- Kaspersky found Steam Workshop wallpapers weaponized to distribute malware via Wallpaper Engine
- Dozens of malicious “app wallpapers” were downloaded tens of thousands of times, spreading backdoors, information stealers, miners and ransomware.
- Valve removed the infected uploads, but users warned that attackers could easily re-upload new ones.
Steam Workshop, a community platform built into Steam that allows users to share custom content, was being used to infect players with malware, researchers said.
For at least half a year, players who used the platform to download certain wallpapers were receiving various malware, Kaspersky recently explained.
This campaign has been underway since at least late 2025, Kaspersky said, with some sources noting that most of the victims are in Russia and China.
Dozens of malicious wallpapers
Steam is a very popular digital distribution platform for PC games, developed by a company called Valve. Integrated into it is Workshop, a community tool where players can share mods, maps, skins, wallpapers and other add-ons for games and apps.
Among other things, Steam Workshop allows players to use Wallpaper Engine, a desktop customization application that supports more than just “static” image wallpapers. With it, players can see videos, interactive animations and even entire applications displayed as wallpaper.
And that’s where the problem lies: hackers have been using app wallpapers as delivery mechanisms for different malware, including backdoors and cryptojackers.
“We discovered dozens of these malicious app wallpapers floating around the Steam Workshop, and each one of them had already been downloaded thousands – or even tens of thousands – of times,” Kaspersky said.
Taking a deeper look at weaponized wallpapers, Kaspersky discovered that the malware is often bundled or delivered within a password-protected file. The payload itself was said to run automatically the moment the user installs the wallpaper. In one example, Kaspersky received a backdoor, and in another, a data thief. Lumma and Vidar information stealers, cryptocurrency miners, botnet uploaders, RanEngine, and even ransomware strains were distributed this way.
Kaspersky revealed its findings only after Steam identified and removed all malicious wallpaper apps. However, users should approach it with caution, because there is nothing stopping threat actors from simply uploading new ones.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
