Steam Workshop was supposed to make community content feel safe; attackers used that trust to ship Steam Workshop malware through Wallpaper Engine wallpapers.

Steam Workshop Malware Hijacks Wallpaper Engine Trust
XOOMAR Intelligence
Analyst Take
Threat actors abused Valve's Steam Workshop to distribute malicious wallpaper packages that could hijack Steam accounts, install backdoors, run crypto miners, or deploy other malware, according to BleepingComputer. The campaign, detailed by Kaspersky on June 16, 2026, turns a cosmetic download into a software supply chain problem inside one of PC gaming's most familiar distribution channels.
The deeper signal is not that malware hid in a file. That part is old. The signal is that attackers found a convincing place to put executable risk where users least expect it: a wallpaper subscription.
Steam Workshop malware exposes the trust gap inside Wallpaper Engine
Wallpaper Engine is popular because it makes the desktop feel personal. Users browse, subscribe, and refresh their setup without thinking like system administrators. That habit is exactly what made the app attractive to attackers.
Kaspersky says Wallpaper Engine supports four wallpaper types: videos, interactive scenes, web pages, and applications. The fourth category is the dangerous one. Application wallpapers are executable Windows applications that can include games, widgets, system monitors, or other active windows set as the desktop background.
That means a wallpaper can behave less like an image and more like software.
"Trusted platforms can be abused to distribute malware: the attacks rely on users trusting content hosted within legitimate ecosystems. While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content," commented Maxim Starodubov, a cybersecurity expert at Kaspersky.
The platform trust gap is clear:
| User assumption | Reality exposed by this campaign |
|---|---|
| Workshop content is community content | Some Workshop packages can carry executable payloads |
| Wallpapers are cosmetic | Application wallpapers can run Windows programs |
| Steam presence implies safety | Malicious items still reached thousands of downloads |
| Popularity lowers risk | Download counts can build before removal |
XOOMAR analysis: The campaign challenges three trust layers at once: Valve's moderation of Workshop uploads, Wallpaper Engine's support for executable wallpaper types, and the social proof users attach to community content. When those layers blur, a download that looks decorative can become an infection chain.
Cosmetic downloads became infection chains through application wallpapers
The attack path is simple enough to scale. Attackers uploaded wallpaper packages to Steam Workshop, disguised harmful files inside content that appeared harmless, then relied on users to install them through Wallpaper Engine.
Kaspersky found two main delivery methods. In some cases, the malicious files were bundled directly with the wallpaper package as compromised EXE files, DLLs, or scripts. In others, attackers hid malware inside password-protected archives, with passwords placed in archive names or JSON configuration files.
Once the user installed or applied the wallpaper, the payload could execute automatically.
That execution model is the heart of the issue. A static wallpaper would offer little attack surface. An application wallpaper changes the equation because it can run active code on the user's Windows machine. The wallpaper can still look normal. It can launch a game. It can show animation. It can give the victim no obvious reason to suspect compromise.
Kaspersky tested one malicious wallpaper posing as a game called NTRaholic. The game launched as expected, which reduced suspicion. In the background, the wallpaper installed Synaptics.exe, identified as part of the DarkKomet malware family, and dropped a modified AggregatorHost.dll designed to search for Steam accounts and steal credentials.
The social engineering layer makes this worse. Attackers don't need to persuade users to run a suspicious installer from a random domain. They can wrap the payload in content that looks like a game-themed wallpaper, a popular style, or a normal community upload.
XOOMAR analysis: This is the same trust failure that keeps appearing across digital platforms. Users don't only trust companies. They trust interfaces, ratings, comments, familiar flows, and the absence of friction. We see a similar trust problem in financial scams, where familiar rails and expected user actions can mask abuse, as covered in "Scammers Push UK APP Fraud to £576M as Banks Lose Grip". In both cases, the attacker wins by looking native to the system.
The Steam Workshop malware numbers show moderation pressure
The confirmed scale is not theoretical. Kaspersky said it discovered dozens of malicious application wallpapers on Steam Workshop, and each had already been downloaded thousands or even tens of thousands of times.
Wallpaper Engine itself is not obscure. Kaspersky's Securelist report says the app has around 100,000 daily active users and nearly a million reviews. BleepingComputer also notes that it has nearly a million reviews on Steam.
The campaign had been active since at least late 2025. One analyzed sample was discovered in December 2025. Kaspersky said users in China and Russia were primarily targeted, with other victims located in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. Securelist also said its systems caught 89% of malicious download attempts in China.
Those figures matter because they show how quickly a niche-looking content type can gain real reach. A malicious package doesn't need to dominate Steam Workshop. It only needs to survive long enough to collect subscriptions and downloads.
The useful indicators now are not just malware names. Platform defenders should care about:
- Package count: How many malicious wallpapers were uploaded before detection.
- Download count: Whether items reached thousands or tens of thousands of users.
- Upload timing: Whether activity clustered after late 2025 or continues in waves.
- File types: EXE, DLL, scripts, password-protected archives, and JSON-assisted payloads.
- Account reputation: Whether uploader age, prior activity, or creator history correlated with risk.
- Time-to-removal: How long malicious packages stayed live after upload or reporting.
- Detection visibility: Whether public scanning services and endpoint tools flagged files before users installed them.
Valve has removed all malicious wallpaper applications identified by Kaspersky, according to BleepingComputer. That matters. It also doesn't close the problem. Kaspersky warned that threat actors are likely to submit new ones.
Valve, Wallpaper Engine developers, creators, and users now share the fallout
Valve's problem is bigger than cleaning up one batch of uploads. Steam Workshop works because it lowers friction for community-created content. More friction means more complaints from creators and users. Less friction gives attackers room.
Wallpaper Engine's developers face a sharper technical tradeoff. The app's value comes from rich, flexible, user-submitted wallpapers. The application wallpaper feature makes that richness possible. It also means the app can become a launcher for third-party executable code.
Legitimate creators get caught in the middle. If platform controls tighten, they may face stricter packaging rules, more false positives, or delays before uploads go live. If controls don't tighten, users may start treating interactive wallpapers and lesser-known creators as risky by default.
Users carry the immediate cost. Many won't inspect package contents. Many won't distinguish between a video wallpaper and an application wallpaper. Many will assume that Steam's interface means the package has been vetted to a higher standard than a random download.
That assumption is now broken.
XOOMAR analysis: Valve and Wallpaper Engine do not need to eliminate community creativity to reduce risk. They need to make executable risk visible. A user choosing a live wallpaper should know whether it is merely playing media, loading web content, or running a Windows application. Those are not the same security decision.
The campaign uses an old malware playbook with a gaming-platform twist
The playbook is familiar: attackers move into places where users install third-party content quickly and rely on community signals. Modding communities, game cheat forums, browser extensions, Discord file sharing, and open-source package repositories have all shown versions of this pattern.
The Steam Workshop version has a sharper disguise. A wallpaper looks decorative. It doesn't feel like a mod loader, a developer package, or a utility with system permissions. That lowers suspicion.
The account target also makes sense. Kaspersky said the main goal was stealing gaming accounts and deploying additional malware. The modified AggregatorHost.dll in the analyzed sample searched for Steam processes, harvested account information, hijacked active Steam sessions, and sent collected data to a command-and-control server.
Once attackers control an active Steam session, Kaspersky said they can use the victim's account to upload more malicious wallpapers to Steam Workshop. That creates a distribution loop: steal an account, use its legitimacy, seed more malicious content.
The malware mix also points away from a single neat campaign. Kaspersky observed DarkKomet, Lumma, Vidar, RenEngine, cryptocurrency miners, botnet loaders, and ransomware strains across different malicious wallpapers. Researchers said the activity was likely conducted by multiple independent threat actors rather than one group.
That detail matters. If one group disappears, the method can remain.
PC gamers and creators should treat Workshop items like software
The practical lesson is blunt: Steam Workshop malware means users should treat certain Workshop items as software, not decoration.
For users, the safer posture is:
- Favor known creators: Reputation is not a guarantee, but unknown uploaders deserve more scrutiny.
- Check recent comments: Look for complaints about account loss, antivirus alerts, odd files, or sudden updates.
- Avoid suspicious application wallpapers: A wallpaper that runs an embedded game or executable has a different risk profile than a video.
- Scan downloaded content: Kaspersky recommends scanning anything fetched from Steam Workshop with an up-to-date antivirus product.
- Watch active sessions: Steam account hijacking was a confirmed goal in the analyzed sample.
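An added example, not code from Kaspersky, Valve, or Wallpaper Engine: a local triage pass over a folder of downloaded Workshop items that flags the carriers described above (EXE, DLL, scripts, archives, and ZIPs with the encryption flag set) and any item that declares itself an application wallpaper. The `project.json` manifest name, its `type` field, and the extension sets are assumptions; the sample tree is constructed.

```python
import json
import zipfile
from pathlib import Path

# Carriers named in the article (EXE, DLL, scripts, archives); exact extensions are assumed.
KINDS = {".exe": "executable", ".dll": "executable", ".bat": "script",
         ".cmd": "script", ".ps1": "script", ".vbs": "script",
         ".zip": "archive", ".7z": "archive", ".rar": "archive"}

def zip_is_encrypted(path):
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False  # not a readable ZIP; 7z and RAR need other tooling

def triage_item(item_dir):
    """Return findings for one Workshop item folder (empty list: nothing notable)."""
    item_dir, findings = Path(item_dir), []
    try:  # assumption: the item manifest is project.json with a "type" field
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        meta = {}
    if isinstance(meta, dict) and str(meta.get("type", "")).lower() == "application":
        findings.append("declared type: application (runs a Windows program)")
    # Check files regardless of declared type: a manifest can mislabel its contents.
    for f in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        kind = KINDS.get(f.suffix.lower())
        if kind == "archive" and zip_is_encrypted(f):
            kind = "password-protected archive"
        if kind:
            findings.append(f"{kind}: {f.relative_to(item_dir).as_posix()}")
    return findings

def triage_workshop(content_dir):
    """Map item folder name -> findings, for items with at least one finding."""
    items = sorted(p for p in Path(content_dir).iterdir() if p.is_dir())
    return {p.name: r for p in items if (r := triage_item(p))}

def build_sample(root):
    """Constructed sample tree: a video item and an application item with an EXE and a ZIP."""
    for name, kind, payload in (("1001", "video", "clip.mp4"), ("1002", "application", "game.exe")):
        d = Path(root) / name
        d.mkdir(parents=True)
        (d / "project.json").write_text(json.dumps({"type": kind}), encoding="utf-8")
        (d / payload).write_bytes(b"constructed placeholder")
    with zipfile.ZipFile(Path(root) / "1002" / "extras.zip", "w") as zf:
        zf.writestr("readme.txt", "constructed")
```

Point `triage_workshop()` at the folder where Steam stores downloaded Wallpaper Engine items; `build_sample()` creates the constructed tree for a dry run. A finding is a reason to inspect or scan the item, not a malware verdict.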
Creators should expect pressure for clearer package behavior. If a wallpaper runs code, loads scripts, drops companion files, or calls external resources, users and platforms will increasingly expect that to be documented. Safer templates, signed assets, and permission labels would reduce guesswork.
For Valve and app developers, the required controls are also clearer:
- Pre-publication scanning for executable wallpaper packages.
- Behavioral sandboxing for application wallpapers before they reach users.
- Uploader reputation checks that weigh account history and upload patterns.
- Faster takedown loops when malware reports arrive.
- Clear warnings that distinguish media wallpapers from executable ones.
Popularity cannot keep functioning as a proxy for safety. Download counts and community engagement are social signals. They are not security signals.
Stricter Workshop scanning is the likely pressure point now
Attackers will keep testing game-adjacent creator marketplaces because they offer three things malware operators want: reach, trust, and users trained to install community files.
The next pressure point is visible security around risky asset types. If Valve and Wallpaper Engine respond aggressively, expect stronger scanning around application wallpapers, password-protected archives, embedded scripts, and newly created uploader accounts. If the response stays mostly reactive, copycat campaigns have room to move into other customization and modding channels with similar trust dynamics.
The thesis to watch is simple. This campaign shows that trusted community distribution can become malware infrastructure when executable content is treated like decoration.
Evidence that would confirm the thesis: more malicious wallpapers appearing after takedowns, broader malware families using the same route, or tighter Valve controls around executable Workshop items. Evidence that would weaken it: fast, durable removal of new uploads, clear user warnings for application wallpapers, and a visible drop in malicious packages reaching meaningful download counts.
The safest future for community content isn't less creativity. It's better verification, faster detection, and fewer assumptions that a pretty download is harmless.
Impact Analysis
- Attackers used Steam Workshop’s trusted ecosystem to make malicious downloads look harmless.
- Wallpaper Engine application wallpapers can behave like executable software, not just cosmetic files.
- The campaign shows how familiar gaming platforms can become supply-chain-style malware delivery channels.
Wallpaper Engine content types and malware risk
| Wallpaper type | What it is | Risk noted in article |
|---|---|---|
| Videos | Video wallpapers | No specific executable risk highlighted |
| Interactive scenes | Interactive wallpapers | No specific executable risk highlighted |
| Web pages | Web page-based wallpapers | No specific executable risk highlighted |
| Applications | Executable Windows applications used as wallpapers | Can run like software and was identified as the dangerous category |
Written by
XOOMAR Insights Team
Research and Editorial Desk