Gamers beware — experts flag Steam Workshop is being abused to spread malware via Wallpaper Engine app
Even a wallpaper can carry a virus these days
- Kaspersky found Steam Workshop wallpapers weaponized to deliver malware via Wallpaper Engine
- Dozens of malicious “application wallpapers” downloaded tens of thousands of times, spreading backdoors, infostealers, miners, and ransomware
- Valve removed the infected uploads, but users warned attackers could easily re‑upload new ones
Steam Workshop, a community platform built into Steam that allows users to share custom content, was being used to infect gamers with malware, researchers have claimed.
For at least half a year, gamers who used the platform to download certain wallpapers were being served various malware, Kaspersky recently explained.
This campaign has been running since at least late 2025, Kaspersky said, with some sources noting the majority of the victims are in Russia and China.
Dozens of malicious wallpapers
Steam is a hugely popular digital distribution platform for PC games, developed by a company called Valve. Baked into it is Workshop, a community tool where gamers can share mods, maps, skins, wallpapers, and other add-ons for games and applications.
Among other things, Steam Workshop allows gamers to use Wallpaper Engine, a desktop customization application that supports more than just “static” image wallpapers. With it, gamers can have videos, interactive animations, and even entire applications, displayed as a wallpaper.
And that is where the problem lies: hackers have been using application wallpapers as delivery mechanisms for different malware, including backdoors and cryptojackers.
"We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times," Kaspersky said.
Looking deeper into the weaponized wallpapers, Kaspersky found that the malware is often either bundled in the package or delivered inside a password-protected archive. The payload itself gets executed automatically the moment the user installs the wallpaper, it was said. In one example, Kaspersky was served a backdoor, and in another, an infostealer. Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and even ransomware strains were all being distributed this way.
Kaspersky disclosed its findings only after Steam identified and removed all of the malicious wallpaper applications. However, users should still proceed with caution, because there’s nothing stopping the threat actors from simply uploading new ones.
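The two delivery methods described above (a payload bundled in the package, or one hidden in a password-protected archive) can be checked for in a downloaded wallpaper folder before it is used. The following is an added example, not code from Kaspersky or the original article; the function names, the extension shortlist and the folder argument are assumptions, and only ZIP archives are inspected. A hit means the item carries runnable code or an opaque archive and deserves a closer look, not that it is confirmed malware.

```python
import sys
import zipfile
from pathlib import Path

# Extensions Windows will run or load directly (constructed shortlist, not exhaustive).
RISKY_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".msi"}


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def encrypted_members(path: Path) -> list[str]:
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except (zipfile.BadZipFile, OSError):
        return []


def triage_item(item_dir: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) findings for one downloaded wallpaper folder."""
    findings = []
    for p in sorted(item_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(item_dir).as_posix()
        if is_pe(p):  # content check catches renamed executables too
            findings.append((rel, "windows-executable"))
        elif p.suffix.lower() in RISKY_EXT:
            findings.append((rel, "script-or-launcher"))
        elif zipfile.is_zipfile(p) and encrypted_members(p):
            findings.append((rel, "password-protected-archive"))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python triage.py <path to one downloaded wallpaper folder>
    for rel, reason in triage_item(Path(sys.argv[1])):
        print(f"{reason:28} {rel}")
```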
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.