Kaspersky states that attackers are distributing malware through wallpaper content on the Steam Workshop. Since these "application wallpapers" can execute programs directly on Windows computers, users installing seemingly legitimate content may inadvertently download spyware.
Dozens of infected wallpaper packages detected
Kaspersky stated that researchers have identified dozens of wallpaper packages containing malicious code. The related samples involve two common information-stealing trojans, Lumma and Vidar, as well as the RenEngine loader.
These malicious programs are typically used to steal account credentials, browser data, and cryptocurrency wallet information. Researchers have determined that this campaign does not appear to be the work of a single group, but rather multiple attackers simultaneously deploying malicious content using similar techniques.
The main victims are in China and Russia
According to Kaspersky, victims were primarily located in China and Russia, with additional cases reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
The company stated that the malicious wallpaper packages were distributed in different ways: some were directly bundled with trojans, while others concealed malicious files within encrypted archives, releasing them automatically after installation.
Legitimate platforms used to improve distribution efficiency
Kaspersky mentioned a similar case in 2025: a wallpaper app appeared to launch a legitimate desktop game, but secretly installed the DarkKomet backdoor in the background.
Researchers say these attacks rely on users' trust in the official platform ecosystem. Attackers do not need to impersonate independent download sites; they only need to package malicious content as ordinary Steam Workshop resources to reach a large number of potential victims.
In July of this year, cybersecurity firm Prodaft also disclosed that the Steam Early Access game Chemia was compromised and used to distribute Hijack Loader, Fickle Stealer, and Vidar Stealer, targeting cryptocurrency wallets and user data. Earlier, in March, the U.S. Federal Bureau of Investigation announced an investigation into multiple malware strains distributed through Steam games, including Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova.
