Malicious Wallpapers on Steam Used to Steal Gaming Session Data, Researchers Warn

By: Morgan Cipher Senior Privacy Journalist

Last updated: June 18, 2026

  • Attackers hid malware in Wallpaper Engine application wallpapers on Steam Workshop to gain a pathway to steal Steam sessions.

  • Researchers found that the wallpapers have already been downloaded thousands of times, with 89% of the victims they found residing in China and the rest spread across several other countries.

  • The campaign delivered many kinds of malware, including infostealers, ransomware droppers, backdoors, and crypto-mining malware.

Threat actors’ malicious exploitation of Valve’s Steam Workshop did not start this year. They got what they wanted by disguising malware as legitimate wallpapers for Wallpaper Engine. This is one of the most popular desktop customization apps that Steam owns.

According to cybersecurity researchers at Kaspersky, these attackers have been using the platform for their nefarious acts since late 2025. They took advantage of a very unpopular feature that allows wallpapers to work as executable applications.

By publishing malicious wallpapers that looked like harmless games, desktop enhancements, or utilities, these threat actors found it very easy to infect users’ systems and steal active Steam sessions, and they even deployed more malware.

Malicious Wallpapers Turn Desktop Customization into an Attack Vector

Wallpaper Engine supports several wallpaper formats: videos, web pages, interactive scenes, and application wallpapers. Unlike normal wallpapers, application wallpapers work as standalone executables designed to run directly on a user’s computer.

Attackers focused specifically on this feature because once such a wallpaper is launched, it gets the same execution privileges as any other legitimate program.

The researchers found many malicious uploads passing themselves off as games, widgets, and even productivity tools. Since Steam Workshop lets users publish content free of charge, it has become easy for criminals to upload their own malicious wallpapers without barriers.

Some of the uploads came with harmful executables, scripts, or even dynamic-link libraries (DLLs), which the attackers hid alongside content that looked legitimate.

They also hid the malware inside password-protected archives, using scripts or embedded configuration files to automatically retrieve the password and extract the payload.

The reach of this campaign was massive. Many of the malicious wallpapers had already accumulated thousands or even tens of thousands of downloads before the engineers identified and removed them.

Steam Session Hijacking Enables Persistent Account Compromise

Once the victim launches the malicious wallpaper, the malware executes immediately while still appearing to be a functioning wallpaper or mini-game. Kaspersky observed one attack chain dropping a DarkKomet remote access trojan backdoor named “Synaptics.exe” into the system’s ProgramData directory.

At the same time, another executable loaded visible wallpaper content so that the victim would not notice anything wrong with the wallpaper. The malware also used a different version of AggregatorHost.dll, a legitimate Windows component that the attackers had altered to carry malicious code.

This malicious DLL searched for the Steam client and extracted active session information. It then transmitted the stolen session data to a command-and-control server run by the cybercriminals, giving them direct access to the victims’ Steam accounts without needing account passwords.

Researchers warn that attackers can use the compromised accounts to upload more malicious wallpapers to Steam Workshop, creating a self-propagating cycle.

By taking over legitimate user accounts, attackers can make their malicious uploads appear legitimate and increase the speed at which the infection reaches more systems.

Multiple Threat Groups Appear to be Using the Same Technique

Kaspersky investigators also found many other malware families beyond DarkKomet, including the Lumma and Vidar infostealers. There were also RenEngine loader variants, ransomware droppers, botnet loaders, and malware for cryptocurrency mining.

These different payloads imply that no single threat actor is controlling the operation. Instead, many different cybercriminal groups are seemingly exploiting the same distribution method via Steam Workshop.

Nation-state actors are also active in similar supply chain attacks. North Korean hackers have been planting malicious packages across open-source ecosystems like npm and PyPI, showing how threat actors at all levels target trusted platforms.

By geographical distribution, China alone accounts for 89% of the malicious download attempts the researchers detected, with the attackers tailoring the wallpaper themes and titles specifically to Chinese-speaking users.

Russian downloads were roughly 5.5% of the activity researchers observed, while Singapore, Hong Kong, Germany, Vietnam, India, and even Canada accounted for smaller numbers of victims.

Although Valve has removed the malicious wallpapers that Kaspersky identified, researchers are warning that new uploads continue to show up. As a result, the recommendation is that users should avoid application-type wallpapers from creators they can’t verify.

Secondly, they should scan the Workshop content they download with updated security software. They should also enable Steam Guard and two-factor authentication. Most importantly, users should investigate suspicious or unusual processes like Synaptics.exe or unexpected DLLs running from the ProgramData directory.
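
A defender-side triage of downloaded Workshop items in line with the recommendations above, as an added example that is not from the article or from Kaspersky. It assumes each item folder carries a project.json whose "type" field names the wallpaper format ("application" for application wallpapers); the extension lists, function names and sample items are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

NATIVE = {".exe", ".dll", ".scr", ".com"}    # run as native code
SCRIPTS = {".bat", ".cmd", ".ps1", ".vbs"}   # can unpack or launch a payload
ARCHIVES = {".zip", ".7z", ".rar"}           # may hold a protected payload

def triage_item(item_dir):
    """Return (wallpaper_type, findings) for one downloaded item folder."""
    item_dir, wp_type, findings = Path(item_dir), "unknown", []
    try:  # assumption: project.json holds a "type" field naming the format
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
        wp_type = str(meta.get("type", "unknown")).lower()
    except (OSError, ValueError, AttributeError):
        findings.append("project.json missing or unreadable")
    names = sorted(p.name for p in item_dir.rglob("*") if p.is_file())
    pick = lambda exts: [n for n in names if Path(n).suffix.lower() in exts]
    native, scripts, archives = pick(NATIVE), pick(SCRIPTS), pick(ARCHIVES)
    if wp_type == "application":
        findings.append("application wallpaper: runs as a standalone executable")
    elif native:  # videos, scenes and web pages should not ship binaries
        findings.append(f"native binaries in a '{wp_type}' wallpaper: {native}")
    if scripts:
        findings.append(f"scripts bundled with content: {scripts}")
    if archives and (native or scripts):
        findings.append(f"archive next to code that could unpack it: {archives}")
    return wp_type, findings

def scan_workshop(root):
    """Map item folder name -> findings, for items with at least one finding."""
    items = sorted(p for p in Path(root).iterdir() if p.is_dir())
    return {p.name: found for p in items if (found := triage_item(p)[1])}

def build_sample(root):
    """Create constructed sample items (not real Workshop content)."""
    layout = {"1001": ("video", ["clip.mp4"]),
              "1002": ("application", ["game.exe", "data.zip", "run.bat"]),
              "1003": ("scene", ["scene.json", "update.exe"])}
    for name, (wp_type, files) in layout.items():
        folder = Path(root) / name
        folder.mkdir(parents=True)
        (folder / "project.json").write_text(json.dumps({"type": wp_type}))
        for filename in files:
            (folder / filename).write_bytes(b"")
    return root

if __name__ == "__main__":
    for item, found in scan_workshop(build_sample(tempfile.mkdtemp())).items():
        print(item, *found, sep="\n  - ")
```

To review real downloads, pass the Wallpaper Engine Workshop content folder to scan_workshop() instead of the constructed sample; a finding is a prompt to inspect the item, not a verdict.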

About the Author

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.
