


























Threat actors have been abusing Valve’s Steam Workshop since late 2025, embedding malware inside Wallpaper Engine application wallpapers to hijack active Steam sessions and infect victims with backdoors, infostealers, and crypto miners, with 89% of targets located in China, according to a new Kaspersky report.
Wallpaper Engine is a hugely popular Steam application that lets users set animated, interactive wallpapers on their Windows desktops. With nearly one million reviews and approximately 100,000 daily active users, it presents an enormous attack surface.
The app supports several wallpaper types, videos, scenes, web pages, and application wallpapers, and that last category is what attackers zeroed in on. Application wallpapers are essentially standalone executables that run as the user’s desktop background, meaning launching one is no different from running an arbitrary program on your system.
Since anyone can publish content to Steam Workshop for free, attackers simply uploaded weaponized wallpapers disguised as games, widgets, and desktop tools. Kaspersky researchers discovered dozens of such malicious wallpapers, each already downloaded thousands — or even tens of thousands of times before detection.
Attackers used two primary distribution methods. In the first, the wallpaper archive bundled malicious executables, DLLs, or scripts alongside the visible application.
In the second, malware was concealed inside a password-protected archive; either the victim was tricked into entering the password manually, or a script extracted it automatically from the archive’s filename or a bundled JSON configuration file.
Once a victim launches the infected wallpaper, the attack executes silently and immediately. The wallpaper drops Synaptics.exe, a backdoor belonging to the DarkKomet remote access trojan family, into C:\ProgramData\Synaptics\.

Simultaneously, a secondary executable named ._cache_GAME1.exe launches to load the visible game (NTRaholic) — maintaining the illusion of a legitimate wallpaper while installing a patched version of AggregatorHost.dll loaded with a malicious payload.
This tampered system library then hunts for the Steam client on the host machine and hijacks the user’s active session. Stolen session data is subsequently exfiltrated to an attacker-controlled command-and-control server at hxxp://120.48.156[.]17/ey.php.
With a live session captured, the attackers gain full account access and can upload additional malicious wallpapers directly to Steam Workshop, perpetuating the infection cycle.
Beyond DarkKomet, Kaspersky’s investigation identified a wide range of payloads including Lumma and Vidar infostealers, the RenEngine loader, ransomware droppers, and botnet loaders.
The diversity of tools suggests multiple independent threat groups are leveraging the same technique rather than a single coordinated actor. Key Kaspersky detection verdicts include:
HEUR:Trojan-PSW.Win32.genHEUR:Backdoor.Win32.DarkKometTrojan-Dropper.Python.AgentHEUR:Trojan-Ransom.Win32.Gen.genPDM:Trojan.Win32.GenericChina accounts for 89% of malicious download attempts, with wallpaper art styles and titles explicitly tailored to Chinese-speaking users. Russia follows at 5.5%, with Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%) rounding out the victim pool. Researchers warn the campaign’s template could easily be redirected at any global audience.
Valve has removed all identified malicious wallpapers following Kaspersky’s disclosure, but researchers stress that new uploads continue to appear. Users should:
Synaptics.exe or unsigned DLLs loading from ProgramDataSince Steam Workshop lacks per-upload code review, the platform’s trust model remains exploitable — and the burden of verification falls squarely on the end user.
CISO & Security Leaders: Your next breach may not have a face. Join ISC2’s LIVE webinar, “Ghost in the Machine”
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。