How the malware deploys | Image: Kaspersky Labs
At a Glance
- Malware Family: Various (DarkKomet, infostealers, crypto miners)
- Threat Actor: Suspected multiple independent hacking groups
- Targets: Gamers (primarily in China and Russia)
- Delivery Vector: Steam Workshop via Wallpaper Engine application
- Key Capabilities: Session hijacking, credential theft, ransomware, cryptomining
- Source: Kaspersky Labs
TL;DR
Attackers are abusing the Steam Workshop to distribute malicious wallpapers for the popular Wallpaper Engine application, hiding malware inside custom desktop backgrounds. The campaign lets them steal account credentials, hijack Steam sessions, deploy ransomware, and install crypto miners on victims' machines.
Delivery
Since late 2025, attackers have targeted gamers through the Wallpaper Engine app, which lets users create and share custom animated backgrounds on the Steam Workshop. Alongside conventional animated backgrounds, the application supports "application" wallpapers, which are standalone Windows programs that run when the wallpaper is applied. Cybercriminals embed malicious code directly into these executable wallpapers, either packaging the malware next to the legitimate executable or hiding it inside a password-protected archive. In the latter case the password is left in the archive's file name or in a JSON configuration file shipped with the wallpaper. Each malicious package observed had recorded thousands of downloads.
Infection Chain
Users trigger the infection simply by applying the compromised wallpaper. In one example, a game-themed wallpaper drops a backdoor from the DarkKomet family while its executable launches the visible desktop animation, so the victim sees nothing unusual. The same executable also installs a modified library named AggregatorHost.dll. That library searches the infected machine for the Steam client; once it finds it, the payload hunts for saved account credentials and hijacks the user's active Steam session. The attackers then use the hijacked session to publish further malicious wallpapers from the victim's own Workshop account, which is how the campaign keeps spreading.
Command-and-Control and Data Exfiltration
The patched DLL is the primary exfiltration component: after collecting the session data, it sends the information to an external command-and-control server. Because the observed payloads vary widely (DarkKomet backdoors, infostealers, ransomware and crypto miners), researchers suspect several independent groups are running campaigns over the same delivery channel. Users in China account for 89.4% of download attempts, with Russian gamers second at 5.5%.
Defense and Detection Guidance
Treat application-type wallpapers from the Steam Workshop as what they are: untrusted executables from an anonymous publisher. Avoid installing standalone programs disguised as desktop backgrounds, and be especially wary of wallpaper packages that bundle an executable or a password-protected archive whose password sits in the file name or configuration. Enable multi-factor authentication (Steam Guard) on your Steam account. Note that MFA blocks new logins but not the reuse of an already-authenticated session, so if you suspect infection, change your password, sign out of all other devices, and review your own Workshop submissions for items you did not publish. Keep your antivirus software updated to block the known infostealers and backdoors associated with these files. You can read the full report at Kaspersky's advisory on malicious wallpapers for more technical details.
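The traits described in the Delivery and Infection Chain sections (an "application" type in the wallpaper's JSON configuration, a bundled executable, a DLL named AggregatorHost.dll, and an archive whose password is left in its file name or in the configuration) are all visible on disk before the wallpaper is ever applied. The script below is an added triage example written for this page, not tooling from Kaspersky or Wallpaper Engine. It assumes the standard Steam layout (subscribed items under steamapps/workshop/content/431960/<item id>/, where 431960 is Wallpaper Engine's app ID), that each item carries a project.json with a "type" field, and uses simple password-hint heuristics of its own; the sample workshop tree it scans is constructed in a temporary directory and contains no real malware.

```python
"""Triage scan of Wallpaper Engine workshop items for the traits described above."""
from __future__ import annotations

import json
import re
import tempfile
import zipfile
from pathlib import Path

# Wallpaper Engine's Steam app ID; Steam stores subscribed workshop items under
# <steam>/steamapps/workshop/content/<appid>/<item id>/ (standard Steam layout,
# an assumption of this example rather than something the report states).
WALLPAPER_ENGINE_APPID = "431960"

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# The report names AggregatorHost.dll; a DLL named after a Windows component
# has no business inside a wallpaper package.
SUSPECT_DLL_NAMES = {"aggregatorhost.dll"}
# "password"/"pass"/"pwd", optional separators, then the token that follows,
# e.g. "assets_pass_1234" -> "1234", "password: hunter2" -> "hunter2".
PASSWORD_RE = re.compile(r"(?:password|pass|pwd)[\s:=_\-]*([^\s,;/\\]+)", re.IGNORECASE)


def find_password_hints(text: str) -> list[str]:
    """Return tokens that look like a password left in a name or description."""
    return [m.group(1) for m in PASSWORD_RE.finditer(text)]


def iter_strings(obj, key=""):
    """Yield (key, value) for every string anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_strings(v, str(k))
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v, key)
    elif isinstance(obj, str):
        yield key, obj


def zip_is_encrypted(path: Path) -> bool:
    """True if any member of a zip has the encryption bit set in its flags."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False


def scan_item(item_dir: Path) -> dict:
    """Triage one workshop item directory; returns its type and a list of flags."""
    flags, wp_type = [], None
    project = item_dir / "project.json"
    if project.is_file():
        try:
            data = json.loads(project.read_text(encoding="utf-8-sig"))
        except (ValueError, OSError):
            data, flags = {}, ["project.json unreadable"]
        if not isinstance(data, dict):
            data = {}
        wp_type = str(data.get("type", "")).lower() or None
        if wp_type == "application":
            flags.append("application-type wallpaper: runs a standalone program")
        for key, text in iter_strings(data):
            if any(w in key.lower() for w in ("pass", "pwd")):
                flags.append(f"password-like key in project.json: {key}={text!r}")
            else:
                for tok in find_password_hints(text):
                    flags.append(f"password hint in project.json {key!r}: {tok!r}")
    for f in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        rel, ext = f.relative_to(item_dir), f.suffix.lower()
        if f.name.lower() in SUSPECT_DLL_NAMES:
            flags.append(f"DLL named after a Windows component: {rel}")
        elif ext in EXECUTABLE_EXT:
            flags.append(f"executable content: {rel}")
        if ext in ARCHIVE_EXT:
            flags.append(f"bundled archive: {rel}")
            for tok in find_password_hints(f.stem):
                flags.append(f"password hint in archive name: {tok!r}")
            if ext == ".zip" and zip_is_encrypted(f):
                flags.append(f"encrypted zip: {rel}")
    return {"item": item_dir.name, "type": wp_type, "flags": flags}


def scan_workshop(content_dir: Path) -> list[dict]:
    """Scan every item directory under .../workshop/content/431960/."""
    return [scan_item(d) for d in sorted(content_dir.iterdir()) if d.is_dir()]


def build_sample_workshop(root: Path) -> Path:
    """Construct a fake workshop tree (sample data made up for this example)."""
    content = root / "steamapps" / "workshop" / "content" / WALLPAPER_ENGINE_APPID
    benign = content / "1000000001"  # ordinary scene wallpaper
    benign.mkdir(parents=True)
    (benign / "project.json").write_text(json.dumps(
        {"title": "Quiet Forest", "type": "scene", "file": "scene.pkg"}), encoding="utf-8")
    (benign / "scene.pkg").write_bytes(b"PKGV0001")
    bad = content / "1000000002"  # application wallpaper with the traits from the report
    bad.mkdir(parents=True)
    (bad / "project.json").write_text(json.dumps(
        {"title": "Game Wallpaper HD", "type": "application", "file": "wallpaper.exe",
         "description": "unpack assets first, password: steam2025"}), encoding="utf-8")
    (bad / "wallpaper.exe").write_bytes(b"MZ")  # stand-in bytes, not a real binary
    (bad / "AggregatorHost.dll").write_bytes(b"MZ")
    with zipfile.ZipFile(bad / "assets_pass_1234.zip", "w") as zf:
        zf.writestr("payload.bin", b"\x00")
    return content


def demo() -> dict:
    """Run the scanner over the constructed tree; returns results keyed by item id."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["item"]: r for r in scan_workshop(build_sample_workshop(Path(tmp)))}


if __name__ == "__main__":
    for item, r in demo().items():
        print(f"{item} type={r['type']}")
        for flag in r["flags"]:
            print("   ", flag)
```

To run it against a real install, point scan_workshop() at your own steamapps/workshop/content/431960 directory instead of the constructed tree. A flagged item is not proof of malware (legitimate application wallpapers do ship executables), but an item that combines an application type, a DLL borrowing a Windows component's name, and an archive with its password in plain sight matches the pattern in the report closely enough to warrant unsubscribing and submitting the files for analysis.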