Jun 16, 2026
Malicious Steam Wallpapers Targeting Gamers in China and Russia with Account Theft and Malware

Malicious wallpapers distributed through Steam Workshop since late 2025 have been stealing Steam account credentials and infecting systems with malware targeting gamers in China and Russia. Attackers exploit Wallpaper Engine's application wallpaper feature, which allows arbitrary code execution, to distribute backdoors, ransomware, and crypto miners to tens of thousands of unsuspecting users.
Quick Facts
Who: Attackers/cybercriminals
What: Malicious wallpapers distributed through Steam Workshop
When: Since late 2025
Where: Steam Workshop
- Malicious wallpapers distributed through Steam Workshop
- Steam account credentials stolen
- Systems infected with backdoors, ransomware, and crypto miners
- Exploitation of Wallpaper Engine application wallpapers
- Two distribution methods: standard archives and password-protected archives
Since late 2025, a sophisticated malware campaign has been spreading through the Steam Workshop, exploiting Wallpaper Engine—a popular animated desktop wallpaper application with approximately 100,000 daily active users and nearly a million reviews. Attackers have uploaded dozens of malicious wallpapers that, when installed, steal Steam account credentials and infect systems with backdoors, ransomware, and cryptocurrency miners. The campaign primarily targets gamers in China and Russia.
Wallpaper Engine, available on Windows and Android, allows users to create and share four types of custom wallpapers: videos in MP4 or WebM formats, interactive scenes built in the app's editor, web pages powered by HTML and JavaScript, and executable applications that run as standalone programs on the desktop. The attackers have exploited the application wallpaper category—which essentially executes arbitrary code on users' computers—to distribute malware through Steam Workshop, where anyone can freely publish content without extensive security vetting.
Security researchers have identified dozens of infected wallpapers, each downloaded thousands or tens of thousands of times. The attackers employ two primary distribution methods: packaging malware alongside executable wallpapers in standard archives, or concealing malicious files within password-protected archives where users are tricked into entering credentials or scripts execute automatically. One sample discovered in December 2025 appeared as a functional game wallpaper but silently deployed a backdoor file called Synaptics.exe, part of the DarkKomet malware family, within minutes of installation.
Once executed, these compromised wallpapers hijack Steam credentials and introduce various threats including backdoors for remote system access, ransomware for file encryption, and crypto miners that degrade system performance. The reliance on Steam Workshop's open publishing model and the inherent execution privileges of application wallpapers created an attractive vector for cybercriminals targeting the global gaming community.
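The following Python script triages a local folder of downloaded Wallpaper Engine Workshop items for the two delivery patterns described above: application wallpapers that ship extra executables, and items that carry archives. It is an added example, not code from the original report or from Wallpaper Engine; the project.json "type" and "file" fields and the extension lists are assumptions.

```python
import json
from pathlib import Path

# Assumptions (not from the article): every Workshop item is a folder with a
# project.json whose "type" names the wallpaper kind and whose "file" names the
# entry point; the extension sets are an illustrative, non-exhaustive choice.
EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}


def audit_item(item_dir):
    """Return the list of triage reasons for one Workshop item folder."""
    try:
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing, unreadable or malformed metadata
        meta = None
    if not isinstance(meta, dict):
        meta = {}
    kind = str(meta.get("type", "")).lower()
    entry = Path(str(meta.get("file", ""))).name.lower()
    files = [p for p in item_dir.rglob("*") if p.is_file()]
    execs = sorted(p.name for p in files if p.suffix.lower() in EXEC_EXT)
    archives = sorted(p.name for p in files if p.suffix.lower() in ARCHIVE_EXT)
    reasons = []
    if kind == "application":
        reasons.append("application wallpaper: runs as a program")
        extra = [n for n in execs if n.lower() != entry]
        if extra:
            reasons.append("extra executables beside entry point: " + ", ".join(extra))
    elif execs:
        reasons.append(f"executables in a {kind or 'unknown'} wallpaper: " + ", ".join(execs))
    if archives:
        reasons.append("bundled archive, contents not inspected: " + ", ".join(archives))
    return reasons


def audit_workshop(root):
    """Map item id -> reasons for every flagged item under the Workshop root."""
    report = {}
    for item in sorted(Path(root).iterdir()):
        if item.is_dir() and (reasons := audit_item(item)):
            report[item.name] = reasons
    return report


if __name__ == "__main__":
    import sys
    for item_id, reasons in audit_workshop(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(item_id, *reasons, sep="\n  ")
```

Run it with the Workshop content folder for Wallpaper Engine as the only argument. A flagged item is a candidate for manual review, not a verdict.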
Why This Matters
This campaign directly threatens gamers' financial security and personal data. Compromised Steam accounts can lead to financial fraud, identity theft, and access to linked payment methods. The exploitation of Wallpaper Engine's code execution capability demonstrates how legitimate applications can become infection vectors when distribution channels lack security controls. Users in China and Russia face particular risk, and the campaign's success (tens of thousands of downloads) suggests the vulnerability remains active and unpatched.
Timeline & Sources
Jun 16, 2026
Wire: Kaspersky Securelist publishes detailed analysis of the malware campaign