Steam Workshop Malware Hit 100,000 Wallpaper Engine Users, Stealing Accounts and Planting Backdoors
Updated
Updated · securelist.com · Jun 16
Steam Workshop Malware Hit 100,000 Wallpaper Engine Users, Stealing Accounts and Planting Backdoors
3 articles · Updated · securelist.com · Jun 16
Summary
Dozens of malicious Wallpaper Engine uploads on Steam Workshop were downloaded thousands to tens of thousands of times, with booby-trapped “application wallpapers” stealing Steam sessions or dropping backdoors and crypto miners.
Kaspersky said the abuse hinges on Wallpaper Engine’s ability to run standalone programs as wallpapers, letting attackers bundle EXE, DLL or script payloads that often launch automatically when a user applies the file.
One sample from December 2025 installed DarkKomet via Synaptics.exe, used a tainted AggregatorHost.dll to harvest Steam credentials, and sent stolen session data to a hacker-controlled server.
China accounted for 89% of malicious download attempts and Russia 5.5%, suggesting a campaign tailored mainly to Chinese gamers even though researchers said the tactic could spread globally.
Steam had removed the identified wallpapers and links by publication, but researchers warned new infected uploads keep appearing on the platform and urged users to scan Workshop wallpapers before applying them.