Malware-Infected Wallpaper Packages Found on Steam Workshop

Cybersecurity firm Kaspersky has identified a campaign distributing malicious wallpaper packages through the Steam Workshop for the Wallpaper Engine application. These packages contain malware designed to steal user credentials and install other harmful software, exploiting the platform's community features.

Campaign Details and Scope

According to Kaspersky's report, dozens of compromised wallpaper packages were detected on the Steam Workshop. Each package had been downloaded thousands to tens of thousands of times. The campaign primarily targeted users in China and Russia, with additional victims identified in Singapore, Hong Kong, Germany, and Canada.

Technical Methods

Wallpaper Engine allows users to download animated or interactive desktop backgrounds. These wallpapers are executable Windows applications, which attackers exploited to bundle malware. Malware was delivered in two primary ways:

  • Directly bundled within the wallpaper application.
  • Hidden inside password-protected archives that execute automatically upon installation.

Types of Malware Deployed

The malicious packages delivered a range of payloads, including:

  • Cryptocurrency miners
  • Remote access trojans
  • Information-stealing programs (infostealers) such as Lumma and Vidar
  • Botnet loaders
  • Ransomware strains, including RanEngine
  • Steam account credential stealers

A specific wallpaper package posing as the game NTRaholic was found to deploy the DarkKomet malware alongside a custom file named "AggregatorHost.dll" designed to exfiltrate Steam login credentials.
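A defender-side triage check for the delivery methods and file name described above, added here as an example and not taken from Kaspersky's report or from Wallpaper Engine: it walks a downloaded package directory and flags Windows PE files, ZIP archives with encrypted entries, and the reported file name. The function names, finding labels and sample files are constructed, and it assumes the password-protected archives are ZIPs (other archive formats are not checked).

```python
import os
import tempfile
import zipfile

REPORTED_NAMES = {"aggregatorhost.dll"}  # named in the article; weak signal alone

def classify(path):
    """Return triage findings for one file in a downloaded package."""
    findings = []
    if os.path.basename(path).lower() in REPORTED_NAMES:
        findings.append("reported-name")
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"MZ":  # DOS/PE header: Windows executable or DLL
        findings.append("pe-file")
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                findings.append("encrypted-zip")
    return findings

def scan_tree(root):
    """Walk a package directory; map relative paths to their findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = classify(path)
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report

def demo():
    """Scan a constructed sample package (inert bytes, built in a temp dir)."""
    with tempfile.TemporaryDirectory() as root:
        stub = b"MZ" + b"\x00" * 62  # header bytes only, not a runnable binary
        for name, data in {"scene.json": b"{}", "wallpaper.exe": stub,
                           "AggregatorHost.dll": stub}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        zpath = os.path.join(root, "extra.zip")
        with zipfile.ZipFile(zpath, "w") as zf:
            zf.writestr("payload.bin", b"constructed")
        with open(zpath, "r+b") as fh:
            raw = fh.read()
            pos = raw.rfind(b"PK\x01\x02") + 8  # flags field, central directory
            fh.seek(pos)
            fh.write(bytes([raw[pos] | 0x01]))  # constructed: mark entry encrypted
        return scan_tree(root)
```

A finding is a reason to inspect the file with up-to-date antivirus software, not a verdict on its own.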

Platform Response and Recommendations

Valve, the operator of Steam, has removed the identified malicious wallpaper packages. Kaspersky warned that new malicious packages may continue to appear on the platform. Recommendations for users include scanning Steam Workshop products with up-to-date antivirus software. Neither Wallpaper Engine nor Valve created the malicious packages, and PCGamesN has contacted both parties for further comment.