The trick works because the platform is trusted and the feature is real. Kaspersky has identified dozens of malicious “application wallpapers” on the Steam Workshop, distributed through Wallpaper Engine — the popular Steam app that lets users share animated desktop wallpapers. The catch is that Wallpaper Engine legitimately supports application wallpapers: wallpapers that are actually executable programs. Attackers are weaponizing that sanctioned capability to ship runnable malware inside something that looks like a desktop theme.

How the attack works

Wallpaper Engine (Steam app ID 431960) accepts user-generated content via the Workshop, and the malicious entries hide their payloads using two patterns Kaspersky’s Securelist team documented:

  • Archives that bundle a malicious EXE, DLL, or script alongside the wallpaper or a game file, so the payload rides along with seemingly benign content.
  • Password-protected archives with the password supplied to the user — which lets the payload slip past simple automated scanning while still running when applied.

Once the item is installed or applied, the payload executes automatically. In one analyzed sample, a DarkKomet backdoor (Synaptics.exe) was deployed alongside a game executable; a secondary module then installed a modified library that locates Steam and extracts account credentials from active Steam sessions before exfiltrating them.

The payloads

This is not one actor with one tool. Kaspersky assesses multiple independent threat actors opportunistically abusing the same vector, which is reflected in the spread of malware families observed:

  • DarkKomet — backdoor / RAT for account theft and remote control
  • Lumma — infostealer
  • Vidar — infostealer
  • RenEngine — loader

Securelist’s broader analysis references crypto miners and ransomware variants in the wider payload set as well, though the firm’s press release names the four families above as the confirmed core. The consistent goal across them is stealing Steam and gaming accounts and deploying follow-on malware — and Steam accounts, with their linked payment methods and resale value, are a prize in their own right.

Scale and targeting

Kaspersky identified dozens of malicious application wallpapers, with individual items downloaded “thousands — or even tens of thousands — of times” each. No aggregate victim total was published. The geographic distribution of malicious download attempts is striking: China accounted for 89%, followed by Russia (~5.5%), with a long tail across Singapore, Hong Kong, Germany, Vietnam, India, and Canada. The campaign has been running since late 2025 — this is an established, ongoing operation, not a one-off.

Valve’s response, and the catch

By the time Kaspersky published, Steam had already removed the identified malicious wallpapers and their links. That is the good news. The bad news is Kaspersky’s explicit warning that new infected wallpapers keep appearing, and that users should not rely on Steam’s moderation to catch everything. The firm recommends scanning any wallpaper with antivirus before applying it. (No statement from the Wallpaper Engine developer appeared in the reporting reviewed.)

Why user-generated content keeps being the soft spot

This campaign is a clean illustration of a recurring supply-chain weakness: trusted platforms that host user-generated content inherit the platform’s trust without the platform’s vetting. A malicious wallpaper appears inside the legitimate Steam client UI, downloads through the normal Workshop subscription flow, and — because Wallpaper Engine sanctions executable wallpapers — runs code by design rather than by exploit. Steam has been a malware-distribution surface before, including an infostealer smuggled into an early-access game, and the Workshop’s scale and engaged audience make it a durable target.

For users, the defenses are unglamorous but effective: be wary of password-protected wallpaper archives, distrust any wallpaper that ships extra executables, scan before applying, and keep Steam Guard and unique credentials in place so a single stealer infection doesn’t cascade into a hijacked account. One sourcing note: this campaign currently traces almost entirely to Kaspersky’s own research, so expect the details to firm up as other vendors corroborate.
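One way to apply the "distrust extra executables and password-protected archives" advice to Workshop content already on disk, as an added example that is not from Kaspersky or this article: a Python audit of the Wallpaper Engine (app ID 431960) Workshop folder. The folder layout, the extension lists and the finding names are assumptions of this example, and because application wallpapers legitimately ship executables, a flagged item is a candidate for scanning rather than a verdict.

```python
import sys
import zipfile
from pathlib import Path

APP_ID = "431960"  # Wallpaper Engine's Steam app ID, as given in the article
# Assumed extension lists for this example; adjust to local policy.
RUNNABLE = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs"}
OPAQUE = {".rar", ".7z"}  # archive formats the standard library cannot open

def audit_item(item_dir):
    """Return sorted (finding, relative path) pairs for one Workshop item folder."""
    item_dir = Path(item_dir)
    findings = set()
    for path in item_dir.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(item_dir).as_posix()
        ext = path.suffix.lower()
        if ext in RUNNABLE:
            findings.add(("runnable", rel))
        elif ext in OPAQUE:
            findings.add(("opaque-archive", rel))  # needs manual inspection
        elif zipfile.is_zipfile(path):
            try:
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:  # ZIP flag bit 0: entry is encrypted
                            findings.add(("encrypted-archive", rel))
                        if Path(info.filename).suffix.lower() in RUNNABLE:
                            findings.add(("runnable-in-archive", f"{rel}!{info.filename}"))
            except zipfile.BadZipFile:
                findings.add(("unreadable-archive", rel))
    return sorted(findings)

def audit_workshop(content_root):
    """Map each Workshop item ID under content_root to its findings; clean items are omitted."""
    report = {}
    for item in sorted(Path(content_root).iterdir()):
        if item.is_dir() and (found := audit_item(item)):
            report[item.name] = found
    return report

if __name__ == "__main__":
    # Assumed layout: <Steam library>/steamapps/workshop/content/<app id>/<item id>/
    root = Path(sys.argv[1]) / "steamapps" / "workshop" / "content" / APP_ID
    for item_id, found in audit_workshop(root).items():
        for kind, rel in found:
            print(f"{item_id}\t{kind}\t{rel}")
```

Run it with the Steam library folder as the only argument; each output line is a Workshop item ID, a finding and the file that triggered it.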
