
HACKERS have flooded the Steam Workshop with dozens of malicious Wallpaper Engine backgrounds that install malware on gamers’ machines, a campaign primarily observed in China and Russia, according to Securelist research. The malicious wallpapers appear as ordinary animated backgrounds but contain hidden application wallpaper components that can execute code when activated. Victims report sudden performance drops, unexpected network connections and alerts from security tools after setting the compromised images as their desktop wallpaper. The campaign highlights how trusted community marketplaces can be abused to deliver payloads at scale.
The abuse relies on the Workshop’s ability to share “application wallpapers” that can execute arbitrary code when set as a desktop background, allowing attackers to hide payloads such as the DarkKomet remote access tool, credential‑stealing scripts and cryptocurrency miners inside seemingly innocuous animations, as detailed in a SecurityOnline report. Unlike traditional exploits that require a software vulnerability, this method relies on the legitimate Wallpaper Engine interface to run JavaScript or binary code supplied by the creator. Once the wallpaper is applied, the embedded script launches with the user’s privileges, enabling it to read files, capture keystrokes and open reverse shells to attacker‑controlled servers. The absence of a CVE reflects that the flaw lies in the feature itself rather than a coding error.
Analysis of the infected submissions shows a range of payloads, from lightweight stealers that harvest Steam login cookies and browser passwords to more aggressive modules that install persistence mechanisms and deploy Monero miners that consume GPU resources. Some wallpapers also drop a lightweight backdoor that contacts a command‑and‑control domain registered just days before the campaign began, suggesting a short‑lived but focused operation.
The variety indicates that multiple actors are using the same distribution channel, each tailoring the malicious code to their own objectives while relying on the Workshop’s automated download and update mechanisms.
The activity was first detected on 16 June 2026 and continued through 22 June 2026, with Securelist logging over fifty distinct wallpaper entries that received thousands of downloads before being removed. Although no specific threat actor has been claimed, the geographic concentration of infections in China and Russia points to operators familiar with the local gaming communities and possibly using regional payment methods to monetize the stolen assets. The campaign demonstrates how quickly malicious content can spread when it masquerades as legitimate, user‑generated content on a popular platform.
This incident adds to a growing list of supply‑chain attacks that target creative marketplaces, showing that trust in community‑driven content can be weaponized for credential theft, financial fraud and illicit cryptocurrency mining. It mirrors previous abuses of mod‑hosting sites where malicious scripts were hidden in game modifications or texture packs, reinforcing the need for platform owners to scrutinize executable content even when it is presented as harmless artwork.
For defenders, the event serves as a reminder that endpoint protection must cover not only traditional software vectors but also user‑installed extensions that run with full user privileges.
Users should treat any newly downloaded Wallpaper Engine item as untrusted and scan it with an updated antivirus engine before enabling it, and they should disable the application wallpaper feature unless they can verify the creator’s reputation. Enabling multi‑factor authentication on Steam accounts reduces the impact of credential‑stealing payloads, while keeping the Wallpaper Engine client, the Steam client and the operating system patched limits the ability of malware to leverage outdated components.
Regularly reviewing installed wallpapers and removing any that were obtained from unfamiliar sources further reduces the risk of persistent infection.
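One way to carry out that review is sketched below as an added example; it is not code from Securelist, SecurityOnline or Wallpaper Engine. It assumes subscribed items live under `steamapps/workshop/content/431960/<item id>/`, that each item has a `project.json` whose `type` field names the wallpaper kind, and that the extension list is a reasonable stand-in for "executable content"; the sample tree is constructed.

```python
import json, sys, tempfile
from pathlib import Path

# Assumed layout (not from the article): <Steam library>/steamapps/workshop/content/431960/<item id>/
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs"}  # assumed list

def audit_item(item_dir):
    """Return a finding dict for one workshop item, or None if nothing stands out."""
    reasons = []
    try:
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
        if not isinstance(meta, dict):
            raise ValueError("manifest is not a JSON object")
    except (OSError, ValueError):  # missing file, bad encoding or invalid JSON
        meta = {}
        reasons.append("missing or unreadable project.json")
    # Assumed manifest field: "type" names the wallpaper kind (scene, video, web, application).
    if str(meta.get("type", "")).lower() == "application":
        reasons.append("application wallpaper")
    execs = sorted(p.relative_to(item_dir).as_posix() for p in item_dir.rglob("*")
                   if p.is_file() and p.suffix.lower() in EXEC_EXTS)
    if execs:
        reasons.append("executable files: " + ", ".join(execs))
    if not reasons:
        return None
    return {"id": item_dir.name, "title": meta.get("title", "?"), "reasons": reasons}

def audit_workshop(content_dir):
    """Audit every item folder under the Wallpaper Engine workshop content directory."""
    items = sorted(d for d in Path(content_dir).iterdir() if d.is_dir())
    return [f for f in map(audit_item, items) if f]

def build_sample(root):
    """Constructed sample tree: one scene, one application item, one video with a stray DLL."""
    items = {
        "1000000001": ({"type": "scene", "title": "Rainy street"}, ["scene.pkg"]),
        "1000000002": ({"type": "Application", "title": "Neon city"}, ["wallpaper.exe"]),
        "1000000003": ({"type": "video", "title": "Waves"}, ["waves.mp4", "bin/helper.dll"]),
    }
    for item_id, (meta, files) in items.items():
        for rel in files + ["project.json"]:
            path = Path(root) / item_id / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps(meta) if rel == "project.json" else "")
    return Path(root)

if __name__ == "__main__":
    # Pass the real content directory as an argument; otherwise audit the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for finding in audit_workshop(target):
        print(finding["id"], finding["title"], "; ".join(finding["reasons"]), sep=" | ")
```

A flagged item is a candidate for review and unsubscription, not a verdict: legitimate application wallpapers are flagged too, which is the point when the creator cannot be verified.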