Gamers searching for the perfect animated background just discovered a harsh truth. The same Steam Workshop they have relied on for years now serves as a ready vehicle for account theft and system compromise.
Researchers at Kaspersky uncovered dozens of malicious items hidden among legitimate wallpaper submissions for Wallpaper Engine. Each had racked up thousands or tens of thousands of downloads before detection. The campaign stretches back to at least late 2025. Some evidence points to activity as early as August of that year.
And the method proves deceptively simple. Wallpaper Engine supports four wallpaper formats. Three stay relatively contained. The fourth lets users run actual Windows applications as desktop backgrounds. Attackers seized on that capability. They packaged executables and supporting files inside wallpaper archives. Users who subscribed through the Workshop and applied the content triggered immediate execution.
“We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times,” Kaspersky reported on June 16, 2026.
The payloads vary. Some drop the DarkKomet backdoor. Others install Lumma or Vidar infostealers. Cryptocurrency miners appear. So do botnet loaders and ransomware. One sample masqueraded as a simple desktop game called NTRaholic. It launched a playable window to build confidence. In the background it placed a file named Synaptics.exe from the DarkKomet family. It also installed a modified AggregatorHost.dll library designed to hunt for Steam credentials and hijack live sessions.
Data from the stolen sessions traveled to command servers including one at 120.48.156.17. Attackers then used the compromised accounts to upload fresh malicious wallpapers. The cycle fed itself. Steam later removed the identified submissions. Yet experts caution that replacements arrive quickly.
Targeting shows clear geographic focus. Eighty-nine percent of malicious download attempts originated in China. Russia accounted for 5.5 percent. The wallpapers often featured art styles popular with Chinese gamers. That choice boosted appeal and lowered suspicion in the primary victim pool.
Neither Valve nor the Wallpaper Engine developers introduced a vulnerability in the classic sense. The application wallpaper feature works as designed. It simply allows executable code to run with user permission. Community trust in the Workshop did the rest. Password-protected archives added another layer. Attackers embedded the password in the file name or a JSON configuration file. Users followed instructions without hesitation.
BleepingComputer covered the findings the same day. The report detailed how multiple independent threat actors exploited the same vector simultaneously. Different malware families operated in parallel. That variety suggests the technique spread beyond a single group. BleepingComputer noted that Steam acted on Kaspersky’s list and purged the offending items. New uploads remain a constant risk.
TechRadar followed with its own analysis on June 17. The publication stressed that victims should treat every Workshop download with the same caution they would apply to any executable from an unknown source. TechRadar highlighted the scale. Tens of thousands of installations across dozens of items. The numbers reveal how quickly trust can be weaponized inside a platform built on sharing.
MakeUseOf reinforced the message hours later. The site reminded readers that Wallpaper Engine itself carries no fault. Its 20 million downloads and strong reputation remain intact. The danger sits entirely in unvetted community content. MakeUseOf advised users to examine creator histories, read comments, and avoid anything that arrives as a password-protected archive or includes extra executables.
Security professionals have seen similar patterns before. User-generated content platforms invite innovation. They also invite abuse. Steam Workshop powers mods for countless titles. Its open nature drives engagement. Yet that openness now collides with the reality that gamers often run with elevated privileges and valuable linked accounts.
The financial incentive looks obvious. Stolen Steam inventories can be sold. Credential access opens doors to payment methods. Cryptominers generate passive income. Ransomware extracts direct payment. One successful infection can fund the next wave of uploads.
So what should users do? Scan every new wallpaper with updated antivirus software before applying it. Favor creators with long track records and consistent positive feedback. Avoid application-type wallpapers from new or low-activity accounts. If a download prompts for a password or includes unexpected files, walk away.
Those already concerned can review their subscribed Workshop items inside Wallpaper Engine. Remove anything unfamiliar. Run full system scans. Change Steam passwords and enable two-factor authentication where not already active. Monitor account activity for unusual logins or trade offers.
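For readers who want to script that review, the following is an added example, not code from Kaspersky, Valve or Wallpaper Engine. It assumes subscribed items sit in per-item folders under Steam's `steamapps/workshop/content/431960` directory and that each item's `project.json` carries a `type` field; the extension lists are illustrative choices.

```python
import json
from pathlib import Path

# Assumption: extensions treated as runnable code or as bundled archives.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}

def audit_item(item_dir):
    """Return a list of findings for one subscribed Workshop item folder."""
    item_dir = Path(item_dir)
    findings = []
    project = item_dir / "project.json"
    wtype = "unknown"
    try:
        data = json.loads(project.read_text(encoding="utf-8", errors="replace"))
        if isinstance(data, dict):
            wtype = str(data.get("type", "unknown")).lower()
    except (OSError, ValueError):
        findings.append("project.json missing or unreadable")
    if wtype == "application":
        findings.append("application-type wallpaper (runs a Windows program)")
    for path in sorted(item_dir.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        rel = path.relative_to(item_dir).as_posix()
        if ext in EXECUTABLE_EXT and wtype != "application":
            findings.append(f"unexpected executable in {wtype} wallpaper: {rel}")
        elif ext in EXECUTABLE_EXT:
            findings.append(f"executable: {rel}")
        elif ext in ARCHIVE_EXT:
            findings.append(f"bundled archive: {rel}")
    return findings

def audit_workshop(content_dir):
    """Map item folder name -> findings, for items with at least one finding."""
    report = {}
    for item in sorted(Path(content_dir).iterdir()):
        if item.is_dir():
            findings = audit_item(item)
            if findings:
                report[item.name] = findings
    return report

if __name__ == "__main__":
    import sys
    # Pass the Workshop content folder for Wallpaper Engine as the argument.
    for item_id, findings in audit_workshop(sys.argv[1]).items():
        print(item_id, *findings, sep="\n  ")
```

A flagged item is a prompt to check the creator and unsubscribe if unfamiliar, not proof of infection; legitimate application wallpapers also ship executables.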
Valve has not issued a broad public statement beyond its removal actions. The company continues to moderate Workshop content reactively. Kaspersky and others urge a more proactive stance. Automated scanning of application wallpapers could help. Stronger warnings at the point of subscription might reduce click-through rates on suspicious items.
This episode exposes a broader tension. Platforms that thrive on community creativity must balance accessibility with safety. Gamers want fresh content without friction. Security teams want verification without bureaucracy. The gap between those desires just got filled with malware.
Wallpaper Engine still ranks among the most popular customization tools on Steam. Its core functionality remains sound. The threat lives in the supply chain of shared files. Until detection improves or user habits shift, the advice stays blunt. Treat that shiny new wallpaper the same way you would an unsolicited executable. Verify first. Apply later.
Because in the end, a beautiful background loses its appeal when it opens the door to account takeover or system-wide infection.


WebProNews is an iEntry Publication