Cybersecurity researchers at Kaspersky have uncovered a malware campaign running through Steam Workshop since late 2025. The attack targets users of Wallpaper Engine, a desktop customization app with nearly a million reviews on Steam, and has already reached thousands of people across multiple countries.
What Is Wallpaper Engine and Why Is It a Target?
Wallpaper Engine lets Windows users set animated backgrounds on their desktops. It supports four types of wallpapers: videos, interactive scenes, web pages, and application wallpapers. That last type is the problem.
Application wallpapers are actual Windows programs running in the background. They can be anything from mini-games to system monitors. Because they run as executable software, they can also carry malware. Kaspersky says attackers figured this out and started using the feature to drop malicious payloads directly onto users’ desktops.
Steam Workshop, the platform’s built-in content sharing system, allows anyone to upload and publish wallpapers for free. There is no requirement for account age or review history. That open access made it easy for attackers to upload infected content and let unsuspecting users install it.
Dozens of Infected Wallpapers, Tens of Thousands of Downloads
Kaspersky researchers found dozens of malicious wallpaper packages on Steam Workshop. According to their report, many of these had already been downloaded thousands of times, with some reaching tens of thousands of installs before being identified.
The malware was hidden in two ways. In some packages, infected executables, DLLs, or scripts were bundled directly alongside the wallpaper files. In other cases, attackers concealed the payload inside password-protected archives. The password was either embedded in the archive name or stored in a JSON config file that came with the wallpaper. Either way, the payload ran automatically the moment a user applied the wallpaper.
What Happens When You Install an Infected Wallpaper
Kaspersky tested one wallpaper posing as a game called NTRaholic. The game launched normally and showed no signs of anything wrong. Behind the scenes, the wallpaper dropped a backdoor file named Synaptics.exe, part of the DarkKomet malware family. A second executable then installed a custom version of a system library called AggregatorHost.dll. That library had one job, which is to find the Steam app on the computer and steal account credentials. Once it located an active Steam session, it hijacked it and sent the stolen data to attacker-controlled servers.
That was just one example. Kaspersky’s research turned up several other malware families distributed through the same method, including the Lumma and Vidar infostealers, crypto miners, botnet loaders, the RenEngine loader, and ransomware strains. Because the variety of tools was so wide, Kaspersky suspects multiple independent threat actors were using Wallpaper Engine at the same time rather than a single coordinated group.
In some cases, once attackers gained control of a victim’s Steam account, they used it to upload more malicious wallpapers to the Workshop, continuing the cycle.
Anyone who thinks they may have already installed an infected wallpaper should run a full malware scan immediately. Changing passwords for Steam, email, and any linked payment services is also advisable.
