What Wallpaper Engine Malware Is and Why It Matters
Wallpaper Engine malware is malicious code hidden inside desktop wallpaper packages on Steam Workshop that uses Wallpaper Engine’s features to run executable files, steal Steam account data, and install stealthy backdoor trojans on users’ computers without obvious warning signs. Wallpaper Engine, a hugely popular customization app with around 20 million downloads, lets users apply animated and interactive wallpapers shared through Steam Workshop. Threat actors are exploiting this trusted ecosystem by uploading wallpapers that look like harmless anime scenes, mini‑games, or visual effects but secretly run hidden scripts. These scripts can retrieve and launch additional payloads, leading to Steam account theft, data exfiltration, crypto‑mining, or ransomware infections. Because the attack abuses user‑generated content rather than a flaw in Steam or Wallpaper Engine itself, it acts as a supply‑chain style attack that rides on top of a trusted, widely used platform to reach millions of potential victims.
How Malware Hides Inside Steam Wallpapers
Kaspersky researchers found that attackers are abusing Wallpaper Engine’s “application wallpaper” feature, which allows Workshop items to include .exe, .dll, and script files that run as soon as a wallpaper is applied. One sample from December 2025 launched what appeared to be a tiny desktop mini‑game while silently deploying the DarkKomet backdoor and collecting Steam session data in the background. In other cases, malicious wallpapers bundled password‑protected archives with the password written in the filename, a trick that makes hidden payloads easier to slip past casual inspection. According to Kaspersky, dozens of anime‑style wallpaper packages accumulated thousands to tens of thousands of downloads each before Valve removed them, and fresh uploads keep appearing. Many payloads are classic infostealers like Lumma and Vidar, along with loaders such as RenEngine, crypto‑miners, and even ransomware, all delivered under the guise of cosmetic customization.
From Cute Anime to Steam Account Theft and Backdoor Trojans
Once a malicious wallpaper runs, the chain of attack often begins with collecting Steam session data, cookies, and stored credentials so attackers can hijack accounts, sell them, or use them to spread more malware in friends’ lists and communities. Infostealers delivered through these wallpapers can also target browser passwords, saved logins for other gaming platforms, and cryptocurrency wallets. Meanwhile, backdoor trojans like DarkKomet give attackers ongoing access to the system, enabling them to install new payloads, spy on user activity, or run crypto‑miners and ransomware on demand. Importantly, Kaspersky notes that Wallpaper Engine itself is not compromised; the attackers rely on the open Workshop ecosystem and users’ “blind trust” in community content. This turns every compromised wallpaper into a small, hidden supply‑chain attack: a malicious executable dressed up as a colorful anime background that users install willingly on a platform they assume is safe.
Steam Workshop Security and the Bigger Supply-Chain Risk
This campaign shows how malware in wallpaper apps can exploit trust in user‑generated platforms far beyond a single app. Steam Workshop has long been a central hub where players download mods, maps, skins, and wallpapers from strangers whose code still runs on their systems. The recent Wallpaper Engine malware is not caused by a security bug in Steam; instead, it proves that any platform allowing executable content from the community can become an attack surface. Kaspersky reports multiple independent threat actors exploiting this vector, with most detected infections tied to a particular set of regions but with victims also spread across several others. The same pattern could threaten game mods, Discord bots, or browser extensions, where cosmetic or convenience features hide executables. An application wallpaper is, in practice, an executable wearing a pretty face, and every such file should be treated with the same caution as a standalone program download.
How to Protect Your Steam Account and PC from Wallpaper Malware
Users do not need to abandon Steam Workshop, but they must stop treating it like a fully curated app store. Before installing any wallpaper, check the creator’s profile, their history of uploads, and recent comments for signs of suspicious behavior. Avoid Workshop items that bundle extra .exe, .dll, or script files beyond what a wallpaper needs, and treat password‑protected archives as immediate red flags. According to Kaspersky, Microsoft Defender and other reputable security suites already detect many of the known malicious packages, so keep your antivirus enabled and updated. Enable Steam Guard, use a unique password, and log out of all sessions if anything feels off with your account. More broadly, apply the same discipline to any user‑generated executable content: if a wallpaper, mod, or plugin can run code, assume it can install backdoor trojans or steal data, and only trust sources with clear, long‑term reputations.
