Malware on Steam: how Wallpaper Engine backgrounds ended up stealing cryptos

If you use Wallpaper Engine to put animated backgrounds on your desktop, it's worth paying attention to what you're downloading. Researchers at Kaspersky found that, since late 2025, attackers have been hiding malware inside wallpapers published on the Steam Workshop. Some of those files had already racked up thousands of downloads before anyone noticed something was off.

The report is by Maxim Starodubov and Denis Brylev, and it came out on June 16, 2026. The takeaway is an uncomfortable one: not even a platform as trusted as Steam is completely safe.

Why a wallpaper can be dangerous

Wallpaper Engine is one of Steam's most popular apps. It has around 100,000 daily active users and nearly a million reviews. The idea is simple: instead of a static image, you get videos, interactive scenes, or web pages running as your desktop background.

The problem lies in a fourth type of wallpaper, the so-called "application wallpapers." These aren't images or videos. They're Windows programs that actually run on your computer. They can be mini-games, calendars, monitors that track your CPU usage, almost anything. And that's exactly what the attackers took advantage of. An application wallpaper is, in practice, someone else's code running on your machine. Since anyone can create one and publish it for free on the Workshop, it was only a matter of time before someone used it with bad intentions.

How the trick works

Kaspersky found dozens of these malicious wallpapers, each with thousands or tens of thousands of downloads. The attackers used two methods. In the more direct one, they bundled the executable wallpaper together with the infected files (EXEs, DLLs, or scripts) in a single package. In the other, they hid the malware inside a password-protected archive and left the password in plain sight: in the file name or inside a configuration file. Sometimes the victim typed it without suspecting a thing; other times, a script did it automatically.

One of the cases they analyzed sums it up well. It was a wallpaper with a game called NTRaholic. When you opened it, the game booted up fine and everything seemed normal. But behind the scenes, a backdoor was already being installed (a file called Synaptics.exe, from the DarkKomet family), while a second module searched for the Steam app on the machine, stole the credentials, and hijacked the user's active session. With that session in hand, the attackers could upload even more infected wallpapers to the Workshop using the victim's own account.

It's not one group, it's several

What stands out most is the variety. Among the wallpapers they analyzed, there was a bit of everything: the Lumma and Vidar infostealers, the DarkKomet backdoor, the RenEngine loader, cryptocurrency miners, botnet loaders, and even ransomware. That range suggests to Kaspersky that there isn't a single mastermind behind it, but several independent groups jumping on the same trend.

For now, the main target is gamers in China: 89% of the malicious download attempts happened there, and the wallpaper titles and art styles are tailored to that audience. Russia comes in second at 5.5%, followed at a distance by Singapore, Hong Kong, Germany, Vietnam, India, and Canada. That said, nothing stops the campaign from moving to another region whenever the attackers feel like it.

What to do if you use Wallpaper Engine

The good news is that, by the time the report was published, Steam had already removed the malicious wallpapers and links Kaspersky had identified. The bad news is that new ones keep showing up, so it's not a good idea to count on the platform catching them all.

A few precautions that help:

• Download wallpapers only from creators with a solid reputation, and read the community comments before installing anything.
• Be especially wary of application wallpapers, which are the only ones that can run programs.
• Run an up-to-date antivirus on any of these wallpapers before applying it.
• If something feels off after installing one (your PC slows down, Steam asks you to log in again for no reason), check your machine as soon as you can.

Wallpaper Engine itself is still a legitimate, safe app. The risk isn't in the app, but in what other people upload to the Workshop. And as usually happens in these cases, the best filter is still thinking twice before clicking "download."