330/69 Thursday, June 18, 2026
Security researchers have uncovered a malware campaign leveraging Steam Workshop as a distribution channel for malicious files through wallpapers created for Wallpaper Engine. The attackers abuse the platform’s application wallpapers feature, a wallpaper type that allows Windows applications to run as wallpapers. As a result, seemingly harmless wallpaper files can be used to execute malicious code on a user’s system.
According to the report, malware is either embedded directly within the wallpaper package or concealed inside password-protected archive files that trick users into extracting and executing their contents. Once installed, the malicious payload executes automatically and may lead to Steam account theft, backdoor installation, cryptocurrency mining, or the deployment of additional malware. Researchers identified several malware families associated with the campaign, including DarkKomet, Lumma, Vidar, cryptocurrency miners, botnet loaders, RanEngine, and various ransomware strains.
Although Steam has removed the identified malicious wallpapers from the platform, attackers may continue uploading new malicious content. Users are advised to download wallpapers and Workshop content only from trusted creators, avoid installing application wallpapers from unknown sources, and scan files downloaded from Steam Workshop using up-to-date anti-malware software before use. These precautions can help reduce the risk of malware infection and account compromise.