Malicious Steam wallpapers hijack gamers' accounts and drop backdoors

Since late 2025, criminals have been smuggling malware into custom desktop wallpapers shared on Steam Workshop, the storefront's hub for player-made content, and using them to hijack Steam accounts and quietly plant backdoors, infostealers, crypto miners, and even ransomware on victims' PCs. Researchers Maxim Starodubov and Denis Brylev at Kaspersky's Securelist found dozens of these booby-trapped wallpapers, each already downloaded thousands or even tens of thousands of times.

The campaign abuses Wallpaper Engine, a popular live-wallpaper app with around 100,000 daily users that lets people build and share animated desktops through Steam Workshop. Most of the targets are gamers in China, which accounted for 89 percent of the blocked download attempts, with Russia a distant second at 5.5 percent and smaller numbers in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. It is the latest twist on long-running efforts to steal gamers' Steam accounts.

How the attack works

The weak point is a Wallpaper Engine feature called "application wallpapers," which are essentially standalone programs that run on your desktop, anything from mini-games to system monitors. Because they are real programs, a wallpaper can run arbitrary code. Attackers bundle the wallpaper with malicious EXE files, DLLs, or scripts, sometimes inside a password-protected archive where the password is hidden in plain sight, in the file name or a JSON config, so a script can open it automatically. The moment the victim applies the wallpaper, the payload fires.

In one sample from December 2025, a working mini-game booted up normally while, behind the scenes, the wallpaper dropped a DarkKomet backdoor (Synaptics.exe) and installed a tampered Windows library (AggregatorHost.dll). That library hunts down the Steam app, steals stored credentials, hijacks the user's live Steam session, and sends the loot to a server at hxxp://120[.]48[.]156[.]17/ey[.]php. With a live session in hand, the attackers can then use the victim's own account to upload yet more malicious wallpapers.

Because the payloads vary so widely, from the DarkKomet backdoor to the Lumma and Vidar infostealers, the RenEngine loader, crypto miners, and botnet loaders, Securelist assesses that this is not the work of a single group but of several independent crews piling onto the same trick.

What you should do

Steam removed the wallpapers Securelist flagged, but new infected ones keep appearing, so do not count on the platform to catch everything. Scan any application wallpaper with up-to-date antivirus before you apply it, and be especially wary of wallpapers that arrive inside password-protected archives. You can read the original Securelist report for the full analysis.
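A pre-install triage script for a downloaded workshop item, added here as an example and not part of the IntelFusions or Securelist material: it flags the traits described above, bundled executables, password-protected ZIP archives, and a password hint left in an archive's file name or in a JSON config. The finding tags, the Chinese "unzip password" keyword, and the sample item built in run_demo() are assumptions and constructed test data, not real workshop content.

```python
import json
import re
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}  # can run code
PASSWORD_RE = re.compile(r"pass(word)?|pwd|解压密码", re.IGNORECASE)  # password hints (assumed list)

def zip_is_encrypted(path: Path) -> bool:
    """True if any entry sets bit 0 of its general-purpose flag (entry is encrypted)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # corrupt or not really a ZIP; treat as "not encrypted"

def json_mentions_password(path: Path) -> bool:
    """True if a JSON config carries a key or value that looks like a password hint."""
    try:
        data = json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except (ValueError, OSError):
        return False
    return bool(PASSWORD_RE.search(json.dumps(data, ensure_ascii=False)))

def triage_workshop_item(item_dir: Path) -> list[str]:
    """Return 'TAG:relative/path' findings for every file under one workshop item."""
    findings = []
    for path in sorted(p for p in item_dir.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(item_dir).as_posix(), path.suffix.lower()
        if ext in EXECUTABLE_EXT:
            findings.append(f"EXECUTABLE:{rel}")
        if ext == ".zip" and zip_is_encrypted(path):
            findings.append(f"ENCRYPTED_ZIP:{rel}")
        if ext == ".zip" and PASSWORD_RE.search(path.name):
            findings.append(f"PASSWORD_IN_NAME:{rel}")
        if ext == ".json" and json_mentions_password(path):
            findings.append(f"PASSWORD_IN_JSON:{rel}")
    return findings

def run_demo() -> list[str]:
    """Constructed sample (not a real item): EXE stub, ZIP named with its password, config repeating it."""
    with tempfile.TemporaryDirectory() as tmp:
        item = Path(tmp) / "123456789"  # placeholder workshop item id, not a real one
        item.mkdir()
        (item / "minigame.exe").write_bytes(b"MZ" + b"\0" * 62)  # PE header stub only
        with zipfile.ZipFile(item / "Themes2_pass_1234.zip", "w") as zf:
            zf.writestr("readme.txt", "placeholder")  # plain ZIP, so ENCRYPTED_ZIP must not fire
        (item / "config.json").write_text(json.dumps({"password": "1234"}))
        return triage_workshop_item(item)
```

Point triage_workshop_item() at the unpacked workshop folder before applying the wallpaper; run_demo() shows the expected findings on the constructed sample.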

Indicators of compromise

Command and control: hxxp://120[.]48[.]156[.]17/ey[.]php, hxxp://202[.]144[.]192[.]29/audit[.]php, and hxxp://brightly[.]to/download2/Themes2[.]zip. Sample DarkKomet dropper (MD5): 95856f2ce428c728d9781d3296558068. Server IPs: 120[.]48[.]156[.]17 and 202[.]144[.]192[.]29.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
