
Wallpapers on Steam Workshop have been dropping malware since late 2025

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 3 comments

Dozens of malicious Wallpaper Engine packages on Steam Workshop, each downloaded thousands of times, deliver infostealers, backdoors and cryptocurrency miners.

Tags: steam · wallpaper engine · kaspersky · malware · infostealers · supply chain attack

Dozens of Wallpaper Engine packages on Steam Workshop have been dropping malware since late 2025, with each malicious wallpaper downloaded thousands or even tens of thousands of times before Valve stepped in.

That finding comes from Kaspersky, which published its analysis this week. The attackers didn't need zero-days or sophisticated exploits. They used a feature that is documented and intended: Wallpaper Engine supports "application" wallpapers, which are full Windows executables that run as your desktop background. Install one of these wallpapers, and the code runs immediately.

Application Wallpapers Are Executables, Not Just Images

Wallpaper Engine, a Steam app with nearly a million reviews, supports four wallpaper types. The dangerous one is "application": it wraps any Windows executable, from games to system monitors. Kaspersky found malicious versions of these application wallpapers that either bundle the payload directly or hide it inside password-protected archives. The user is tricked into opening the archive by a promise of content, and the payload then fires on installation.
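Because the risk is concentrated in one wallpaper type, a defender's first step is simply to know which installed Workshop items declare themselves as "application" wallpapers and what file they launch. The script below is an added example written for this page, not code from Kaspersky, BleepingComputer or the Wallpaper Engine project. It assumes that each Workshop item directory carries a `project.json` whose `type` field is `"application"` for this wallpaper type and whose `file` field names the launched executable (both assumed key names), walks a content tree, hashes the referenced file so it can be checked against an up-to-date antivirus or threat-intel feed, and flags any archive shipped alongside it, since password-protected archives were the delivery pattern described above. The sample content tree it builds is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Archive types worth flagging next to an application wallpaper
# (password-protected archives were the delivery vehicle in the campaign).
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z"}


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_application_wallpapers(workshop_root: Path) -> list[dict]:
    """Report every Workshop item whose project.json declares type 'application'.

    Assumed project.json keys: 'type' (wallpaper type), 'file' (launched
    file), 'title'. Items of any other type are skipped; unreadable or
    malformed project.json files are skipped rather than aborting the scan.
    """
    findings = []
    for project_file in sorted(workshop_root.rglob("project.json")):
        try:
            meta = json.loads(project_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if str(meta.get("type", "")).lower() != "application":
            continue
        item_dir = project_file.parent
        entry = meta.get("file")
        entry_path = item_dir / entry if entry else None
        entry_ok = bool(entry_path and entry_path.is_file())
        archives = sorted(
            p.name for p in item_dir.iterdir() if p.suffix.lower() in ARCHIVE_SUFFIXES
        )
        findings.append({
            "item": item_dir.name,
            "title": meta.get("title", ""),
            "entry": entry,
            "entry_exists": entry_ok,
            "entry_sha256": sha256_of(entry_path) if entry_ok else None,
            "archives": archives,
        })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample content tree (not real Workshop data) for a dry run."""
    root = Path(tempfile.mkdtemp()) / "content" / "431960"  # app ID assumed
    items = {
        "100": ({"title": "Calm scene", "type": "scene", "file": "scene.json"}, {}),
        "200": ({"title": "Mini game", "type": "application", "file": "game.exe"},
                {"game.exe": b"MZ-constructed-sample", "bundle.rar": b"Rar!-constructed"}),
        "300": ({"title": "Broken item", "type": "Application", "file": "missing.exe"}, {}),
    }
    for item_id, (meta, files) in items.items():
        item_dir = root / item_id
        item_dir.mkdir(parents=True)
        (item_dir / "project.json").write_text(json.dumps(meta), encoding="utf-8")
        for name, data in files.items():
            (item_dir / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for finding in inventory_application_wallpapers(build_sample_tree()):
        print(finding)
```

Point `inventory_application_wallpapers` at the real Workshop content directory of the Steam library (the `431960` app ID in the sample path is assumed to be Wallpaper Engine's) and treat every row as an executable that will run at login: compare the hash against AV verdicts, and look closely at any item that ships an archive or whose declared entry file is missing, since both are signs the package does not match what it claims to be.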

One sample posed as a game called NTRaholic. It launched a legitimate-looking game to keep the user distracted while a DarkKomet backdoor installed itself in the background. A custom DLL named 'AggregatorHost.dll' was also dropped, tasked with hunting for Steam account credentials on the box.

Multiple Malware Families, One Attack Surface

Kaspersky found the Lumma and Vidar infostealers alongside DarkKomet, plus cryptocurrency miners, botnet loaders, RanEngine ransomware, and even generic ransomware strains. This wasn't a single attacker. Multiple threat actors abused the same vector, uploading different payloads through Steam Workshop.

Each malicious wallpaper racked up thousands of downloads before Valve removed them. But Kaspersky warns attackers will simply upload new ones. Scanning with an up-to-date antivirus is the recommended defense, but the root cause remains: Wallpaper Engine's application wallpaper type is a built-in execution mechanism that Steam Workshop trusts by default.

Valve removed the specific packages Kaspersky flagged. The question now is whether Valve will tighten the moderation pipeline for application wallpapers before the next wave hits.


Source: Steam Workshop abused to spread malware via Wallpaper Engine app
Domain: bleepingcomputer.com
