www.it-connect.fr
Steam Warning: Animated Wallpapers Used to Deploy Infostealers and Ransomware
Animated wallpapers distributed via the Steam Workshop have been used by cybercriminals to spread malware across thousands of machines. A Kaspersky report dated June 16, 2026, describes this campaign based on the Wallpaper Engine application.
A Legitimate Feature Turned Into an Infection Vector
Among the games and tools available on Steam, there is Wallpaper Engine, an application that lets users use animated wallpapers on a computer. Pretty cool, some would say. Maybe, unless the wallpaper comes with malware capable of stealing your credentials.
A new report published by Kaspersky reveals a campaign carried out through the Steam Workshop. Directly integrated into Valve's platform, this online marketplace makes it easy to find, install, and manage community content. It includes mods, maps, items, and even wallpapers.
This last type of content is the one being directly abused by hackers. But this is not just any wallpaper: it is an app wallpaper that can be activated on a PC using the Wallpaper Engine tool (available in the Steam store). Wallpaper Engine supports several wallpaper formats: videos, interactive scenes, web pages, and applications.
It allows programs to run directly on the victim's Windows machine (including DLL libraries), which opens up very interesting possibilities for wallpapers. For attackers too, and that is exactly what happened. Kaspersky identified dozens of booby-trapped packages available through the Steam Workshop, some of which had thousands, even tens of thousands, of downloads!
The researchers observed two main methods used to infect machines:
- Executable files (EXE), libraries (DLL), and malicious scripts directly embedded in the wallpaper package.
- Malware hidden in password-protected archives, with the password itself placed in the archive name or in configuration files, so that scripts could automatically extract the payload.
In both cases, once the wallpaper is installed, the malware runs on Windows.
What Malware Is Being Distributed Through Steam Workshop?
First, it is important to know that the wallpapers are functional: the malicious activity is triggered in the background. The first malware detected was DarkKomet, a backdoor. It installed a modified library designed to target Steam users: it collected account information and hijacked active Steam sessions, making it possible to take over the account.
That is not all. According to Kaspersky, the campaign also involved infostealers such as Lumma and Vidar, as well as the RenEngine loader, along with cryptocurrency miners and ransomware. A real minefield.
"These attacks were likely carried out by several independent malicious actors rather than a single group, and were not limited to a single malware family," the Kaspersky researchers explain in their report.
As for the victims, users located in China and Russia were hit the hardest, with other victims identified in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. China alone would account for 89% of the detected malicious download attempts.
The takeaway: don't install animated wallpapers.
