Key facts
- Malicious Wallpaper Engine downloads were found on Steam Workshop, disguised as anime-themed wallpapers.
- The malware steals Steam credentials and hijacks active gaming sessions.
- Payloads deployed include Lumma and Vidar infostealers, targeting cryptocurrency wallet information.
- Attackers exploited Wallpaper Engine's ability to run executable programs.
- Dozens of infected wallpaper packages were identified, some with tens of thousands of downloads.
- Victims were primarily located in China and Russia.
Cybersecurity firm Kaspersky has uncovered a campaign in which attackers use Steam's Workshop to distribute malicious software disguised as animated desktop wallpapers, many featuring anime characters. The downloads are primarily for the Wallpaper Engine application, which allows executable programs to run directly on a user's Windows computer, and attackers abuse that capability to distribute malware.
The discovered malware packages not only steal Steam credentials and hijack active gaming sessions but also deploy additional payloads, including well-known infostealers like Lumma and Vidar. These infostealers are designed to steal credentials, browser data, and cryptocurrency wallet information. Researchers noted that the activity appears to involve multiple threat actors rather than a single entity, with many of the infected wallpaper packages accumulating thousands, and in some cases tens of thousands, of downloads.
Victims of this campaign were predominantly located in China and Russia, though infections were also reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. The malicious wallpapers were delivered either by bundling malware directly or by hiding it within password-protected archives that would unpack after installation. Kaspersky highlighted a 2025 case where a wallpaper secretly installed the DarkKomet backdoor while appearing to launch a legitimate desktop game.
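Both delivery methods described above leave files on disk that a defender can triage. The following is an added example, not code from Kaspersky or Valve: it walks a folder of downloaded Workshop items and flags Windows executables (by PE header, regardless of extension) and archives, including ZIP files with password-protected entries. The folder to scan is an assumption supplied by the reader, and the function names are illustrative.

```python
import struct
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Magic bytes of archive formats this sketch recognises but does not open.
ARCHIVE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z archive", b"Rar!\x1a\x07": "RAR archive"}

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(path: Path) -> Optional[str]:
    """Return a reason string if the file deserves review, else None."""
    with path.open("rb") as fh:
        head = fh.read(4096)  # enough for typical PE headers and all magics
    if is_pe(head):
        return "Windows executable (PE)"
    for magic, label in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return f"{label} (contents not inspected)"
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            # Bit 0 of the general-purpose flag marks a password-protected entry.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "ZIP with password-protected entries"
    return None

def scan(root: Path) -> Dict[str, str]:
    """Map relative file path -> reason for every flagged file under root."""
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reason = classify(path)
        if reason:
            hits[path.relative_to(root).as_posix()] = reason
    return hits

if __name__ == "__main__":
    import sys
    # Usage: python scan_workshop.py <folder containing downloaded Workshop items>
    for name, reason in scan(Path(sys.argv[1])).items():
        print(f"{reason}: {name}")
```

A hit is a prompt for review, not a verdict: a wallpaper item that ships an executable or a locked archive is worth checking before Wallpaper Engine is allowed to launch it.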
This incident adds to a growing list of malware threats targeting the Steam platform and its users. Previous reports include a July 2025 incident where the Steam Early Access game Chemia was compromised to distribute malware targeting cryptocurrency wallets, and an FBI investigation into malware distributed through several other Steam games in March.
