Overview
- Kaspersky published a report on June 16, 2026, saying researchers found dozens of malicious Wallpaper Engine 'application' wallpapers on Steam Workshop that had been downloaded thousands to tens of thousands of times.
- The attack uses Wallpaper Engine’s application wallpapers, which are Windows executables that run as desktop backgrounds, to drop payloads that run automatically when a user applies the wallpaper.
- Analyzed samples installed a range of malware, including a DarkKomet backdoor that used a modified AggregatorHost.dll to search for and exfiltrate Steam credentials, plus infostealers, loaders, ransomware and crypto miners.
- Valve removed the specific wallpapers Kaspersky identified after being notified, but researchers warn the vector remains active because anyone can publish application wallpapers and new malicious uploads are likely to recur.
- Kaspersky published MD5 hashes, C2 URLs and other IOCs and recommends scanning Workshop downloads with up-to-date antivirus, only using trusted creators, restricting execution of untrusted binaries, and watching Steam account activity for signs of hijack.