Wallpaper Engine is removing all application-type wallpapers from the Steam Workshop after Kaspersky reported malware embedded in those files. Users have a one-week grace period ending July 7 to back up their files.
In June 2026, the Steam utility Wallpaper Engine became the target of a coordinated malware campaign. Cybersecurity firm Kaspersky reported on June 16 that it had discovered several dozen infected wallpaper packages on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's application-type wallpaper feature, which can execute Windows programs, to bundle malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware included information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.
On June 30, the Wallpaper Engine team responded by announcing that it will delete all application-type wallpapers from the Steam Workshop, citing security risks. The feature, which allowed .exe files to run as wallpapers, accounted for only 0.5% of total wallpapers. Users have a one-week grace period to back up files. The removal eliminates a legacy feature that had become a vector for malware, affecting a very small portion of the user base but addressing a security controversy that drew significant attention.
Synthesized by Yomimono from the cited Yomimono stories below, each itself
sourced, then editorially reviewed. Every
fact links the story it came from.
Jul 1
The Wallpaper Engine Team announced on June 30 that it will delete all application-type wallpapers from the Steam Workshop within about a week, following reports of malware in the format. The decision comes after cybersecurity firm Kaspersky reported on June 16 that dozens of application-type wallpapers on the Steam Workshop contained malware, with each downloaded thousands or tens of thousands of times. Application-type wallpapers, which allow creators to run executable (.exe) files as wallpapers, account for only 0.5% of all wallpapers on the platform, and the number of affected users is very small. The team explained that the application type was a legacy feature from the software's early development, inspired by Android sideloading, and was hidden by default with a warning screen. Development has since progressed with built-in editors and SceneScript, a JavaScript-based language that can handle events like time and mouse clicks, making custom executables unnecessary. The team stated that the risks of maintaining the application type now outweigh its benefits. Users who wish to keep their application-type wallpapers can back them up locally before the deletion. The removal applies only to the Steam Workshop; users can still create application-type wallpapers on their own.
Jun 17
Cybersecurity firm Kaspersky reported on June 16 that it discovered malware embedded in wallpapers for the popular Steam utility Wallpaper Engine. Dozens of infected wallpaper packages were found on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's 'application-type wallpaper' feature, which can execute Windows programs, to sneak in malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.