Popular Steam wallpaper app hijacked to spread dangerous malware — how to stay safe

Any image you download online could contain malware. However, the hackers behind this campaign are leveraging an incredibly popular Steam app to do so instead. With 20 to 50 million installs according to SteamSpy, Wallpaper Engine is one of the most downloaded apps on the platform.

What makes Wallpaper Engine so popular, though, is that users can download hundreds of thousands of desktop wallpapers made by other users through Valve’s community hub, Steam Workshop. By abusing this feature, the hackers are easily able to disseminate their infected wallpapers.

Here’s everything you need to know about the latest malware threat on Steam and how you can keep your account — and your gaming PC — safe from hackers.

Malicious application wallpapers

For those unfamiliar, in addition to static wallpapers, Wallpaper Engine also supports four dynamic wallpaper types that can render videos, interactive scenes, webpages with audio and video, and applications. That last one is incredibly important in this campaign.

Unlike a JPEG or PNG file, Wallpaper Engine’s application wallpapers are full-on Windows executables that run like any other program on your PC. According to researchers at the cybersecurity firm Kaspersky, not only do they pose a built-in security risk, but they’re also currently being used by hackers to deliver malware to unsuspecting Steam users.

In a blog post, Kaspersky’s researchers explained how they discovered dozens of malicious application wallpapers on Steam Workshop, many of which had been downloaded thousands or even tens of thousands of times. By analyzing the application wallpapers in question, the researchers found that the malware is either bundled directly into their installation packages or hidden inside password-protected archives that users are then tricked into opening. Unfortunately, the damage is done immediately after one of these compromised wallpapers is installed.

After a user installs one such asset posing as a game called NTRaholic, the wallpaper launches as expected. However, in the process, a backdoor file belonging to the DarkKomet malware is also installed in the background. In order to search for and steal Steam credentials, a custom version of a system library called ‘AggregatorHost.dll’ is installed as well.

In addition to DarkKomet, Kaspersky’s researchers also found other malware families installed in these malicious wallpapers, like the Lumma and Vidar infostealers. They were even used to spread ransomware, too.

How to stay safe from malware

Fortunately, after Kaspersky alerted Valve about this campaign, all of the infected wallpapers in question were removed from the Steam Workshop. Still, this is an excellent reminder to always be careful when downloading files online, even if they come from a trusted platform.

In order to stay safe from any malware contained within desktop wallpapers, game mods, or games themselves, you definitely want to make sure your gaming PC is protected with the best antivirus software. If you want to be extra careful, you might also consider investing in one of the best identity theft protection services. That way, if your credentials are compromised as a result of what you download online, you have a safety net to help monitor your data and recover financial losses from fraud.

When in doubt, stick to trusted creators when downloading new wallpapers and be extra cautious before running any executable on your gaming PC. This likely won’t be the last time hackers target Steam in their attacks, but Valve has an excellent track record of quickly responding to and dealing with malicious activity on its platform.

More from Tom's Guide

• I just got hit by the Ultrahuman data breach — here's what hackers stole from my account
• Update your Nvidia GPU drivers now to protect your PC from 9 "high-severity" vulnerabilities — here's what's at risk
• I just tried Asus’ upgraded Xbox Ally X20 for ROG’s 20th anniversary — and it isn’t just another special edition handheld