Malicious Wallpaper Engine

Malicious Wallpaper Engine Downloads Targeted Steam Accounts

A number of malicious Wallpaper Engine uploads were recently found on the Steam Workshop, with some collecting thousands of downloads before they were taken down.

The uploads were not ordinary wallpapers. They were application-based wallpapers capable of running Windows programs, and attackers used that feature to hide malware inside content that looked like animated backgrounds, desktop tools, or small games.

Wallpaper Engine itself was not hacked. The problem came from users abusing the Steam Workshop to distribute dangerous community content.

That distinction matters. A JPG, PNG, or video wallpaper cannot normally run a program on your computer. An application wallpaper can, which means it should be treated with the same caution as any other executable file.

The Wallpaper Still Worked

What made these uploads dangerous was that many of them appeared to work normally.

According to researchers at Kaspersky, one malicious wallpaper launched a small desktop game just as the user expected. Behind the scenes, however, it also installed the DarkKomet remote-access backdoor along with a modified Windows file designed to find Steam and steal account information.

The malware could also hijack an active Steam session and send the stolen data back to a server controlled by the attacker.

Researchers found signs that compromised Steam accounts may have been used to upload more infected wallpapers, allowing the malware to spread through accounts that appeared legitimate.

The malicious uploads were linked to several different types of malware, including:

  • Lumma and Vidar information stealers
  • DarkKomet remote-access malware
  • Cryptocurrency miners
  • Malware loaders and botnet tools
  • Ransomware

In some cases, the malware was included directly in the wallpaper files. In others, it was hidden inside password-protected archives. The attackers sometimes placed the password in the archive name or another included file, likely to make automated scanning more difficult.

More Than One Group Was Involved

Kaspersky does not believe this was one large, organized campaign.

Instead, the uploads appear to have come from several unrelated attackers who were all using the same basic trick: hiding malware inside application wallpapers and distributing them through the Steam Workshop.

Most of the detected download attempts came from China, although activity was also seen in Russia, Singapore, Hong Kong, Germany, Vietnam, India, and Canada.

That does not mean players in other countries were safe. There is nothing regional about the attack method, and the same approach could easily be used against Steam users anywhere.

The known malicious wallpapers were removed after Steam was notified. That does not mean every dangerous upload has been found, and it does not stop attackers from creating new accounts and trying again.

What Wallpaper Engine Users Should Check

Simply having Wallpaper Engine installed does not mean your computer is infected.

The main concern is application wallpapers downloaded from unknown or questionable creators, especially wallpapers that include executable files, archives, games, launchers, or extra installation instructions.

Be Careful With Application Wallpapers

Treat an application wallpaper the same way you would treat any program downloaded from the internet.

Before subscribing, check the creator’s account, previous uploads, comments, update history, subscriber count, and how long the item has been available.

A large subscriber count is not proof that something is safe, but a brand-new account uploading executable content should immediately raise suspicion.

Standard image and video wallpapers do not have the same ability to run Windows programs.

Remove Anything Suspicious

Look through the wallpapers you installed recently, especially application-based wallpapers from unfamiliar creators.

Unsubscribe from anything you do not recognize or no longer trust. Do not manually open executable files or password-protected archives included with a wallpaper.

Removing the wallpaper alone may not remove malware that has already been installed, so continue with a full security scan.

Run a Full Malware Scan

Update Windows Security or your preferred antivirus software before running the scan.

Start with a full system scan. Anyone who believes a suspicious wallpaper may have executed should also consider running Microsoft Defender Offline.

Defender Offline restarts the computer and scans outside the normal Windows environment, which makes it more difficult for some malware to hide or interfere with the scan.

In Windows Security, go to:

Virus & threat protection → Scan options → Microsoft Defender Antivirus (offline scan)

Save your work first because the computer will restart.

Secure Your Steam Account

Anyone who installed a suspicious application wallpaper should assume their Steam session may have been exposed.

Use a different, trusted device to:

  • Change your Steam password
  • Change the password for the email connected to Steam
  • Remove or deauthorize devices you do not recognize
  • Make sure Steam Guard is enabled
  • Review recent trades, purchases, messages, and account changes

Do not rely on a password change alone. Stolen sessions, browser cookies, and compromised email accounts can sometimes give attackers other ways back in.

Change Other Important Passwords

Information stealers such as Lumma and Vidar do not only target Steam.

They may also collect browser passwords, saved cookies, account sessions, cryptocurrency data, email credentials, and other personal information stored on the computer.

Once the system has been cleaned, change the passwords for important accounts that were used on that machine.

Start with:

  • Email accounts
  • Banking and financial accounts
  • Password managers
  • Gaming accounts
  • Cryptocurrency accounts

Do not change passwords from a computer that may still be infected.

Community Content Can Still Be Dangerous

Steam Workshop is usually safer than downloading random files from an unknown website, but it is not a security guarantee.

Mods, plugins, launchers, custom tools, and application wallpapers can all contain executable code. Once that code is allowed to run, it has the same potential to cause damage as software downloaded anywhere else.

The rule is simple:

If community content can run code, treat it like software—not decoration.

The known infected Wallpaper Engine uploads have been removed, but attackers now know this method can work. Similar uploads will almost certainly appear again, either on Steam Workshop or other platforms built around user-created content.

Check the creator. Question executable content. Scan anything suspicious. Protect the Order.