Summary
- Kaspersky discovered harmful downloads of Wallpaper Engine on Steam Workshop, with numerous installations.
- This malware compromised Steam accounts, hijacked active sessions, and introduced additional threats, including Lumma and Vidar infostealers.
- This revelation follows a series of malware incidents linked to Steam that have affected gamers and cryptocurrency holders.
In a report released on Monday, Kaspersky revealed that cybercriminals leveraged Steam Workshop to spread malicious Wallpaper Engine downloads masquerading as animated desktop backgrounds, many featuring anime female characters.
“The application-based wallpaper feature permits executable programs to operate directly on a user's Windows machine, enabling attackers to deliver harmful software disguised as legitimate content,” stated Kaspersky, noting the identification of numerous compromised wallpaper packages available through Steam Workshop.
Kaspersky also detected wallpapers that distributed Lumma and Vidar infostealers, which are malware types frequently employed to extract credentials, browser data, and cryptocurrency wallet details, along with the RenEngine loader. Researchers indicated that the activity likely involved various threat actors rather than a singular group.
“Many of these packages recorded thousands or even tens of thousands of downloads,” the firm reported.
Kaspersky indicated that the primary victims of this malware campaign were located in China and Russia, although infections were also reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
The harmful wallpapers either came with malware bundled directly or concealed it within password-protected files that would unpack post-installation. The company highlighted an incident from 2025 where a wallpaper seemingly launched a legitimate desktop game while covertly installing the DarkKomet backdoor.
"Trusted platforms can be exploited to disseminate malware: These attacks depend on users trusting content hosted within legitimate ecosystems,” remarked Kaspersky researcher Maxim Starodubov. “Although many of the involved malware families are well-known, the delivery method allows attackers to reach a vast number of potential victims through seemingly benign content."
This discovery contributes to an increasing number of malware incidents associated with Steam.
In July 2025, cybersecurity firm Prodaft reported that the Steam Early Access title Chemia had been compromised to spread Hijack Loader, Fickle Stealer, and Vidar Stealer malware aimed at cryptocurrency wallets and user information. In March, the FBI announced an investigation into malware disseminated through several Steam games, including Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova.