Overview
- Kaspersky published its findings in mid‑June after analyzing dozens of malicious application‑type wallpapers that had been uploaded to Steam Workshop and downloaded thousands or tens of thousands of times.
- The threat works because Wallpaper Engine supports 'application' wallpapers that run as Windows executables, allowing attacker‑supplied code to launch when a user applies a wallpaper.
- Analysts found multiple malware families distributed this way, including the DarkKomet backdoor, modified AggregatorHost.dll modules used to steal Steam sessions, Lumma and Vidar infostealers, cryptominers, botnet loaders, and ransomware.
- After Kaspersky reported the samples to Valve, Steam removed the specific flagged Workshop items, but researchers warn that new malicious uploads will likely appear because the Workshop is user‑driven and hard to police.
- Users should scan Workshop downloads with up‑to‑date antivirus, avoid untrusted creators, check community feedback before installing application wallpapers, and change credentials if they suspect compromise.
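
As a triage aid for the advice above, the following added example (not code from Kaspersky, Valve or Wallpaper Engine) walks a Workshop content folder, flags items declared as application wallpapers or shipping executable files, and hashes those files for lookup. It assumes each item folder carries a `project.json` manifest with a `type` field; the sample tree, item IDs and extension list are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions treated as executable content (a constructed, non-exhaustive list).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1"}

def audit_workshop(root):
    """Report Workshop items declared as application wallpapers or shipping binaries."""
    findings = []
    for item in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        declared = "unknown"
        manifest = item / "project.json"  # assumed manifest name and "type" key
        if manifest.is_file():
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8-sig", errors="replace"))
                declared = str(meta.get("type", "unknown")).lower()
            except (json.JSONDecodeError, AttributeError):
                declared = "unparseable"
        # Hash every executable-looking file so it can be checked against AV or threat intel.
        binaries = {
            f.relative_to(item).as_posix(): hashlib.sha256(f.read_bytes()).hexdigest()
            for f in sorted(item.rglob("*"))
            if f.is_file() and f.suffix.lower() in EXECUTABLE_SUFFIXES
        }
        # Flag declared application wallpapers and any other type that still ships binaries.
        if declared == "application" or binaries:
            findings.append({"item": item.name, "type": declared, "binaries": binaries})
    return findings

def build_sample_tree(root):
    """Create a constructed three-item Workshop folder for demonstration."""
    layout = {
        "1001": ("scene", {"scene.json": b"{}"}),
        "1002": ("application", {"wallpaper.exe": b"MZ constructed"}),
        "1003": ("video", {"clip.mp4": b"\x00", "bin/helper.dll": b"MZ constructed"}),
    }
    for name, (kind, files) in layout.items():
        for rel, data in {"project.json": json.dumps({"type": kind}).encode(), **files}.items():
            path = Path(root, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_workshop(tmp):
            print(finding["item"], finding["type"], finding["binaries"])
```

An item whose declared type is not `application` but which still contains binaries (item `1003` in the sample) deserves the same scrutiny as a declared application wallpaper.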