Steam Workshop Flaw Exploited to Distribute Malware via Wallpaper Engine

Steam Workshop malware payload hidden in Wallpaper Engine files

Even conventional digital distribution ecosystems can morph into potent vectors for infection when user-generated content is capable of executing arbitrary code. Malicious actors have recently exploited the Steam Workshop to proliferate malware disguised as benign wallpapers via the Wallpaper Engine application.

Kaspersky Uncovers Ongoing Campaign

Security researchers at Kaspersky uncovered the campaign and determined that it has been active since at least late 2025. The payloads were disguised as interactive wallpapers for Wallpaper Engine and reached users' systems through the Steam Workshop, a repository traditionally reserved for trusted user-generated modifications, maps, and cosmetic skins.

According to Kaspersky's report, which describes dozens of malicious wallpapers found on the Steam Workshop, the threat relies on a specific application feature: Wallpaper Engine's native “scene-application” format. Wallpapers of this type are, in effect, fully functional Windows executables that render dynamically on the desktop. The capability is intended for interactive widgets, mini-games, and system dashboards, but threat actors have subverted it to run arbitrary malicious code silently in the background.

Automated Execution and High Infection Rates

Kaspersky’s telemetry indicates that the malicious payloads were either embedded directly within the wallpaper packages or concealed inside password-protected archives, accompanied by social engineering tactics to coerce users into manual extraction. Upon installation of the wallpaper, the malware executes autonomously. Alarmingly, these compromised files have already been downloaded thousands of times, with select instances eclipsing tens of thousands of downloads.
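Because an "application" wallpaper is a native program and a bundled archive is the other delivery path described above, a defender's first triage step is simply to inventory which subscribed items can execute code at all. The script below is an added example, not code from the article, Kaspersky, or Valve. It assumes Workshop items live under `steamapps/workshop/content/431960/<item_id>/` (431960 is Wallpaper Engine's Steam app id) and that each item's `project.json` carries a `"type"` field naming the wallpaper kind; both are assumptions to check against your own installation. It runs offline against a constructed sample tree.

```python
"""Triage helper: flag Wallpaper Engine Workshop items that can execute code.

Added example, not from the article or from Kaspersky/Valve. Assumptions:
- Workshop items live under <steam>/steamapps/workshop/content/431960/<item_id>/
  (431960 is Wallpaper Engine's Steam app id).
- Each item has a project.json whose "type" field names the wallpaper kind
  ("scene", "video", "web", "application"); only "application" items are
  native programs. The key name is an assumption; verify it on your install.
"""
import json
import tempfile
from pathlib import Path

# Native or script launchers a wallpaper has no reason to ship.
# ".js" is deliberately excluded: legitimate "web" wallpapers contain it.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}
# Archives are the "extract this yourself" social-engineering path.
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


def audit_item(item_dir: Path) -> dict:
    """Summarise one Workshop item: declared type, executables, archives."""
    wtype = None
    pj = item_dir / "project.json"
    if pj.is_file():
        try:
            wtype = json.loads(pj.read_text(encoding="utf-8")).get("type")
        except (ValueError, OSError):
            wtype = "unreadable"
    executables, archives = [], []
    for p in item_dir.rglob("*"):
        if not p.is_file():
            continue
        suf = p.suffix.lower()
        rel = str(p.relative_to(item_dir))
        if suf in EXECUTABLE_SUFFIXES:
            executables.append(rel)
        elif suf in ARCHIVE_SUFFIXES:
            archives.append(rel)
    # Anything that is a native app, or ships a binary/archive, needs a human look.
    review = (wtype or "").lower() == "application" or bool(executables) or bool(archives)
    return {
        "item": item_dir.name,
        "type": wtype,
        "executables": sorted(executables),
        "archives": sorted(archives),
        "review": review,
    }


def audit_workshop_dir(root) -> list:
    """Audit every item directory under the Workshop content root."""
    root = Path(root)
    return [audit_item(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample_tree() -> str:
    """Constructed sample data (not real Workshop items) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="we_workshop_"))
    # Benign scene wallpaper: project file plus a scene package.
    a = root / "1000000001"
    a.mkdir()
    (a / "project.json").write_text(json.dumps({"title": "Sunset", "type": "scene"}))
    (a / "scene.pkg").write_bytes(b"\x00" * 16)
    # Application wallpaper carrying a native executable.
    b = root / "1000000002"
    b.mkdir()
    (b / "project.json").write_text(json.dumps({"title": "Cool Widget", "type": "application"}))
    (b / "widget.exe").write_bytes(b"MZ" + b"\x00" * 14)
    # Video wallpaper that sideloads an archive for the user to "extract".
    c = root / "1000000003"
    c.mkdir()
    (c / "project.json").write_text(json.dumps({"title": "Rain", "type": "video"}))
    (c / "rain.mp4").write_bytes(b"\x00" * 16)
    (c / "bonus.rar").write_bytes(b"Rar!" + b"\x00" * 12)
    return str(root)


if __name__ == "__main__":
    for finding in audit_workshop_dir(build_sample_tree()):
        print(finding)
```

Point `audit_workshop_dir` at the real `content/431960` directory to list every subscribed item that is a native application or ships a binary or archive; those are the ones to submit to a scanner or remove, while plain scene and video wallpapers drop out of the list.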

Dissecting the Payloads: From RATs to Info Stealers

In a technical analysis, researchers dissected a package masquerading as the popular utility NTRaholic. When run, it simulated a legitimate program while deploying a backdoor from the DarkComet family, a Remote Access Trojan (RAT) built for covert administrative control. A second component scanned the host for active Steam accounts and attempted to harvest and exfiltrate credential data.

Beyond DarkComet, Kaspersky identified a range of malware families distributed through this vector, including the Lumma and Vidar information stealers, cryptocurrency miners, botnet loaders, RanEngine components, and ransomware variants. Although Valve has removed the flagged wallpapers from Steam, the threat persists because adversaries can easily upload new versions. To reduce the risk, users should limit downloads to well-established creators and scan Steam Workshop content with an up-to-date antivirus solution.
