Kaspersky’s Securelist published a research report on June 16 revealing that, since late 2025, someone has been continuously publishing malicious wallpapers in the Steam Workshop for Wallpaper Engine. Dozens of infected samples have been discovered, each with thousands to tens of thousands of downloads. The Steam team has now removed the confirmed malicious wallpapers from the platform. The attackers exploited Wallpaper Engine’s “application-type wallpaper” feature: such wallpapers are essentially independently runnable Windows programs, and the malicious code is embedded inside them. After installation, the payload executes automatically and silently, without affecting the wallpaper’s normal display at all. The main payloads discovered include the DarkKomet backdoor, the Lumma and Vidar information stealers, the RenEngine loader, as well as ransomware and cryptocurrency miners. Take a sample disguised as a desktop mini-game as an example: after the wallpaper runs, it drops Synaptics.exe (from the DarkKomet family) in the background and replaces the system DLL AggregatorHost.dll to hijack the user’s active Steam session. It then exfiltrates account credentials to the attacker’s server, and the stolen accounts are used to upload more malicious wallpapers.
As for the geographic distribution of victims, among the malicious download requests blocked by Kaspersky’s systems, 89% came from China, with Russia ranking second at 5.5%, followed by Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), and Vietnam (0.9%). The artistic style and titles of the wallpapers were customized for Chinese players. Based on this, researchers determined that the attack currently targets mainly Chinese users, but they believe the attackers could replicate the same method for other regions at any time. Because the malicious tools in use are highly diverse, researchers infer that this is not the work of a single hacker group, but rather of multiple independent gangs exploiting the same channel to spread malware simultaneously. Kaspersky recommends running an antivirus scan on any Wallpaper Engine Workshop wallpaper before applying it, and advises against relying fully on the platform’s review mechanism.
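Because application-type wallpapers are ordinary Windows programs, a quick inventory of the executables inside a downloaded wallpaper folder shows what needs scanning before the wallpaper is applied. The following Python script is an added example, not code from the Securelist report or from Wallpaper Engine; it detects PE files by header rather than by extension, and the folder path passed to it is an assumption supplied by the user.

```python
import hashlib
import struct
import sys
from pathlib import Path


def is_pe(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Hash the file in 1 MiB chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(wallpaper_dir: Path) -> list[dict]:
    """List every PE file under wallpaper_dir, whatever its extension."""
    found = []
    for path in sorted(p for p in wallpaper_dir.rglob("*") if p.is_file()):
        if is_pe(path):
            found.append({
                "file": str(path.relative_to(wallpaper_dir)),
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
                # A PE behind a media or data extension deserves a closer look.
                "odd_extension": path.suffix.lower() not in {".exe", ".dll"},
            })
    return found


if __name__ == "__main__":
    # Usage: python inventory.py <folder of one downloaded wallpaper>
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for entry in inventory(target):
        print(entry)
```

The SHA-256 values can be submitted to an antivirus product or a reputation service; a wallpaper that should only contain images or video yet lists any PE file is worth examining before it is applied.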