
Wallpaper Engine Malware Uses 'Application' Wallpapers to Steal Steam Accounts

securelist.com · @threat_watch · 3 hours ago · Cybersecurity · 2 comments

Kaspersky found dozens of malicious application wallpapers on Steam Workshop; 89% of detected download attempts came from China, and the payloads (the DarkKomet backdoor and infostealers) are used to hijack Steam accounts.

Tags: steam workshop, wallpaper engine, kaspersky, darkkomet, lumma stealer, vidar stealer

Kaspersky researchers discovered dozens of malicious application wallpapers on Steam Workshop that had already been downloaded tens of thousands of times. They abuse Wallpaper Engine's "application wallpaper" feature to drop malware, including the DarkKomet backdoor and the Lumma infostealer.

Application Wallpapers: A Built-In Security Risk

Wallpaper Engine claims about 100,000 daily active users and nearly a million reviews. It supports four wallpaper types: video, scene, web page, and application. The last type is a full executable, anything from a desktop game to a system monitor, and developers can publish any Windows binary through Steam Workshop with no code review. Attackers have been weaponizing this since late 2025, embedding malicious EXEs, DLLs, or password-protected archives inside wallpaper packages. In some samples the malware runs the moment the wallpaper is applied; in others the archive password is hidden in the archive name or in a companion JSON file, and the victim extracts the payload by hand. Either way, the user runs untrusted code just by picking a pretty background.

How the Infection Works

Kaspersky dissected one sample that posed as a harmless game wallpaper. On launch it starts a real game (NTRaholic) while silently dropping Synaptics.exe, a DarkKomet backdoor. That executable also installs a modified system library, AggregatorHost.dll, which hijacks the active Steam session and exfiltrates credentials to hxxp://120.48.156[.]17/ey.php (indicator defanged). Once the attacker holds the session, they can publish further malicious wallpapers from the victim's account, spreading the infection. The payloads observed are diverse: DarkKomet, Lumma, Vidar, the RenEngine downloader, and even ransomware. Kaspersky attributes the activity to multiple independent threat actors rather than a single group, all abusing the same delivery path.

Who's Targeted and What's Next

89% of detected malicious download attempts originated in China, with Russia second at 5.5%, and the wallpapers use Chinese-language art and titles. Nothing ties the technique to one region, though: it works wherever Wallpaper Engine runs. Steam has removed the reported wallpapers, but new ones keep appearing, so don't assume Valve will catch everything. Scan any application-type wallpaper with a reputable antivirus before applying it; Kaspersky's detections for these samples include HEUR:Trojan-PSW.Win32.gen and HEUR:Backdoor.Win32.DarkKomet. Treat any wallpaper that asks for a password or drops executable files as suspicious until proven otherwise.
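The checks the article recommends (what type the item declares, whether it ships executables or password-protected archives, whether a password is handed to the victim in a file name or companion JSON) can be done offline before an item is ever applied. The Python script below is an added example, not code from Kaspersky's report or from Wallpaper Engine. It assumes the Workshop layout steamapps/workshop/content/431960/<item_id>/ (431960 is Wallpaper Engine's Steam app ID) with a project.json whose "type" field is one of video/scene/web/application and whose "file" field names the entry file; the password-hint regex and the risk scoring are heuristics of this example, and the sample directory tree it inspects is constructed inline.

```python
"""Offline triage of Wallpaper Engine Workshop items before applying them.

Added example, not Kaspersky's or Wallpaper Engine's code. Assumed layout:
steamapps/workshop/content/431960/<item_id>/project.json with "type"
(video/scene/web/application) and "file" (entry file). Nothing is executed
or extracted; archives are only inspected for the 'encrypted' header flag.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
# Heuristic: a password handed to the victim via a file name or companion JSON/TXT.
PASSWORD_HINT = re.compile(r"(?<![a-z])(pass(word)?|pwd)(?![a-z])|密码", re.IGNORECASE)


def zip_is_encrypted(path):
    """True if any member sets the ZIP 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_item(item_dir):
    """Inspect one Workshop item directory and return a findings dict."""
    item_dir = Path(item_dir)
    f = {"item": item_dir.name, "type": None, "entry": None, "executables": [],
         "archives": [], "encrypted_archives": [], "password_hints": []}
    proj = item_dir / "project.json"
    if proj.is_file():
        try:
            meta = json.loads(proj.read_text(encoding="utf-8"))
        except ValueError:
            meta = {}
        f["type"], f["entry"] = meta.get("type"), meta.get("file")
    for p in sorted(item_dir.rglob("*")):
        if not p.is_file():
            continue
        rel, ext = str(p.relative_to(item_dir)), p.suffix.lower()
        if ext in EXEC_EXT:
            f["executables"].append(rel)
        elif ext in ARCHIVE_EXT:
            f["archives"].append(rel)
            if ext == ".zip" and zip_is_encrypted(p):
                f["encrypted_archives"].append(rel)  # .rar/.7z are only listed
            if PASSWORD_HINT.search(p.name):
                f["password_hints"].append(rel)
        elif ext in {".json", ".txt"}:
            if PASSWORD_HINT.search(p.read_text(encoding="utf-8", errors="replace")):
                f["password_hints"].append(rel)
    # An application-type item *is* an executable; dropped binaries, encrypted
    # archives or password hints in any type match the pattern the report describes.
    if f["type"] == "application" or f["executables"] or f["encrypted_archives"] or f["password_hints"]:
        f["risk"] = "high"
    elif f["archives"]:
        f["risk"] = "medium"
    else:
        f["risk"] = "low"
    return f


def triage_workshop(content_root):
    """Triage every item under .../workshop/content/431960/, sorted by item id."""
    return [triage_item(d) for d in sorted(Path(content_root).iterdir()) if d.is_dir()]


def _mark_zip_encrypted(path):
    """Set the 'encrypted' flag in each local (offset 6) and central (offset 8)
    header so a constructed zip looks password-protected; the data stays plain."""
    data = bytearray(Path(path).read_bytes())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + off] |= 0x1
            i = data.find(sig, i + 4)
    Path(path).write_bytes(data)


def build_sample_workshop(root):
    """Constructed sample: a benign scene item and an application item shipping an
    EXE, a 'password-protected' zip and a companion JSON carrying the password."""
    benign, evil = Path(root) / "100000001", Path(root) / "100000002"
    benign.mkdir(parents=True)
    (benign / "project.json").write_text(json.dumps(
        {"title": "Forest", "type": "scene", "file": "scene.pkg"}), encoding="utf-8")
    (benign / "scene.pkg").write_bytes(b"PKGV\x00\x01")  # dummy scene package
    evil.mkdir(parents=True)
    (evil / "project.json").write_text(json.dumps(
        {"title": "Game Wallpaper", "type": "application", "file": "launcher.exe"}), encoding="utf-8")
    (evil / "launcher.exe").write_bytes(b"MZ" + b"\x00" * 62)  # stub, not a real PE
    (evil / "readme.json").write_text(json.dumps({"unzip_password": "1234"}), encoding="utf-8")
    with zipfile.ZipFile(evil / "payload.zip", "w") as zf:
        zf.writestr("update.exe", b"MZ" + b"\x00" * 62)
    _mark_zip_encrypted(evil / "payload.zip")
    return Path(root)


def run_demo():
    """Build the constructed tree in a temp dir, triage it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_workshop(build_sample_workshop(tmp))


if __name__ == "__main__":
    for r in run_demo():
        print(r["item"], r["type"], r["risk"], r["executables"],
              r["encrypted_archives"], r["password_hints"])
```

Against a real install, call triage_workshop() on the Workshop content directory (typically C:\Program Files (x86)\Steam\steamapps\workshop\content\431960, assumed default) right after subscribing and before applying the item in Wallpaper Engine. A "high" result does not prove the item is malicious; it means the item matches the delivery pattern described above and should be scanned or discarded rather than applied. The script never runs or unpacks anything it finds.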


Source: Dozens of malicious wallpapers found on Steam Workshop: gamers' accounts at risk
Domain: securelist.com
