Steam Workshop Wallpaper Packages Drop DarkKomet and Lumma

Kaspersky found malicious Wallpaper Engine packages on Steam Workshop delivering DarkKomet, Lumma, Vidar, and ransomware loaders to gamers who installed them.

    Kaspersky researchers disclosed on June 16 a malware distribution campaign exploiting Wallpaper Engine — a popular Steam application with nearly one million reviews — by uploading malicious wallpaper packages to Steam Workshop that deliver multiple malware families to users who install them. Download counts for individual malicious packages ranged from thousands to tens of thousands before Steam removed them.

    Wallpaper Engine’s Application Wallpaper Feature as a Malware Execution Vector

    The exploitation mechanism uses a legitimate Wallpaper Engine capability: the application supports executable Windows programs running as interactive desktop backgrounds. Attackers created Workshop packages in which the “wallpaper” is a malicious executable rather than a visual file.

    In some packages, the malware was embedded directly in the wallpaper archive. In others, users were prompted to open a password-protected archive to “unlock” the wallpaper content, with the malware concealed inside. Both delivery variations exploited the same design feature — Wallpaper Engine’s ability to run arbitrary Windows executables as the desktop background — which provides a persistent execution context that runs with full user privileges every time the desktop is active.

    NTRaholic: Decoy Game Desktop Concealing a Backdoor and Steam Credential Harvester

    One analyzed example, named “NTRaholic,” displayed a functional decoy game as the desktop background while running a backdoor in the background. The package also installed a custom DLL named “AggregatorHost.dll” specifically engineered to locate and steal Steam account credentials from the infected machine.

    The dual-layer construction — a convincing decoy experience alongside malicious background processes — demonstrates deliberate attention to extending the time before victim discovery. A user who sees an engaging game-style wallpaper running normally on their desktop has no obvious signal that a credential harvester is simultaneously exfiltrating their Steam account information.
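As an added defensive example, not code from the Kaspersky report or this article: the Python script below triages a local Wallpaper Engine Workshop content directory for the indicators described above, namely packages whose manifest declares an application-type wallpaper, bundled executables or DLLs (including the AggregatorHost.dll name from the NTRaholic sample), "unlock" archives of the second delivery variant, and PE files hiding behind media extensions. The project.json layout and its "application" type value are assumptions, and the sample tree the script builds is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumption: project.json "type" is "application" for executable wallpapers (unverified here).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs"}
ARCHIVE_SUFFIXES = {".zip", ".7z", ".rar"}
SUSPECT_NAMES = {"aggregatorhost.dll"}  # the credential-stealer DLL named in the report

def inspect_package(pkg: Path) -> dict:
    out = {"package": pkg.name, "executables": [], "archives": [], "suspect_names": [], "disguised_pe": []}
    proj = pkg / "project.json"
    try:
        out["type"] = json.loads(proj.read_text(encoding="utf-8")).get("type")
    except (OSError, ValueError, AttributeError):  # missing or malformed manifest
        out["type"] = "unreadable"
    for f in pkg.rglob("*"):
        if not f.is_file() or f == proj:
            continue
        rel, suffix = str(f.relative_to(pkg)), f.suffix.lower()
        with f.open("rb") as fh:
            magic = fh.read(2)  # only the header is needed; media files can be huge
        if f.name.lower() in SUSPECT_NAMES:
            out["suspect_names"].append(rel)
        if suffix in EXEC_SUFFIXES:
            out["executables"].append(rel)
        elif suffix in ARCHIVE_SUFFIXES:
            out["archives"].append(rel)  # "unlock" archives of the second delivery variant
        elif magic == b"MZ":  # PE header behind a media-looking name
            out["disguised_pe"].append(rel)
    out["risky"] = bool(out["executables"] or out["suspect_names"] or out["disguised_pe"] or out["type"] == "application")
    return out

def scan_workshop(content_dir) -> list:
    # Returns findings for every package directory that needs manual review, ordered by id.
    pkgs = sorted(p for p in Path(content_dir).iterdir() if p.is_dir())
    return [r for r in map(inspect_package, pkgs) if r["risky"]]

def build_demo_tree() -> Path:
    root = Path(tempfile.mkdtemp())
    files = {"1001/project.json": b'{"type": "video", "file": "bg.mp4"}',  # constructed benign package
             "1001/bg.mp4": b"\x00\x00\x00\x18ftypmp42",
             "2002/project.json": b'{"type": "application", "file": "game.exe"}',  # shaped like the report
             "2002/game.exe": b"MZ" + bytes(62),
             "2002/AggregatorHost.dll": b"MZ" + bytes(62),
             "2002/intro.mp4": b"MZ" + bytes(62),  # PE disguised as media
             "2002/wallpaper_unlock.zip": b"PK\x03\x04"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

On a real machine, point scan_workshop at steamapps/workshop/content/<Wallpaper Engine app id>/ and treat anything it returns as a review queue rather than a verdict.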

    DarkKomet, Vidar, RanEngine, and Botnet Loaders Confirmed Across the Campaign

    The full set of malware families confirmed by Kaspersky across the campaign includes DarkKomet (a backdoor), Lumma (an infostealer), Vidar (an infostealer), RanEngine (a ransomware loader), botnet loaders, and cryptocurrency miners. The breadth of payload types across a single distribution campaign indicates that the Workshop channel was being used by multiple actors or to serve multiple criminal business objectives simultaneously — credential theft, persistent remote access, ransomware staging, and resource hijacking.

    Why Steam Workshop Users Apply Less Security Scrutiny Than Software Downloaders

    Steam Workshop is a trusted content distribution channel used by hundreds of millions of gamers. That users apply significantly less security scrutiny to Workshop content than to standalone software downloads is a predictable outcome of that trust relationship: the Workshop is perceived as a curated platform operated by a responsible distributor, which weakens the judgement users would otherwise apply before installing content from it.

    That reduced scrutiny creates a structural attack surface. Gamers who would hesitate before running an unsigned executable from an unknown website will install Workshop content from a creator with positive reviews without equivalent hesitation — even when that content, in the case of application wallpapers, executes arbitrary code on their system with full user privileges.

    The specific targeting of Steam account credentials by the NTRaholic example reflects a defined secondary objective beyond generic system compromise. Steam accounts carry substantial value in underground markets due to their game library inventories, in-game item collections, stored payment methods, and account age. A campaign that successfully harvests Steam credentials at scale has both immediate market value and persistence value — a stolen Steam account with a large library retains value long after initial compromise.

    Steam removed all identified malicious wallpaper packages following Kaspersky’s disclosure. Kaspersky noted, however, that attackers “will likely submit new ones” — a pattern consistent with Workshop abuse campaigns on other gaming platforms, where the removal of discovered malicious content is followed by resubmission under new accounts or package names. Users who installed Workshop wallpaper packages from unverified creators during the exposure period should inspect their systems for the documented malware families and treat any Steam credentials stored on those systems as potentially compromised.
