Malware Lurks in Steam Workshop Wallpapers, Threatening Gamers and Systems
Threat actors are exploiting the **Steam Workshop**, **Valve**'s community content hub, to distribute various malware strains hidden within seemingly innocuous wallpaper packages. These malicious downloads, often targeting the **Wallpaper Engine** application, can lead to **Steam** account hijacking, system backdoors, and cryptocurrency mining operations, posing a significant risk to gamers and their systems.
Threat actors are abusing **Steam Workshop**, **Valve**'s community hub for downloading game-related content, to push various malware hidden in wallpaper packages.
Infected wallpapers can lead to hijacking **Steam** accounts, compromising the system with a backdoor, or running cryptomining processes.
**Steam Workshop** is a built-in content-sharing platform on **Valve**'s **Steam** gaming service where users can upload and download community-created content for games and applications. The content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers.
### Malware in the Wallpaper
In a recent report, researchers at cybersecurity company **Kaspersky** revealed that these attacks leverage the **Wallpaper Engine** desktop customization application available on **Steam**, which boasts nearly a million reviews.
**Wallpaper Engine** supports four wallpaper types: videos, interactive scenes, web pages (which can play audio and video), and applications. The last type, application wallpapers, are executable Windows applications that can function as games, desktop widgets, or system monitoring tools. **Kaspersky** warns that this feature inherently presents a security risk and has been exploited to deliver malware to **Steam** users.
According to the researchers, attackers have been taking advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the **Steam Workshop** and tricking users into installing them through **Wallpaper Engine**.
"We discovered dozens of these malicious application wallpapers floating around **Steam Workshop**, and each one had already been downloaded thousands – or even tens of thousands – of times," **Kaspersky** noted.

*Malicious wallpaper application (Source: Kaspersky)*
Analysis of compromised wallpapers revealed that the malware is bundled either directly in the package or inside password-protected archives that the user is tricked into opening. The payloads execute automatically the moment the user installs the wallpaper, the researchers say.

*Observed attack flow (Source: Kaspersky)*
**Kaspersky** tested one of these wallpapers, masquerading as a game called **NTRaholic**, which launched as expected upon execution to reduce suspicion. However, a backdoor file, part of the **DarkKomet** malware family, was installed in the background. A custom version of a system library called `AggregatorHost.dll` was also installed to search for **Steam** accounts on the computer and steal credentials.

*Stealing Steam data (Source: Kaspersky)*
The researchers found multiple cases involving other malware families, such as the **Lumma** and **Vidar** infostealers, cryptocurrency miners, botnet loaders, **RanEngine**, and even ransomware strains. This indicates that **Wallpaper Engine** is being abused by a diverse range of threat actors.
While **Steam** has identified and removed all the malicious wallpaper applications that **Kaspersky** identified, the researchers warn that threat actors are likely to submit new ones. In addition to downloading content only from trusted sources, **Kaspersky** recommends that users scan anything fetched from **Steam Workshop** with an up-to-date antivirus product.
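To decide which downloaded items to scan first, a defender can inventory the local Workshop content folder for wallpapers that declare themselves applications or that carry executables or archives regardless of file extension. The sketch below is an added example, not code from Kaspersky or Valve; it assumes one subfolder per Workshop item with a `project.json` manifest whose `type` field names the wallpaper type, and the function names and sample folders are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Leading bytes of Windows executables (MZ) and common archive formats.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}

def classify(path):
    """Return the kind of a file judged by content, not extension, or None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return next((k for m, k in MAGIC.items() if head.startswith(m)), None)

def audit_workshop(content_dir):
    """Map each wallpaper folder name to the reasons it needs a closer look."""
    findings = {}
    for item in sorted(p for p in Path(content_dir).iterdir() if p.is_dir()):
        reasons = []
        try:  # assumed manifest layout: project.json with a "type" field
            meta = json.loads((item / "project.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            meta = {}
        if isinstance(meta, dict) and str(meta.get("type", "")).lower() == "application":
            reasons.append("declared type: application")
        for f in sorted(p for p in item.rglob("*") if p.is_file()):
            if kind := classify(f):
                reasons.append(f"{kind}: {f.relative_to(item).as_posix()}")
        if reasons:
            findings[item.name] = reasons
    return findings

def build_sample(root):
    """Create three constructed wallpaper folders (not real Workshop items)."""
    samples = {
        "1001": ("video", {"clip.mp4": b"\x00\x00\x00\x18ftypmp42"}),
        "1002": ("application", {"game.exe": b"MZ\x90\x00stub"}),
        "1003": ("scene", {"assets/data.bin": b"MZ\x90\x00", "bonus.dat": b"PK\x03\x04"}),
    }
    for name, (wtype, files) in samples.items():
        for rel, data in files.items():
            target = Path(root, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        Path(root, name, "project.json").write_text(json.dumps({"type": wtype}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_workshop(build_sample(tmp)))
```

A flagged folder is a triage candidate for the antivirus scan, not a verdict: application wallpapers are a legitimate feature, while an executable or archive inside an item declared as a scene or video is the mismatch worth examining first.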