Malicious Wallpapers on Steam Workshop Deliver Backdoors, Crypto Miners to Gamers
Attackers are exploiting Wallpaper Engine's 'application wallpaper' feature on Steam Workshop to distribute malware, targeting gamers in China and Russia with backdoors, crypto miners, and account-stealing payloads.

Since late 2025, a sprawling malware campaign has been leveraging Steam Workshop, the popular content-sharing platform for Valve's gaming service, to infect gamers' computers. Researchers at Securelist have uncovered dozens of malicious wallpapers uploaded to the Workshop, each disguised as harmless animated backgrounds for Wallpaper Engine, a widely used live wallpaper application. The attackers are exploiting Wallpaper Engine's 'application wallpaper' type, which allows users to run standalone programs—such as mini-games or system widgets—directly on their desktop. By embedding malicious code into these packages, the attackers have turned a creative feature into a vector for account theft, cryptomining, and backdoor installation.
The campaign primarily targets gamers in China and Russia, with 89% of detected malicious download attempts originating in China and 5.5% in Russia. According to Securelist, each infected wallpaper has been downloaded between thousands and tens of thousands of times. The attackers use two main methods to hide their payloads: either including malicious executable files, DLLs, or scripts alongside the legitimate wallpaper files, or concealing the malware inside password-protected archives. In the latter case, the password is often embedded in the archive's filename or a JSON configuration file, allowing automated extraction when the wallpaper is applied.
One sample analyzed by Securelist, discovered in December 2025, masquerades as a functional game wallpaper. When launched, it appears to run a harmless game called NTRaholic, but behind the scenes it drops a backdoor named Synaptics.exe, part of the DarkKomet malware family. Simultaneously, a module called ._cache_GAME1.exe installs a modified system library, AggregatorHost.dll, which is designed to locate the Steam application on the victim's computer and hijack the active Steam session. The stolen session data is then exfiltrated to a command-and-control server at hxxp://120.48.156[.]17/ey.php.
Once attackers gain control of a victim's Steam session, they can use the compromised account to upload additional malicious wallpapers to the Workshop, perpetuating the infection cycle. Beyond account theft, the campaign distributes a wide range of malware, including infostealers, backdoors, crypto miners, and botnet loaders. The diversity of payloads suggests that multiple independent threat actors are exploiting the same technique, rather than a single coordinated group.
The attack exploits a fundamental design choice in Wallpaper Engine: the ability to run arbitrary Windows applications as desktop backgrounds. While the app has built-in safeguards—such as warning users when an application wallpaper is being applied—the sheer volume of user-generated content on Steam Workshop makes manual moderation impractical. Valve has not yet publicly commented on the campaign, but users are advised to avoid downloading application-type wallpapers from untrusted sources and to scrutinize any wallpaper that requests unusual permissions or includes password-protected archives.
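A triage check for the two hiding methods described above (executables, DLLs or scripts shipped beside the wallpaper files, and password-protected archives), written here as an added example and not taken from Securelist, Valve or Wallpaper Engine. It assumes each downloaded item is a folder containing a project.json manifest with a "type" field; the extension lists are constructed for the example, and only ZIP archives are inspected for encryption, with other archive formats flagged for manual review.

```python
import json
import sys
import zipfile
from pathlib import Path

# Constructed extension lists for this example; extend to suit your environment.
CODE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}


def zip_is_encrypted(path):
    """True if any ZIP entry has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False


def triage_item(item_dir):
    """Return findings for one downloaded Workshop item folder."""
    item_dir = Path(item_dir)
    findings = []
    # Assumption: the item manifest is project.json with a "type" field.
    manifest = item_dir / "project.json"
    if manifest.is_file():
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8-sig", errors="replace"))
            if str(meta.get("type", "")).lower() == "application":
                findings.append("application-type wallpaper")
        except (json.JSONDecodeError, AttributeError):
            findings.append("unparseable project.json")
    for f in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        ext = f.suffix.lower()
        if ext in CODE_EXT:
            findings.append(f"executable content: {f.name}")
        elif ext == ".zip" and zip_is_encrypted(f):
            findings.append(f"password-protected archive: {f.name}")
        elif ext in ARCHIVE_EXT and ext != ".zip":
            findings.append(f"archive needs manual review: {f.name}")
    return findings


if __name__ == "__main__":
    # Usage: python triage.py <folder whose subfolders are Workshop items>
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for item in (sorted(p for p in root.iterdir() if p.is_dir()) if root else []):
        for finding in triage_item(item):
            print(f"{item.name}: {finding}")
```

An item that produces no findings has only been cleared of these specific indicators; an application-type item with any finding warrants inspection before it is applied.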
This incident highlights a growing trend of attackers abusing legitimate content-sharing platforms to distribute malware. Similar campaigns have targeted users through malicious browser extensions, npm packages, and GitHub repositories. For gamers, the Steam Workshop represents a trusted ecosystem, making it an attractive target for adversaries seeking to compromise high-value accounts. As the gaming community continues to grow, platform operators and users alike must remain vigilant against increasingly sophisticated social engineering and supply-chain attacks.