Cybersecurity company Kaspersky announced that it detected malware in some Wallpaper Engine content spread through Steam Workshop. According to the company’s report published on Monday, attackers aimed to capture users’ Steam account information, take over active sessions, and install additional malware by using files that look like animated desktop wallpapers.
Distributed via Steam Workshop
The report stated that the malicious content appeared in particular among animated wallpapers themed around female anime characters. Kaspersky reported that Wallpaper Engine’s application-based wallpaper feature allows executable programs to be launched directly on Windows computers, which gives attackers room to distribute malware under the guise of legitimate content.
Kaspersky announced that dozens of infected wallpaper packages were detected on Steam Workshop, and some of these packages were downloaded thousands or even tens of thousands of times.
According to the company, some wallpapers contained the malware directly, while others hid it in password-protected archives. It was stated that these archives were opened after installation. Kaspersky stated that in an example detected in 2025, a wallpaper appeared to the user to be launching a legitimate desktop game while it loaded the DarkKomet backdoor in the background.
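A triage sketch for the two delivery forms described above, added here as an example and not taken from Kaspersky's report: it walks a downloaded content folder and flags Windows executables (by their MZ header) and ZIP archives with encrypted members. The folder argument, the labels and the function names are assumptions of this example; 7z and RAR files are only identified by their magic bytes, because the Python standard library cannot read their encryption state.

```python
import os
import sys
import zipfile

# Archive formats whose encryption state the standard library cannot inspect.
OPAQUE_ARCHIVES = {b"7z\xbc\xaf\x27\x1c": "7z-archive", b"Rar!\x1a\x07": "rar-archive"}


def classify(path):
    """Return the reasons one file deserves a closer look (empty list if none)."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:2] == b"MZ":  # DOS/PE header: Windows executable or DLL
        findings.append("windows-executable")
    for magic, label in OPAQUE_ARCHIVES.items():
        if head.startswith(magic):
            findings.append(label)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                findings.append("password-protected-zip")
    return findings


def scan(root):
    """Walk a content folder and map each flagged relative path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                found = classify(full)
            except (OSError, zipfile.BadZipFile):
                found = ["unreadable"]
            if found:
                report[os.path.relpath(full, root)] = found
    return report


if __name__ == "__main__":
    # The folder to audit is passed on the command line (assumption of this example).
    for rel, found in sorted(scan(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(found)}")
```

A flagged file is a prompt for review, not a verdict: the check matches on file type only and says nothing about what an executable does.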
Account information and wallet data were targeted
According to the research, the RenEngine installer was also used, in addition to information-stealing malware families such as Lumma and Vidar. Such malware is generally used to collect usernames and passwords, browser data and cryptocurrency wallet information. Kaspersky researchers assessed that the activity pointed to multiple threat actors rather than a single group.
Mini dictionary: Infostealer refers to a type of malware designed to collect sensitive information on the computer, such as login information, browser logs and digital wallet data. Lumma and Vidar are two different malware families that are frequently mentioned in this field.
According to Kaspersky data, the majority of the victims were found in China and Russia. However, infections were also observed in Singapore, Hong Kong, Germany, Vietnam, India and Canada.
The number of Steam-related cases is increasing
Kaspersky researcher Maxim Starodubov said that the attacks rest on users’ trust in content hosted on trusted platforms. According to the researcher, many of the malware families used have been known for a long time, but the distribution method makes it easier for attackers to reach a wide range of users through seemingly harmless content.
Maxim Starodubov stated that trusted platforms can also be abused, that the attacks take advantage of the trust in content hosted within legitimate ecosystems, and that this method lets attackers reach a large number of potential users.
The findings indicate that similar Steam-related incidents have increased recently. In July 2025, cybersecurity company Prodaft reported that the Chemia game within Steam Early Access was misused to distribute Hijack Loader, Fickle Stealer and Vidar Stealer. In March, the FBI announced that it had launched an investigation into malware spread through various Steam games, including Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara and Tokenova.
A separate study covered in the same text drew attention to artificial intelligence-supported, adaptive computer worms that can spread on their own within a network. The study, prepared by researchers from the University of Toronto, Vector Institute, University of Cambridge and ServiceNow, described a conceptual artificial intelligence worm that can detect security vulnerabilities, build an attack path tailored to the target and replicate itself throughout the network.

