- malware
- stealer
- gaming
- steam
news
Malicious Steam Workshop Wallpapers Steal Accounts
Kaspersky finds dozens of trojanized Wallpaper Engine app wallpapers on Steam Workshop with tens of thousands of downloads.
Summary
Kaspersky researchers documented dozens of malicious application-type wallpapers on Steam Workshop, distributed through Wallpaper Engine. Attackers embed malware in standalone desktop applications disguised as mini-games, planners, system monitors, and interactive widgets. Payload families include DarkKomet backdoors, Lumma/Vidar infostealers, RenEngine loaders, and ransomware.
The campaign operates as a self-propagating loop: compromised Steam accounts upload additional malicious wallpapers, expanding reach without external distribution infrastructure.
Wallpaper Engine Attack Surface
Wallpaper Engine supports multiple wallpaper types:
| Type | Risk |
|---|---|
| Image/video | Low — static media |
| Web | Medium — embedded JS if misconfigured |
| Application | High — full native executables with user interaction |
Malicious entries abuse the Application type — users explicitly launch a bundled .exe believing it is part of the wallpaper experience. Steam's Workshop moderation catches some uploads, but attackers replenish faster than removal.
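Because Application-type items are the only ones that ship native code, a first triage step on an endpoint is to enumerate which subscribed Workshop items declare that type and which executables they bundle. The script below is an added example written for this page, not code from Kaspersky or from Wallpaper Engine. It assumes that every Workshop item folder under `Steam\steamapps\workshop\content\431960\<item id>\` carries a `project.json` whose `type` field is `application` for application wallpapers; the key names and the `application` value are assumptions about the Wallpaper Engine project format, so adjust them if your installed items differ.

```python
"""Triage Wallpaper Engine Workshop items: list Application-type
wallpapers and the executables they ship.

Added example, not from the report. Assumes each Workshop item folder
(Steam\\steamapps\\workshop\\content\\431960\\<id>\\) carries a project.json
with a "type" field; the key names and the "application" value are
assumptions about the Wallpaper Engine project format.
"""
import hashlib
import json
import os
import sys
from dataclasses import dataclass, field

WALLPAPER_ENGINE_APPID = "431960"  # Steam app id from the report
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


@dataclass
class ItemReport:
    item_id: str
    title: str
    wallpaper_type: str
    executables: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # Application-type items run native code; an item of any declared
        # type that ships executables also deserves a look.
        return self.wallpaper_type == "application" or bool(self.executables)


def classify_item(item_id: str, project_json: str, files: list) -> ItemReport:
    """Pure function: classify one Workshop item from its project.json text
    and the relative paths of the files in its folder."""
    try:
        meta = json.loads(project_json)
    except json.JSONDecodeError:
        meta = {}
    wtype = str(meta.get("type", "unknown")).lower()
    title = str(meta.get("title", "<untitled>"))
    execs = [f for f in files if os.path.splitext(f)[1].lower() in EXEC_EXTENSIONS]
    return ItemReport(item_id, title, wtype, sorted(execs))


def sha256_file(path: str) -> str:
    """Hash a bundled executable so it can be checked against AV / threat intel."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_workshop(steam_root: str) -> list:
    """Walk the Wallpaper Engine Workshop folder and return items to review."""
    root = os.path.join(steam_root, "steamapps", "workshop", "content", WALLPAPER_ENGINE_APPID)
    reports = []
    if not os.path.isdir(root):
        return reports
    for item_id in sorted(os.listdir(root)):
        item_dir = os.path.join(root, item_id)
        if not os.path.isdir(item_dir):
            continue
        files = []
        for dirpath, _, names in os.walk(item_dir):
            for n in names:
                files.append(os.path.relpath(os.path.join(dirpath, n), item_dir))
        try:
            with open(os.path.join(item_dir, "project.json"), encoding="utf-8") as fh:
                pj = fh.read()
        except OSError:
            pj = ""  # missing/unreadable metadata: classify on files alone
        rep = classify_item(item_id, pj, files)
        if rep.needs_review:
            reports.append(rep)
    return reports


if __name__ == "__main__":
    steam = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\Steam"
    ws_root = os.path.join(steam, "steamapps", "workshop", "content", WALLPAPER_ENGINE_APPID)
    for r in scan_workshop(steam):
        print(f"[{r.item_id}] {r.title!r} type={r.wallpaper_type}")
        for e in r.executables:
            print("    ", e, sha256_file(os.path.join(ws_root, r.item_id, e)))
```

Run it against the Steam install root; every listed item is one the user launched (or will launch) as a real program, and the hashes can be submitted to the endpoint's AV or a reputation service before the wallpaper is allowed to run.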
Campaign Architecture
Distribution
- Attacker uploads Application wallpaper with trojanized binary.
- Social engineering in Workshop description — "interactive game wallpaper", "system stats widget".
- Victim subscribes and launches wallpaper — malware executes.
- Stealer harvests Steam session tokens and credentials.
- Compromised account uploads new malicious wallpapers — cycle repeats.
Primary Payload — DarkKomet Chain
Representative sample behavior:
- Drops `Synaptics.exe` (DarkKomet RAT masquerading as a Synaptics driver).
- Hijacks `AggregatorHost.dll` for persistence and injection.
- Locates Steam client session files and `config/loginusers.vdf`.
- Exfiltrates to `hxxp://120.48.156[.]17/ey.php`.
Additional Payload Families
- Lumma / Vidar — browser credential and cookie theft
- RenEngine — modular loader for follow-on payloads
- Ransomware — observed in subset of samples (lower prevalence)
Victim Geography
Kaspersky telemetry (reported):
| Region | Share |
|---|---|
| China | 89% |
| Russia | 5.5% |
| Other | 5.5% |
Geographic concentration suggests initial seeding via Chinese-language Workshop descriptions and regional gaming communities.
Indicators of Compromise
| Type | Value |
|---|---|
| Network | 120.48.156[.]17 (exfil endpoint) |
| File | Synaptics.exe in non-standard path |
| File | Hijacked AggregatorHost.dll outside System32 |
| Process | Wallpaper Engine child spawning unexpected .exe from Workshop content path |
| Steam | Unauthorized Market/Workshop uploads from user account |
Workshop content paths are typically under the Steam install directory: `Steam\steamapps\workshop\content\431960\`
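The indicators above translate directly into endpoint detection logic. The following is an added example for this page, not code from the report or from any vendor: it matches the file, process and network indicators against Sysmon-style process-creation, image-load and network events. The events are constructed, not real telemetry. Two details are my assumptions rather than facts from the report: that Wallpaper Engine's host processes are named `wallpaper32.exe` / `wallpaper64.exe`, and that a legitimate Synaptics driver would live under `Program Files\Synaptics` or `System32`.

```python
"""Match the report's indicators against endpoint telemetry.

Added example, not from Kaspersky's write-up. Events are constructed,
Sysmon-style dicts. Assumptions (not report facts): Wallpaper Engine's
host processes are wallpaper32.exe / wallpaper64.exe, and a legitimate
Synaptics driver lives under Program Files\\Synaptics or System32.
"""
import ipaddress
from typing import Iterable

# Workshop content folder for Wallpaper Engine (app id 431960, from the report).
WORKSHOP_PATH_FRAGMENT = "\\steamapps\\workshop\\content\\431960\\"
# Exfil endpoint from the IoC table, defanged there as 120.48.156[.]17.
EXFIL_HOST = ipaddress.ip_address("120.48.156.17")
WALLPAPER_ENGINE_PROCS = {"wallpaper32.exe", "wallpaper64.exe"}  # assumption
SYSTEM32 = "c:\\windows\\system32\\"
LEGIT_SYNAPTICS_PREFIXES = ("c:\\program files\\synaptics\\", SYSTEM32)  # assumption


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list:
    """Return the names of the indicators an event matches (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        parent = _basename(ev.get("parent_image", ""))
        # Wallpaper Engine launching an .exe out of Workshop content.
        if parent in WALLPAPER_ENGINE_PROCS and WORKSHOP_PATH_FRAGMENT in image:
            hits.append("wallpaper_engine_spawns_workshop_exe")
        # Synaptics.exe running from anywhere but the expected driver locations.
        if _basename(image) == "synaptics.exe" and not image.startswith(LEGIT_SYNAPTICS_PREFIXES):
            hits.append("synaptics_exe_nonstandard_path")
    elif kind == "image_load":
        loaded = ev.get("image_loaded", "").lower()
        # AggregatorHost.dll loaded from outside System32 (hijacked copy).
        if _basename(loaded) == "aggregatorhost.dll" and not loaded.startswith(SYSTEM32):
            hits.append("aggregatorhost_dll_outside_system32")
    elif kind == "network_connect":
        try:
            if ipaddress.ip_address(ev.get("dest_ip", "")) == EXFIL_HOST:
                hits.append("exfil_endpoint_contact")
        except ValueError:
            pass  # malformed or missing address: nothing to match
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Group matched indicators by host for an analyst summary."""
    by_host = {}
    for ev in events:
        for hit in match_event(ev):
            by_host.setdefault(ev.get("host", "?"), set()).add(hit)
    return {h: sorted(v) for h, v in by_host.items()}


# Constructed sample telemetry (not real logs): PC1 shows the full chain,
# PC2 shows Wallpaper Engine launching a child outside Workshop content.
SAMPLE_EVENTS = [
    {"host": "PC1", "type": "process_create",
     "parent_image": r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe",
     "image": r"C:\Program Files (x86)\Steam\steamapps\workshop\content\431960\3123456789\widget.exe"},
    {"host": "PC1", "type": "process_create",
     "parent_image": r"C:\Program Files (x86)\Steam\steamapps\workshop\content\431960\3123456789\widget.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Synaptics\Synaptics.exe"},
    {"host": "PC1", "type": "image_load",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\Synaptics\AggregatorHost.dll"},
    {"host": "PC1", "type": "network_connect", "dest_ip": "120.48.156.17", "dest_port": 80},
    {"host": "PC2", "type": "process_create",
     "parent_image": r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe",
     "image": r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\bin\helper.exe"},
    {"host": "PC2", "type": "network_connect", "dest_ip": "23.0.0.1", "dest_port": 443},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

The first rule is the broadest and the most useful: it fires on any Workshop-content executable launched by Wallpaper Engine, not just the samples named here, so it keeps working when attackers rotate file names and infrastructure. Expect some benign hits from legitimate Application-type wallpapers; the value is the short list of executables it produces for review.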
Impact
Gamers: Account takeover, inventory theft (CS2 skins, etc.), fraudulent Market transactions.
Enterprises: Gaming on corporate endpoints — stealer exfiltrates corporate browser sessions alongside Steam tokens.
Steam platform: Reputation damage; moderation resource exhaustion.
Mitigation
- Disable Application-type wallpapers on managed endpoints via policy.
- Scan Workshop downloads with AV before launching — treat as untrusted executables.
- Steam Guard — enable mobile authenticator; monitor account activity for Workshop uploads.
- Network block — IOC IP and similar bulletproof hosting ranges.
- User education — Wallpaper Engine Application type runs real programs; "wallpaper" label does not imply safety.
Steam removed identified items but new infected wallpapers continue appearing — assume ongoing campaign.
Timeline
| Date | Event |
|---|---|
| 2026-06-10 | Kaspersky internal detection spike on Wallpaper Engine paths |
| 2026-06-16 | Securelist publication |
| 2026-06-17 | vx-underground indexing; community IOC sharing |