Skip to content

Steam Workshop Abused to Spread Malware via Wallpaper Engine App

A recent report by Kaspersky reveals that threat actors have been abusing Steam Workshop, a community hub for downloading game-related content, to spread various types of malware. The malicious activity involves uploading infected wallpapers to the platform, which are then downloaded and installed by users through the Wallpaper Engine app.

**Steam Workshop Exploited for Malware Distribution**

Steam Workshop is a built-in content-sharing platform on Valve’s Steam gaming service where users can upload and download community-created content for games and applications. The content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers. In this case, attackers have been exploiting the Wallpaper Engine desktop customization application available on Steam, which has nearly a million reviews.

The Wallpaper Engine app supports four wallpaper types that render videos, interactive scenes, web pages that can play audio and video, and applications, which are active windows from software that Wallpaper Engine sets as the desktop background. Application wallpapers are executable Windows applications that can include games, desktop widgets, and system monitoring tools. Kaspersky warns that this feature represents a built-in security risk and has been abused to deliver malware to Steam users.

**Malicious Wallpapers Discovered on Steam Workshop**

According to the researchers, attackers have taken advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine. The report notes that dozens of these malicious application wallpapers were discovered on Steam Workshop, with each one having already been downloaded thousands – or even tens of thousands – of times.

Analysis of compromised wallpapers revealed that the malware is bundled either directly in the package or inside password-protected archives that the user is tricked into opening. The payloads execute automatically the moment the user installs the wallpaper, the researchers say. Kaspersky tested one of these wallpapers posing as a game called NTRaholic, which launched as expected upon execution to reduce suspicion. However, a backdoor file part of the DarkKomet malware family was installed in the background. A custom version of a system library called ‘AggregatorHost.dll’ was also installed to search for Steam accounts on the computer and steal account credentials.

**Multiple Malware Families Involved**

The researchers found multiple cases involving other malware families, such as the Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains. This shows that Wallpaper Engine was abused by multiple threat actors. While Steam has identified and removed all the malicious wallpaper applications that Kaspersky identified, researchers are warning that threat actors are likely to submit new ones.

**Mitigation Advice for Users**

To mitigate this risk, users are advised to download content from trusted sources and scan anything fetched from Steam Workshop using an up-to-date antivirus product.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *