Cybersecurity firm Kaspersky has uncovered malicious software embedded in certain Wallpaper Engine content distributed via the Steam Workshop. According to a report released by the company on Monday, attackers are disguising files—many appearing as animated desktop wallpapers—to steal Steam account credentials, hijack active sessions, and install additional malware on users’ systems.
Malicious content spread through Steam Workshop
The report details that these harmful files are often disguised as animated wallpapers featuring female anime characters. Kaspersky notes that Wallpaper Engine’s application-based feature for desktop wallpapers on Windows allows executable programs to run directly, which creates an opportunity for attackers to distribute malware under the guise of legitimate content.
Kaspersky revealed that dozens of compromised wallpaper packs have been identified on Steam Workshop, some of which have been downloaded thousands—even tens of thousands—of times.
According to the firm, while some wallpapers contain malware directly, others hide it within password-protected archives, which are extracted after installation. In one case detected in 2025, a wallpaper masqueraded as a launcher for a legitimate desktop game, but secretly installed the backdoor known as DarkKomet.
Account credentials and crypto wallets in the crosshairs
The investigation found that along with prominent infostealer malware families like Lumma and Vidar, attackers also leveraged the RenEngine loader. These programs are typically used to harvest usernames, passwords, browser data, and even cryptocurrency wallet credentials. Kaspersky researchers believe that more than one threat actor is likely behind the campaign, rather than a single group.
Mini glossary: An infostealer is a type of malware designed to collect sensitive information like login credentials, browser records, and digital wallet data from a computer. Lumma and Vidar are two of the most commonly known malware families in this domain.
Data from Kaspersky indicates that most victims are located in China and Russia, though infections have also been recorded in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
Surge in cases linked to Steam
Kaspersky researcher Maxim Starodubov attributes the effectiveness of these attacks to users’ trust in content hosted on reputable platforms. While many of the malware families used are not new, Starodubov explains that the attackers’ method of delivering them through seemingly harmless content enables wider reach among users.
Starodubov emphasized that even trusted platforms can be exploited, noting that attackers leverage the confidence users have in legitimate ecosystems to reach vast numbers of potential victims.
The findings suggest a growing trend of similar incidents linked to Steam. In July 2025, cybersecurity company Prodaft reported that the game Chemia, under Steam Early Access, was misused to spread Hijack Loader, Fickle Stealer, and Vidar Stealer. Earlier in March, the FBI had announced an investigation into malware campaigns propagated via games such as Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova on Steam.
Additionally, a separate study highlighted in the same source draws attention to sophisticated, AI-powered computer worms capable of autonomously spreading across networks. Researchers from the University of Toronto, the Vector Institute, Cambridge University, and ServiceNow described a conceptual AI worm that can identify vulnerabilities, adapt its attack strategy, and replicate itself across systems.
