Kaspersky Finds Malware Hidden in Steam Workshop Wallpaper Packages

Researchers at Kaspersky have uncovered an ongoing malware distribution campaign that hides malicious code inside Steam Workshop wallpaper packages, exploiting the trust users place in a platform built for sharing custom desktop content.

The campaign abuses Wallpaper Engine, a popular Steam application for creating and sharing animated desktop wallpapers. The application allows executable programs to run directly on a user’s Windows computer. Kaspersky identified dozens of infected wallpaper packages on Steam Workshop, several of which had accumulated thousands or tens of thousands of downloads before discovery. Victims were concentrated in China and Russia, with others recorded in Singapore, Hong Kong, Germany, Vietnam, India and Canada.

Two delivery methods, one trusted platform

Attackers used two main techniques to smuggle malware past users. In some cases, malicious executables, DLLs and scripts were bundled directly inside the wallpaper package. In others, the malware sat inside password-protected archives, with the password hidden in the archive’s filename or a configuration file, and executed automatically once the wallpaper was installed.
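A defender-side triage check for the two delivery methods described above, as an added example that is not taken from the article or from Kaspersky's report: it walks a downloaded wallpaper package and flags PE binaries (by magic bytes, so a renamed extension does not hide them), script files, and archives, marking ZIP archives whose entries carry the encryption flag. The script extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import io, tempfile, zipfile
from pathlib import Path

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".hta"}    # assumed list, not from the article
OTHER_ARCHIVES = (b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")  # RAR and 7z magic bytes

def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head[:2] == b"MZ":                       # PE executable or DLL, whatever the extension
        return "pe-binary"
    if path.suffix.lower() in SCRIPT_EXTS:
        return "script"
    if head[:4] == b"PK\x03\x04":               # ZIP: bit 0 of the flags marks an encrypted entry
        try:
            with zipfile.ZipFile(path) as zf:
                locked = any(i.flag_bits & 0x1 for i in zf.infolist())
        except zipfile.BadZipFile:
            return "archive-unreadable"
        return "archive-encrypted" if locked else "archive"
    if head.startswith(OTHER_ARCHIVES):         # encryption is not checked for these formats
        return "archive-unchecked"
    return None

def scan(root):
    """Map relative path -> finding for every flagged file under root."""
    root, found = Path(root), {}
    for p in sorted(root.rglob("*")):
        kind = classify(p) if p.is_file() else None
        if kind:
            found[p.relative_to(root).as_posix()] = kind
    return found

def build_sample(root):
    """Write a constructed package made of inert bytes for the demo."""
    root = Path(root)
    (root / "project.json").write_text('{"title": "constructed"}')
    (root / "helper.dat").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "run.cmd").write_text("rem constructed sample\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.bin", b"constructed")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1     # set the encrypted bit in the central directory
    (root / "assets.zip").write_bytes(raw)

if __name__ == "__main__":                      # demo on the constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Point `scan()` at the folder where Steam stores downloaded Workshop items to review real packages; a hit is a prompt for closer inspection, not a verdict.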

One sample identified in December 2025 illustrates the deception: it launched what looked like a working desktop game with no visible sign of compromise, while quietly deploying the DarkKomet backdoor in the background to harvest Steam account credentials and hijack active sessions. Kaspersky believes the campaign involves multiple independent threat actors rather than a single coordinated group, with different incidents distributing the Lumma and Vidar infostealers and the RenEngine loader alongside DarkKomet.

Trusted platforms can be abused to distribute malware: the attacks rely on users trusting content hosted within legitimate ecosystems, said Maxim Starodubov, a cybersecurity expert at Kaspersky. While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content.

Lowered guard around user-generated content

The campaign underscores how gaming platforms have become a viable attack surface precisely because users tend to lower their guard around mods, custom maps and wallpapers, content categories that feel inherently low-risk. Kaspersky’s security products detect and block malware associated with the campaign, and the company has published further technical detail in a report on Securelist.

Kaspersky is advising users to exercise caution when downloading any application, even from trusted sources, to verify the legitimacy and reputation of content creators before installing user-generated material, and to rely on established security solutions to catch threats that slip past platform-level checks.
