Attackers have spent the past several months smuggling malware into Steam through animated desktop wallpapers, hijacking the accounts of victims who install them and then using those stolen accounts to upload more infected files. That’s according to Kaspersky researchers Maxim Starodubov and Denis Brylev, who recently authored a report published on Securelist. Per the report, the malware campaign has been running since late last year and focuses on gamers in China, pushing everything from credential stealers to crypto miners and ransomware. Kaspersky found dozens of malicious packages, some downloaded tens of thousands of times before removal.

The culprit is Wallpaper Engine, a $4.99 live wallpaper tool that ranks among Steam's most-used non-game titles, with 93,000 to 114,000 concurrent users and nearly a million reviews. The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.

Kaspersky observed two delivery methods. In some packages, the malicious EXE files, DLLs, or scripts sat directly alongside the legitimate wallpaper files. In others, the payload was tucked inside a password-protected archive, with the password either embedded in the archive name or in a JSON config file, allowing a script to open it automatically. Applying the wallpaper triggered the payload.

In a sample examined last December, the researchers managed to boot a functional desktop game while discreetly dropping a DarkKomet backdoor named Synaptics.exe and a tampered system library, AggregatorHost.dll. That library locates the running Steam app, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server. Control of an active session lets the attackers post fresh malicious wallpapers under the victim's name, which is why the campaign keeps regenerating after takedowns.

Kaspersky placed 89% of malicious download attempts in China, followed by Russia at 5.5% and smaller shares in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. That concentration aligns with the wider Wallpaper Engine user base, which skews heavily toward China. Payloads spanned the DarkKomet backdoor, the Lumma and Vidar infostealers, the RenEngine loader, miners, and ransomware, a spread the researchers attributed to multiple independent groups piling onto the same technique rather than a lone threat actor or group.

This follows a run of malware reaching players through Valve's storefront over the past few years. A compromised Slay the Spire mod was distributed through the Workshop on Christmas Day 2023, the Chemia Early Access game shipped with three malware strains in July last year, and the BlockBlasters title drained roughly $150,000 from players in the following September. As of March, the FBI was seeking victims of infected Steam games dating back to 2024.
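For defenders, the two delivery methods Kaspersky observed can be triaged on disk with a short script. The following is an added example, not code from the Securelist report or from Wallpaper Engine: it flags code files that sit beside a wallpaper's declared content and ZIP archives whose entries are marked encrypted. It assumes each package folder has a `project.json` manifest with `type` and `file` keys; the extension lists and finding tags are this example's own choices.

```python
import json
import sys
import zipfile
from pathlib import Path

# Extension lists are an assumption of this example, not taken from the report.
CODE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}

def zip_is_encrypted(path):
    """True if any entry has the ZIP 'encrypted' flag (general purpose bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False

def triage_package(pkg_dir):
    """Return a list of (tag, relative_path) findings for one wallpaper package."""
    pkg = Path(pkg_dir)
    wtype, entry = "", ""
    try:
        # Assumed manifest layout: project.json with "type" and "file" keys.
        meta = json.loads((pkg / "project.json").read_text(encoding="utf-8"))
        if isinstance(meta, dict):
            wtype = str(meta.get("type", "")).lower()
            entry = str(meta.get("file", "")).replace("\\", "/").lower()
    except (OSError, ValueError):
        pass  # missing or unreadable manifest: every code file counts as unexpected
    findings = []
    for f in sorted(pkg.rglob("*")):
        if not f.is_file():
            continue
        rel, ext = f.relative_to(pkg).as_posix(), f.suffix.lower()
        if ext in CODE_EXT:
            # Only the entry point of an application wallpaper is expected code.
            declared = wtype == "application" and rel.lower() == entry
            findings.append(("declared-executable" if declared else "extra-code", rel))
        elif ext in ARCHIVE_EXT:
            locked = ext == ".zip" and zip_is_encrypted(f)
            findings.append(("encrypted-archive" if locked else "archive", rel))
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    # Argument: a folder whose subfolders are individual wallpaper packages.
    for pkg in sorted(p for p in Path(sys.argv[1]).iterdir() if p.is_dir()):
        for tag, rel in triage_package(pkg):
            print(f"{pkg.name}\t{tag}\t{rel}")
```

A `declared-executable` finding still means third-party code runs when the wallpaper is applied, so it is a prompt for review, not a clean result.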










