Kaspersky: Attackers Distribute Malware via Steam Workshop Wallpapers
Quick Look
- Kaspersky reports attackers are using Steam Workshop to distribute malware disguised as animated wallpapers via the Wallpaper Engine application.
- The malicious downloads, some with tens of thousands of downloads, target users in China, Russia, and other countries, stealing credentials and cryptocurrency.
AI-generated summary
Why It Matters
Attackers are exploiting the Steam Workshop platform and the Wallpaper Engine application to distribute malware, disguised as animated desktop wallpapers. This method leverages user trust in legitimate ecosystems to deliver malicious software.
In the report published on Monday, Kaspersky said attackers used Steam Workshop to distribute malicious Wallpaper Engine downloads disguised as animated desktop wallpapers, many featuring female anime characters.
“The application-based wallpaper feature allows executable programs to run directly on a user's Windows computer, allowing attackers to distribute malicious software under the guise of legitimate content,” Kaspersky said, adding that it had identified dozens of infected wallpaper packages available through Steam Workshop.
Kaspersky also identified wallpaper distributing Lumma and Vidar infostealers, malware families commonly used to steal credentials, browser data, and cryptocurrency wallet information, alongside the RenEngine loader. Researchers said the activity appeared to involve multiple threat actors rather than a single group.
“Many of these packages had thousands or even tens of thousands of downloads,” the firm said.
According to Kaspersky, victims of the malware campaign were primarily in China and Russia, though infections were also seen in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
The malicious wallpapers either bundled malware directly or hid it inside password-protected archives that unpacked after installation, the company said, noting a 2025 case where a wallpaper appeared to launch a legitimate desktop game while secretly installing the DarkKomet backdoor.
"Trusted platforms can be abused to distribute malware: The attacks rely on users trusting content hosted within legitimate ecosystems,” Kaspersky researcher Maxim Starodubov said in a statement. “While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content."
The findings add to a growing list of Steam-related malware incidents.
Open Questions
- How many users were successfully compromised?
- What specific actions are Steam and Valve taking?
- Will new security measures be implemented on Steam Workshop?






