- Kaspersky found Steam Workshop wallpapers that were the weapon for delivering malware via the Wallpaper Engine
- Dozens of malicious “application backgrounds” downloaded tens of thousands of times, spreading backdoors, info stealers, miners and ransomware
- Valve removed the infected uploads, but users warned that attackers could easily upload new ones again
Steam Workshop, a community platform built into Steam that allows users to share custom content, was used to infect players with malware, researchers have claimed.
For at least half a year, gamers who used the platform to download certain wallpapers got various malware, Kaspersky explained recently.
This campaign has been running since at least the end of 2025, Kaspersky said – with some sources noting that the majority of victims are in Russia and China.
Dozens of malicious wallpapers
Steam is a hugely popular digital distribution platform for PC games, developed by a company called Valve. Built into it is the Workshop, a community tool where players can share mods, maps, skins, wallpapers and other additions to games and applications.
Among other things, Steam Workshop allows players to use Wallpaper Engine, a desktop customization application that supports more than just “static” image backgrounds. With it, players can display videos, interactive animations and even entire applications as wallpaper.
And therein lies the problem – hackers have been using application backends as delivery mechanisms for various malware, including backdoors and cryptojackers.
“We discovered dozens of these malicious application backgrounds floating around the Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times,” Kaspersky said.
Looking deeper into the weaponized backgrounds, Kaspersky found that the malware is often either bundled in the package or delivered in a password-protected archive. The payload itself is executed automatically the moment the user installs the wallpaper, it said. In one example Kaspersky was served a backdoor and in another an info thief. Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine and even ransomware strains were all distributed this way.
Kaspersky only revealed its findings after Steam had identified and removed all the malicious wallpaper programs. However, users should proceed with caution as there is nothing preventing the threat actors from simply uploading new ones.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
