Cybercriminals are once again showing how even familiar platforms can be abused when users are not careful. This time, researchers from Kaspersky have uncovered an ongoing malware campaign that makes use of Steam Workshop and Wallpaper Engine to distribute malicious files disguised as downloadable wallpapers.
The main goal of the campaign appears to be stealing Steam accounts, but that is not the only risk. According to Kaspersky, some of the malicious wallpapers are also being used to deliver additional malware onto affected Windows systems.
How Steam Workshop And Wallpaper Engine Are Being Abused
Steam Workshop is widely used by the gaming community to download and share user-created content. Depending on the game or app, this can include mods, maps, cosmetic items, custom assets, and other community-made add-ons.
Wallpaper Engine, meanwhile, is a popular Steam application that allows users to customise their desktop with animated wallpapers, videos, webpages, and interactive backgrounds. It is one of those apps that many PC users trust because it is convenient, creative, and integrated directly into Steam.
That trust is exactly what attackers are trying to exploit. Instead of distributing malware through suspicious websites or random downloads, they are hiding it inside wallpaper packages shared through a platform that many users already feel comfortable using.
Thousands Of Downloads Reported
Kaspersky says its researchers found multiple malicious wallpaper packages that had already been downloaded thousands of times. Most of the affected users appear to be from China and Russia, although cases were also observed in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
This shows how quickly harmful content can spread when it is placed in a popular community marketplace. A wallpaper may look harmless on the surface, especially if it previews correctly and appears to function like any other animated background. However, once installed, the hidden malware can begin working quietly in the background.
Why Wallpaper Engine Can Be Targeted
The reason Wallpaper Engine is attractive to attackers is because it supports more than just simple image files. Some wallpapers can include interactive elements and components that run locally on the user's Windows PC.
That flexibility is part of what makes Wallpaper Engine powerful, but it also creates room for abuse. Kaspersky says attackers have been disguising malicious components inside wallpaper packages, making them appear like normal user-created content.
In some cases, the malware was bundled directly into the wallpaper package. In others, it was hidden inside protected archive files, with the required passwords stored in places that allowed the malicious content to be accessed during installation or loading.
For regular users, the danger is that everything may still look normal. The wallpaper can display properly, animate correctly, and appear to work as expected, while the malicious payload runs separately without obvious warning signs.
Steam Accounts Are A Major Target
One of the key objectives of the malware campaign is to steal Steam account information. Kaspersky reported that some infected wallpapers were designed to harvest account data and hijack active Steam sessions.
That is especially concerning because Steam accounts can hold real value. Many users have large game libraries, saved payment methods, valuable in-game items, marketplace balances, or rare cosmetics tied to their accounts. For attackers, compromising a Steam account can lead to resale, fraud, item theft, or further abuse.
In one example shared by Kaspersky, a wallpaper discovered in December 2025 appeared legitimate and worked normally. However, behind the scenes, it activated a backdoor and installed a modified library designed to collect Steam-related information.
Multiple Malware Families Involved
Kaspersky believes this is not necessarily the work of a single attacker group. Instead, the campaign may involve multiple independent actors using similar methods to take advantage of Steam Workshop and Wallpaper Engine.
Researchers identified several malware families linked to the campaign, including information stealers such as Lumma and Vidar, as well as the RenEngine loader. This suggests the campaign is broader than one isolated set of infected wallpapers.
It also means the impact can vary from one victim to another. Some users may have their Steam accounts targeted, while others may end up with additional malware installed on their system.
Some Content May Be Designed To Attract Risky Clicks
Kaspersky also noted that some infected wallpapers and mods appeared to include adult-themed content. The company did not confirm exactly why this pattern exists, but it is possible attackers are using this type of content because they believe it will attract more downloads.
This is a common tactic in malware distribution. Attackers often rely on curiosity, popular trends, or eye-catching content to convince users to download files without checking them properly.
It is a reminder that even when content is hosted on a platform people recognise, users should still be careful about what they install.
How Users Can Stay Safer
The safest approach is to treat user-generated downloads with some caution, even when they come from well-known platforms. Before downloading wallpapers, mods, or other community content, users should check the creator's reputation, reviews, upload history, and comments from other users.
It is also a good idea to avoid suspicious uploads, especially those that seem unusually new, overly vague, or too focused on attracting attention with questionable content.
Users should also keep their security software updated, enable Steam Guard, use strong and unique passwords, and be alert for unexpected account activity. If a Steam account suddenly logs out, sends strange messages, trades items without permission, or shows unfamiliar login attempts, it should be treated as a serious warning sign.
Trusted Platforms Still Need Caution
The campaign is a useful reminder that malware does not always come from obviously dangerous places. Attackers often go where users already are, and gaming platforms with large communities can become attractive targets.
Steam Workshop and Wallpaper Engine remain useful tools for PC gamers and desktop customisation fans, but this case shows why users should not blindly install every community-created item they come across.
As malware campaigns become more creative, the best defence is a mix of platform moderation, security tools, and user awareness. A wallpaper may seem like a simple visual upgrade, but if it comes from an untrusted source, it can become much more dangerous than it looks.
Comments