Malicious Wallpaper Engine wallpapers uploaded to Steam Workshop have reportedly been stealing Steam accounts for months, with attackers using compromised profiles to spread more infected content. The threat is real, but the company issuing the warning, Kaspersky, also carries serious baggage: Hungarian reporting from Telex and 444 has covered U.S. intelligence allegations that Russian intelligence services may have used the company’s software for espionage.

Imagine installing an animated desktop wallpaper, seeing it work perfectly, and then losing your Steam account a few minutes later. That is what may have been happening for months on Steam Workshop, while many victims likely had no idea what caused it. The problem is linked to the popular Wallpaper Engine app, which lets users create, customize, and use animated and interactive backgrounds. Attackers exploited one of the platform’s features by uploading wallpapers that were actually executable programs running directly on a user’s desktop.

According to SteamDB data, more than 100,000 people use Wallpaper Engine every day, making Steam Workshop an obvious target for people hunting for player accounts. The dangerous content is found among so-called Application wallpapers, which are not simple images or animations, but full executable programs. Kaspersky says attackers have been using this method since at least late 2025, uploading infected wallpapers for free and taking advantage of Valve’s weak filtering. Several of the identified packages had already reached thousands, or even tens of thousands, of downloads while the wallpaper itself appeared to launch and animate normally.

When an infected package is installed, attackers can place a hidden program named Synaptics.exe on the victim’s computer, along with a modified version of the AggregatorHost.dll system library. These run in the background, locate the installed Steam client, access active session data, and send it to servers controlled by the attackers. The stolen account can then be used to upload more infected Workshop content, allowing the campaign to spread further on its own. Kaspersky’s investigation found DarkKomet backdoors, Lumma and Vidar infostealers, cryptocurrency miners, ransomware, and tools connected to remotely controlled networks of infected computers in the malicious packages.

According to the figures cited in the report, 89% of detected infection attempts were concentrated in China, followed by Russia at 5.5%. Many of the wallpapers were designed to lure gamers from those regions, but the technique itself is not limited to a single country, and several independent threat groups may be using it. Kaspersky therefore believes this is not the work of one single campaign or criminal group, but multiple actors exploiting the same weak point inside Steam Workshop.

There is an uncomfortable complication behind the warning itself. Hungarian outlets including Telex and 444 have previously covered U.S. intelligence allegations that Kaspersky software may have been used by Russian intelligence services for espionage. This should not be treated as a proven fact, but as a serious intelligence allegation that Kaspersky has always denied. That does not make the Steam Workshop malware threat any less technically documented, but the credibility of the company delivering the warning is burdened by that history as well.

The good news is that Steam has removed the infected wallpapers identified in Kaspersky’s report. The danger has not disappeared permanently, however, because new packages can be uploaded to Workshop at any time. Anyone who continues downloading Wallpaper Engine content should stick to trusted creators, scan files with antivirus software before installation, and be especially careful with anything listed as an Application wallpaper. These are not harmless visual assets, but programs capable of launching executable code directly on a PC.

Source: 3DJuegos, Tom’s Hardware