Malicious Wallpapers Found on Wallpaper Engine Steam Workshop

Kaspersky cybersecurity researchers have recently discovered a malware campaign exploiting the Steam Workshop for Wallpaper Engine, a popular and highly trusted game in Steam’s community ecosystem. It is important to note that neither Wallpaper Engine itself nor the Steam marketplace as a whole has been compromised. Rather, malicious software has been uploaded to the game’s Workshop for users to voluntarily download. The current risk to users interacting with Wallpaper Engine comes from a supply-chain attack targeting Steam’s weaker user-generated content system.

Wallpaper Engine was a good entry point for malicious actors to exploit for a few reasons. Wallpaper Engine is one of Steam’s most popular applications, with the marketplace’s data showing it has an enormous player-base of potentially millions of owners and thousands of users who interact with it daily. It also has an equally large user-based content economy, with hundreds of thousands of wallpapers being provided by users through Steam Workshop. These two elements, combined with the natural trust users place in Steam Workshop’s safety, have made it an attractive place for malware distributors to operate. Wallpaper Engine’s Workshop has given them access to countless potential victims who would readily download their malware because of the high-trust context.

Before panic sets in, there are some technicalities with this situation that should be addressed. Wallpaper Engine supports a lot of different types of wallpaper, the main four types being video wallpapers, scene wallpapers, web wallpapers, and application wallpapers. The supermajority of these wallpapers are harmless, being unable to “carry” malware of any kind. Malicious actors on the Workshop are creating application-type wallpapers because they can run legitimate code, things like EXEs, DLLs, and other scripts. While researchers emphasized that only advanced interactive wallpapers had the capability to run code, they also acknowledged that this created an opportunity for malicious applications to be uploaded and for abuse to occur.

Kaspersky researchers have also observed multiple types of infection methods being used by these malicious actors. Malware being bundled directly with the wallpaper package is one such method, meaning launching the wallpaper also starts up the malware alongside it. Password-protected archives inside the wallpaper package have also been used, either to help avoid auto-scanning or to trick victims into extracting or opening malicious files. Compromised executables have also been used, where files are replaced and/or bundled and silently install malware. Most of the malware being used by attackers belongs to information-stealing families (like Lumma Stealer, Vidar Stealer, and RenEngine loader), but backdoor software, ransomware, and crypto miners have also been reported. Kaspersky stated that the malware campaign focuses on stealing Steam accounts and other credentials, installing persistent backdoors, and delivering malware.
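A defender can check already-downloaded Workshop items for the two traits described above: executable content and password-protected archives. The following is an added example, not code from Kaspersky, Valve, or Wallpaper Engine. It assumes each Workshop item sits in its own subfolder of a root directory you pass in, only understands ZIP archives (other archive formats are not checked), and uses a constructed list of script extensions.

```python
import sys
import zipfile
from pathlib import Path

# Assumption: illustrative list of script extensions, extend as needed.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}

def is_pe(path):
    """True if the file starts with the 'MZ' magic shared by EXE and DLL files."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def has_encrypted_entries(path):
    """True if any ZIP member has the encryption flag (bit 0) set."""
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def audit_item(item_dir):
    """Return sorted (reason, relative_path) findings for one wallpaper folder."""
    findings = []
    for path in Path(item_dir).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(item_dir).as_posix()
        try:
            # Check content first so a renamed EXE or DLL is still caught.
            if is_pe(path):
                findings.append(("executable", rel))
            elif path.suffix.lower() in SCRIPT_EXTS:
                findings.append(("script", rel))
            elif zipfile.is_zipfile(path) and has_encrypted_entries(path):
                findings.append(("encrypted-archive", rel))
        except (OSError, zipfile.BadZipFile):
            findings.append(("unreadable", rel))
    return sorted(findings)

def audit_root(root):
    """Map each item folder under root to its findings, skipping clean items."""
    report = {}
    for item in sorted(Path(root).iterdir()):
        if item.is_dir():
            findings = audit_item(item)
            if findings:
                report[item.name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_root(sys.argv[1]).items():
        for reason, rel in findings:
            print(f"{name}\t{reason}\t{rel}")
```

A finding is a prompt for review, not a verdict: application-type wallpapers legitimately ship executables, so the output narrows which items deserve a closer look or an antivirus scan.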

Reportedly, this malware campaign has been going on since late 2025, and has been slowly continuing over time rather than appearing all at once. Geographic data shows that most infections have been occurring in China and Russia, with the closest victims living in Canada. The researchers do note that the techniques these victims fell to are not geographically limited, and could be used against anyone with Wallpaper Engine and a favorable opinion of Workshop content. After the Kaspersky report was published, Valve took quick action and removed identified malefactors and their wallpapers from Steam Workshop. However, researchers have cautioned that new malicious uploads will continue to appear, and that caution should be exercised by users going forward.

Wallpaper Engine itself remains safe and quick action against this campaign was taken, but a broader security lesson should be learned. Platform trust and user assumptions were exploited here, not software vulnerabilities. Going forward, users will need to exercise more caution.
