What the Wallpaper Engine Malware Campaign Is
The Wallpaper Engine malware campaign is a long-running attack where cybercriminals hide credential-stealing and backdoor malware inside community-made animated wallpapers, abusing Wallpaper Engine’s ability to run executable “application wallpapers” from Steam Workshop as full Windows programs the moment users apply them. Security researchers from Kaspersky and others report that malicious uploads have been circulating on Steam since late 2025, affecting tens of thousands of users and turning a popular customization app with around 20 million downloads into an accidental malware distribution platform. These poisoned wallpapers often look like harmless anime scenes or mini-games while quietly stealing Steam account data or dropping additional payloads in the background. The campaign does not exploit a vulnerability in Steam or Wallpaper Engine itself; instead, it weaponizes user trust in the Steam Workshop and the freedom it grants creators to ship executable content.
How Anime Wallpapers Hide Malware and Steal Steam Accounts
Attackers focus on anime wallpaper exploit packages because they attract clicks and look harmless. Many infected wallpapers feature anime-style art or interactive scenes, but inside the same package sit hidden .exe, .dll, and script files. When you apply the wallpaper, those executables run with normal Windows program privileges. Once running, the malware can harvest Steam credentials, hijack live sessions, and send the stolen data to attacker-controlled servers, leading to Steam account theft and potential further compromise of the system. According to Kaspersky, dozens of these malicious wallpapers each reached thousands to tens of thousands of downloads before removal. Some samples deployed known backdoors such as DarkKomet, while others delivered infostealers like Lumma or Vidar, loaders, crypto-miners, or ransomware. Because the visible wallpaper behaves as expected, most victims never realize their “cute” wallpaper doubles as a keylogger or backdoor.
The Executable Wallpaper Exploit: Archives, Scripts, and Hidden Payloads
The core of this attack is Wallpaper Engine’s Application Wallpaper feature, which allows community-developed executables such as games, system monitors, or planners to run as wallpapers. Criminals turned that flexibility into a malware distribution platform by bundling malicious code alongside the legitimate executable. One common technique is shipping the wallpaper in an archive that also holds extra .exe files, DLLs, or scripts. Often these archives are password-protected, with the password conveniently written in the filename to avoid user suspicion while still evading some scanners. When the wallpaper is launched, a script or launcher executable automatically extracts and runs the hidden payload. Researchers who tested a malicious anime mini-game reported that the game “ran flawlessly,” yet silently dropped a DarkKomet-family backdoor under the name Synaptics.exe and a malicious AggregatorHost.dll, proving how seamless and stealthy an executable wallpaper exploit can be.
How to Protect Your Steam Account from Wallpaper Engine Malware
Users do not need to abandon animated wallpapers, but they must stop treating every Steam Workshop item as safe. First, audit your Wallpaper Engine subscriptions and remove wallpapers you do not recognize, especially anime-themed executable wallpapers or anything that came in an archive with extra files. Avoid wallpapers that require external downloads or password-protected archives, and check creator profiles and comments for warnings or suspicious behavior. Enable a reliable antivirus and keep it active so it can scan new downloads and block known malware families delivered through these packages. Change your Steam password immediately if you have installed community-made application wallpapers, and enable Steam Guard or another form of two-factor authentication to limit damage from stolen credentials. Treat user-generated content as you would any software download: verify the source, watch for unusual behavior, and be ready to unsubscribe and delete anything that feels off.
