Threat actors are exploiting Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages.
Infected wallpapers can lead to hijacking of your Steam account, compromise of your system with backdoors, or cryptomining processes running on it.
Steam Workshop is a content-sharing platform built into Valve's Steam gaming service that allows users to upload and download community-created content for games and applications.
Content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers.
Malware in wallpaper
Researchers from cybersecurity firm Kaspersky Lab said in a report today that the attack exploited Wallpaper Engine, a desktop customization application available on Steam that has almost 1 million reviews.
Wallpaper Engine supports four wallpaper types: videos, interactive scenes, web pages that can play audio and video, and applications (live windows of software that Wallpaper Engine sets as your desktop background).
Application wallpapers are executable Windows applications that include games, desktop widgets, system monitoring tools, and more. Kaspersky Lab warns that this feature has built-in security risks and is being exploited to distribute malware to Steam users.
According to the researchers, attackers have been exploiting this security gap since at least late 2025 by uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine.
“We discovered dozens of leaked wallpapers of those malicious applications in the Steam Workshop, each of which had already been downloaded hundreds, and even tens of hundreds of times,” Kaspersky noted.

Analysis of the compromised wallpapers revealed that the malware was bundled either directly in the package or inside a password-protected archive that users were tricked into opening.
According to the researchers, the payload runs automatically the moment a user installs the wallpaper.

Kaspersky examined one of these wallpapers, disguised as a game called NTRaholic. To allay any doubts, it launched as expected when run. However, a backdoor component of the DarkKomet malware family was installed in the background.
A custom version of a system library called “AggregatorHost.dll” was also installed to search for Steam accounts on the computer and steal account credentials.

Researchers found several cases involving other malware families, including the Lumma and Vidar info-stealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware, indicating that Wallpaper Engine was exploited by multiple attackers.
Although Steam has identified and removed all malicious wallpaper applications identified by Kaspersky Lab, researchers warn that threat actors may submit new wallpaper applications.
Apart from downloading content from trusted sources, Kaspersky recommends that users scan everything they retrieve from the Steam Workshop with an up-to-date antivirus product.
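To triage what is already on disk before scanning it, the sketch below (an added example, not code from Kaspersky's report or from Wallpaper Engine) lists subscribed Workshop items that declare themselves as application wallpapers or that contain executables or archives, identified by file content rather than extension. It assumes Wallpaper Engine's Steam app ID is 431960, that items live under `steamapps/workshop/content/<app ID>/<item ID>/`, and that each item has a `project.json` with a `type` field; the function names are hypothetical.

```python
import json
import sys
from pathlib import Path

# Assumptions (not from the article): Wallpaper Engine's Steam app ID names its
# Workshop folder, and each item carries a project.json with a "type" field.
APPID = "431960"
MAGIC = {  # leading bytes -> file kind
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-archive",
    b"7z\xbc\xaf\x27\x1c": "7z-archive",
    b"Rar!\x1a\x07": "rar-archive",
}

def sniff(path):
    """Classify by content, so a renamed extension does not hide a binary."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return "unreadable"
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)

def audit_item(item_dir):
    """Return (finding, relative path) pairs for one Workshop item folder."""
    item_dir, findings = Path(item_dir), []
    try:
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        meta = None  # missing or unparsable manifest: rely on content checks
    if isinstance(meta, dict) and str(meta.get("type", "")).lower() == "application":
        findings.append(("declared-application", "project.json"))
    for f in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        kind = sniff(f)
        if kind:
            findings.append((kind, f.relative_to(item_dir).as_posix()))
    return findings

def audit_workshop(steam_library):
    """Map Workshop item ID -> findings for items that need review."""
    root = Path(steam_library) / "steamapps" / "workshop" / "content" / APPID
    items = sorted(d for d in root.iterdir() if d.is_dir()) if root.is_dir() else []
    report = {d.name: audit_item(d) for d in items}
    return {item: found for item, found in report.items() if found}

if __name__ == "__main__":
    library = sys.argv[1] if len(sys.argv) > 1 else "."
    for item, found in audit_workshop(library).items():
        for kind, rel in found:
            print(f"{item}\t{kind}\t{rel}")
```

A hit is a reason to scan or unsubscribe, not a verdict: legitimate application wallpapers also ship executables, and a clean listing does not replace the antivirus scan.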
