Steam Workshop Wallpaper Engine malware delivery operation
Malware Activity
Summary
Malicious Steam Workshop wallpaper packages are being used to install backdoors, steal Steam credentials, and launch cryptomining on users' systems, expanding a long-running abuse of Wallpaper Engine. The activity has been underway since at least late 2025 and includes multiple malware families, not just a single payload. Steam removed the identified uploads, but the distribution path remains attractive for repeat abuse.
Related Happenings
Steam Workshop malicious wallpaper malware distribution campaign
Campaign
H score: 39
First: 16.06.2026 21:27
Last: 16.06.2026 21:27
Sources 1
How related:
According to the researchers, attackers took advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine.
About this happening:
A **Steam Workshop** campaign has used malicious wallpaper uploads to deliver malware to **Steam users**, creating a broad infection risk across the platform since **late 2025**....
WordPress malware hides C2 data in Steam Community comments
Malware Activity
H score: 16
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
About this happening:
A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...
Timeline
- 16.06.2026 21:27 · 2 articles
Malicious Steam Workshop wallpapers deliver backdoors and infostealers
Technical Analysis Update
Threat actors are abusing Valve's Steam Workshop and the Wallpaper Engine desktop customization application to hide malware inside wallpaper packages, including a DarkKomet backdoor, a modified AggregatorHost.dll that searches for Steam accounts and steals credentials, and other payloads such as the Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and ransomware strains. Kaspersky says dozens of malicious application wallpapers were found, each already downloaded thousands or even tens of thousands of times, and notes that Steam removed the identified uploads while new malicious wallpapers are likely to appear.
- Steam Workshop abused to spread malware via Wallpaper Engine app — www.bleepingcomputer.com — 16.06.2026 21:27