Jun 17, 2026
Kaspersky Warns of Malware Distribution via Anime Wallpapers on Steam Workshop
Kaspersky has warned of hackers distributing malware disguised as anime girl wallpapers on Steam Workshop's Wallpaper Engine. Multiple infected wallpapers were downloaded thousands of times, with some containing the DarkKomet backdoor, which harvested Steam account information from users, primarily in China and Russia but also in other countries.
Quick Facts
Who: Kaspersky
What: Malware distribution campaign via anime wallpapers
When: December 2025
Where: Steam Workshop
- Malware distribution campaign via anime wallpapers
- DarkKomet backdoor deployment
- Steam account harvesting and session hijacking
- Malware bundled in wallpaper packages
- Malware hidden in password-protected archives
Cybersecurity firm Kaspersky has discovered a malware distribution campaign leveraging Wallpaper Engine, a popular Steam Workshop application that allows users to download and install animated and interactive desktop wallpapers. Security researchers found that attackers have embedded malicious code within wallpaper packages featuring anime-themed content, with infected downloads reaching thousands of users.
The malware distribution method exploits Wallpaper Engine's application-based architecture, which allows executable programs to run directly on Windows computers. Kaspersky identified two primary infection techniques: bundling malicious executables within wallpaper packages, and hiding malware inside password-protected archives with passwords embedded in configuration files or archive names. Once a compromised wallpaper is installed, the malicious payload is automatically triggered in the background.
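A defender-side triage sketch for the two techniques described above, added here as an example (it is not Kaspersky's tooling and not part of the original article): it walks a downloaded workshop content folder and flags files that are Windows PE executables by content, whatever their extension, and ZIP archives whose entries are marked encrypted. The folder layout, item id and file names are constructed for the demonstration, and archive formats other than ZIP are not covered.

```python
import struct, tempfile, zipfile
from pathlib import Path

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\x00\x00"

def encrypted_members(path):
    """Names of ZIP members with general-purpose flag bit 0 (encrypted) set."""
    with zipfile.ZipFile(path) as z:
        return [i.filename for i in z.infolist() if i.flag_bits & 0x1]

def scan(root):
    """Classify every file under root by content, not by extension."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_pe(path):
            findings.append((rel, "pe-executable"))
        elif zipfile.is_zipfile(path) and encrypted_members(path):
            findings.append((rel, "encrypted-zip"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample package: benign files, a PE stub, a ZIP marked encrypted."""
    pkg = Path(root, "1234567890")  # made-up item id
    pkg.mkdir()
    (pkg / "preview.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Minimal PE-shaped stub (not runnable) behind a non-.exe extension.
    stub = bytearray(b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    struct.pack_into("<I", stub, 0x3C, 64)
    (pkg / "scene.dat").write_bytes(stub)
    with zipfile.ZipFile(pkg / "assets.zip", "w") as z:
        z.writestr("texture.txt", "plain")
    # Copy the archive and set the encrypted flag in its central-directory entry.
    raw = bytearray((pkg / "assets.zip").read_bytes())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x01
    (pkg / "extra.zip").write_bytes(raw)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind in scan(tmp):
            print(kind, rel)
```

A hit is a reason to inspect the item before it runs, not a verdict: an encrypted archive inside a wallpaper package is unusual, and an executable behind a data-file extension more so.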
One notable malware sample discovered in December 2025 initially appeared legitimate, launching an embedded desktop game while covertly deploying the DarkKomet backdoor. This backdoor installed a modified library specifically designed to target Steam users, harvesting account credentials and hijacking active Steam sessions. The campaign primarily affected users in China and Russia, though infections were also reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
According to Kaspersky's analysis, the campaign does not appear to be a coordinated effort but rather the work of multiple independent threat actors. The discovery underscores growing security concerns regarding third-party content distribution platforms and highlights the risks of downloading applications from unvetted sources, even through established platforms like Steam Workshop.
Why This Matters
This malware campaign demonstrates how legitimate distribution platforms like Steam Workshop can be weaponized to deliver sophisticated threats at scale. Users face credential theft and session hijacking risks even when downloading from established ecosystems. Understanding these attack vectors—especially the password-protected archive technique—helps organizations and individuals implement stricter vetting procedures for third-party content and reinforces the need for endpoint security monitoring beyond traditional antivirus signatures.