Gamers beware: malicious wallpapers on Steam found stealing accounts | Securelist
Subscribe --><br>Dark mode off<br>Login -->
Securelist menu
EnglishRussian<br>Spanish<br>Brazil
Existing Customers
Personal
My Kaspersky<br>Renew your product<br>Update your product<br>Customer support
Business
KSOS portal<br>Kaspersky Business Hub<br>Technical Support<br>Knowledge Base<br>Renew License
Home
Products<br>Trials&Update<br>Resource Center
Business
Kaspersky Next<br>Small Business (1-50 employees)<br>Medium Business (51-999 employees)<br>Enterprise (1000+ employees)
Securelist<br>Threats
Financial threats<br>Mobile threats<br>Web threats<br>Secure environment (IoT)<br>Vulnerabilities and exploits<br>Spam and Phishing<br>Industrial threats
Categories
APT reports<br>Incidents<br>Research<br>Malware reports<br>Spam and phishing reports<br>Publications<br>Kaspersky Security Bulletin
Archive<br>All Tags<br>APT Logbook<br>Webinars<br>Statistics<br>Encyclopedia<br>Threats descriptions<br>KSB 2021
About Us
Company<br>Transparency<br>Corporate News<br>Press Center<br>Careers<br>Sponsorships<br>Policy Blog<br>Contacts
Partners
Find a Partner<br>Partner Program
Content menu<br>Close
Subscribe
Threat Response
Table of Contents
What is Wallpaper Engine?<br>Application wallpapers: a built-in security risk<br>Inside an infected game wallpaper<br>Attribution and victims<br>How to stay safe<br>Indicators of compromise
Authors
Maxim Starodubov
Denis Brylev
Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform’s built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts. To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app available on Steam – specifically leveraging its Workshop sharing feature. The malware is hidden inside the wallpaper packages users share with one another. Running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected with backdoors or crypto miners.
What is Wallpaper Engine?
Wallpaper Engine is an app that allows you to put animated wallpapers on your desktop. It’s available for both Windows and Android, though our investigation focused strictly on the Windows version. Thanks to a massive Steam community, the app is quite popular, boasting around 100,000 daily active users and nearly a million reviews. It comes with a built-in editor so users can create their own designs, and it supports a few different wallpaper types:
Videos: MP4, WebM, and other common video formats
Scenes: interactive wallpapers built inside the app’s own editor
Web pages: HTML pages powered by JavaScript and CSS, which can also include audio and video elements
Applications: active windows from third-party Windows-compatible software that Wallpaper Engine sets as the user’s desktop background
That last type, application wallpapers, is where things get risky, because these are essentially standalone programs. They can be anything from mini-games you play right on your desktop, to planners, calendars, system monitors, or widgets tracking your CPU or GPU usage.
Application wallpapers: a built-in security risk
The whole concept of "application wallpapers" essentially allows foreign code to be run directly on your computer. Cybercriminals took note of this feature and started embedding malware right into these types of wallpapers. Because Wallpaper Engine relies on Steam Workshop for content sharing, anyone can create a wallpaper and publish it for the community to download and install for free. Naturally, this setup is a magnet for bad actors.
We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times.
When we analyzed them, we caught two different methods the attackers were using to spread their malware:
An archive containing the executable wallpaper alongside the malicious files. This payload usually consisted of compromised EXE files, DLLs, or malicious scripts.
In other cases, attackers threw a curveball by hiding the malware inside a password-protected archive. Either the victim was tricked into typing the password, or a script handled it automatically. The attackers would hide the password in plain sight – either right in the archive’s name or inside a JSON configuration installed along with other wallpaper files. For all the other variations, the payload triggered automatically when the user selected and applied the wallpaper.
Inside an infected game wallpaper
Main screen of the wallpaper application
On the surface, this wallpaper sample (above) we uncovered in December 2025 looks completely harmless. Once launched, there’s absolutely nothing to trigger your suspicion. The built-in game boots up flawlessly, runs smoothly, and the desktop controls work exactly as they should. But behind the scenes, a full-blown infection is underway. Within just a few minutes, a user might suddenly...