- Kaspersky found Steam Workshop wallpapers weaponized to deliver malware via Wallpaper Engine
- Dozens of malicious “application wallpapers” downloaded tens of thousands of times, spreading backdoors, infostealers, miners, and ransomware
- Valve removed the infected uploads, but users warned attackers could easily re‑upload new ones
Steam Workshop, a community platform built into Steam that allows users to share custom content, was being used to infect gamers with malware, researchers have claimed.
For at least half a year, gamers that used the platform to download certain wallpapers were being served various malware, Kaspersky recently explained.
This campaign has been running since at least late 2025, Kaspersky said - with some sources noting the majority of the victims are in Russia and China.
Dozens of malicious wallpapers
Steam is a hugely popular digital distribution platform for PC games, developed by a company called Valve. Baked into it is Workshop, a community tool where gamers can share mods, maps, skins, wallpapers, and other add-ons for games and applications.
Among other things, Steam Workshop allows gamers to use Wallpaper Engine, a desktop customization application that supports more than just “static” image wallpapers. With it, gamers can have videos, interactive animations, and even entire applications, displayed as a wallpaper.
And that is where the problem lies - hackers have been using application wallpapers as delivery mechanisms for different malware, including backdoors and cryptojackers.
"We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times," Kaspersky said.
Looking deeper into the weaponized wallpapers, Kaspersky found that the malware is often either bundled in the package, or delivered inside a password-protected archive. The payload itself gets executed automatically the moment the user installs the wallpaper, it was said. In one example, Kaspersky was served a backdoor, and in another, an infostealer. Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains, were all being distributed this way.
Kaspersky disclosed its findings only after Steam identified and removed all of the malicious wallpaper applications. However, users should approach with caution, because there’s nothing stopping the threat actors from simply uploading new ones.
Via BleepingComputer
