Kaspersky discovered a malware campaign targeting Steam users, revealing how cybercriminals are exploiting trusted gaming platforms to distribute malicious software disguised as desktop wallpapers. The campaign highlights the growing risks associated with downloading user-generated content without proper verification.
Kaspersky discovered a malware campaign targeting Steam users through infected wallpapers
Kaspersky researchers have uncovered an active malware distribution campaign that leverages Steam Workshop and Wallpaper Engine, one of Steam’s most popular applications for creating and sharing animated desktop wallpapers. The investigation found multiple infected wallpaper packages that had collectively attracted thousands of downloads, exposing users to malware capable of stealing gaming accounts and deploying additional malicious software.
According to the cybersecurity company, the campaign primarily targeted users in China and Russia, although infections were also identified in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. Researchers believe the attacks were designed to compromise Steam accounts while providing cybercriminals with broader access to infected systems.
Steam Workshop, an integrated feature of the Steam gaming platform, enables users to browse, install, and manage community-created content, including game modifications, maps, cosmetic items, and wallpapers. While the platform has become a popular hub for user-generated content, Kaspersky’s findings demonstrate how attackers can misuse legitimate services to spread malware.
The campaign specifically abused Wallpaper Engine, an application that supports a variety of wallpaper formats, including videos, interactive scenes, web pages, and executable applications. Because the software allows application-based wallpapers to run directly on Windows systems, attackers were able to disguise malicious programs as seemingly harmless desktop backgrounds.
Kaspersky identified dozens of compromised wallpaper packages uploaded to Steam Workshop, with several receiving thousands and, in some cases, tens of thousands of downloads before being detected. Researchers found two primary techniques used to deliver malicious payloads. In some wallpaper packages, attackers bundled executable files, malicious DLLs, and scripts directly with the wallpaper content. In other cases, malware was hidden inside password-protected archives, with the passwords concealed within archive names or configuration files. Once installed, the malicious code executed automatically in the background.
One notable example discovered in December 2025 initially appeared to function as intended by launching an embedded desktop game, giving users no indication that their systems had been compromised. Behind the scenes, however, the wallpaper deployed the DarkKomet backdoor while installing a modified software library designed specifically to target Steam users. The malware harvested account credentials and hijacked active Steam sessions, allowing attackers to gain unauthorized access to user accounts.
Researchers believe the campaign was not orchestrated by a single cybercriminal group. Instead, the attacks appear to have involved multiple independent threat actors using different malware families. Among the malicious software identified were the Lumma and Vidar information stealers, as well as the RenEngine loader, each commonly used to collect sensitive user data or facilitate additional malware infections.
Kaspersky discovered a malware campaign targeting Steam users at a time when attackers are increasingly exploiting trusted online platforms to distribute malicious content. By embedding malware within legitimate-looking downloads hosted inside recognised ecosystems, cybercriminals are able to bypass user suspicion and significantly expand the reach of their campaigns.
“Trusted platforms can be abused to distribute malware. The attacks rely on users trusting content hosted within legitimate ecosystems,” said Maxim Starodubov, a cybersecurity expert at Kaspersky. He noted that while many of the malware families involved are already well known within the cybersecurity community, the delivery method enables attackers to reach a much wider audience through seemingly harmless content.
Kaspersky confirmed that its security solutions detect and block all malware associated with the campaign. The company advises users to exercise caution when downloading applications or community-created content, even from trusted platforms such as Steam. It also recommends verifying the reputation of content creators before installation and using reliable cybersecurity software capable of identifying and blocking emerging threats.
The findings serve as another reminder that even reputable digital platforms can become targets for cybercriminal abuse. As gaming communities continue to rely heavily on user-generated content through services such as Steam Workshop and Wallpaper Engine, cybersecurity experts stress that users should remain vigilant and adopt safe downloading practices to reduce the risk of malware infections and account theft.