By Jason Nelson
2 min read
In the report published on Monday, Kaspersky said attackers used Steam Workshop to distribute malicious Wallpaper Engine downloads disguised as animated desktop wallpapers, many featuring female anime characters.
“The application-based wallpaper feature allows executable programs to run directly on a user's Windows computer, allowing attackers to distribute malicious software under the guise of legitimate content,” Kaspersky said, adding that it had identified dozens of infected wallpaper packages available through Steam Workshop.
Kaspersky also identified wallpaper distributing Lumma and Vidar infostealers, malware families commonly used to steal credentials, browser data, and cryptocurrency wallet information, alongside the RenEngine loader. Researchers said the activity appeared to involve multiple threat actors rather than a single group.
“Many of these packages had thousands or even tens of thousands of downloads,” the firm said.
According to Kaspersky, victims of the malware campaign were primarily in China and Russia, though infections were also seen in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
The malicious wallpapers either bundled malware directly or hid it inside password-protected archives that unpacked after installation, the company said, noting a 2025 case where a wallpaper appeared to launch a legitimate desktop game while secretly installing the DarkKomet backdoor.
"Trusted platforms can be abused to distribute malware: The attacks rely on users trusting content hosted within legitimate ecosystems,” Kaspersky researcher Maxim Starodubov said in a statement. “While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content."
The findings add to a growing list of Steam-related malware incidents.
In July 2025, researchers with cybersecurity firm Prodaft reported that the Steam Early Access game Chemia had been compromised to distribute Hijack Loader, Fickle Stealer, and Vidar Stealer malware targeting cryptocurrency wallets and user data. In March, the FBI announced an investigation into malware distributed through several Steam games, including Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova.
Decrypt-a-cookie
This website or its third-party tools use cookies. Cookie policy By clicking the accept button, you agree to the use of cookies.