{"rewrite":{"id":"r_82419a7da4c6a278a4641a3a","clusterId":"c_8fba14376c1ac63f0af9a9bc","slug":"malware-found-in-wallpaper-engine-steam-workshop-wallpapers","model":"deepseek-v4-flash","headline":"Malware Found in Wallpaper Engine Steam Workshop Wallpapers","summary":"Cybersecurity firm Kaspersky reported on June 16 that it discovered malware embedded in wallpapers for the popular Steam utility Wallpaper Engine. Dozens of infected wallpaper packages were found on the Steam Workshop, with each recording thousands to tens of thousands of downloads. Attackers exploited the software's 'application-type wallpaper' feature, which can execute Windows programs, to sneak in malicious code. Two main infection methods were identified: directly bundling malicious executable files, DLLs, or scripts into the wallpaper package, and hiding malware inside a password-protected archive with the password embedded in the archive name or configuration file. The malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. One sample from December 2025 appeared to function normally by launching an embedded desktop game while deploying DarkKomet and installing a modified library to collect Steam account information and hijack logged-in sessions. The primary target was China, accounting for 89.4% of downloads, followed by Russia at 5.5%. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. By the time the findings were published, the malicious wallpapers had been removed from the platform, but Kaspersky warned that new ones may appear.","whyItMatters":"The incident shows that even a legitimate, well-reviewed Steam utility with around 100,000 daily active users can become a vector for malware through user-generated content, and that attackers are refining their methods to bypass platform moderation.","webCardHtml":"\u003cp\u003eKaspersky\u0026#39;s Securelist report details the specific mechanics of the attack. One sample from December 2025 functioned as a normal desktop game while deploying the DarkKomet backdoor and installing a modified library to collect Steam account information and hijack logged-in sessions. Attackers could then use the hijacked account to upload more malicious wallpapers to the Steam Workshop.\u003c/p\u003e\n\u003cp\u003eThe malware includes information-stealing tools like Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor. Kaspersky believes multiple independent threat actors are behind the attacks, not a single group. The sample images provided by Kaspersky primarily featured anime-style female characters, with titles and art style tailored specifically for China.\u003c/p\u003e\n\u003cp\u003eKaspersky advised users to \u0026#34;keep in mind that Steam may not detect everything. We strongly recommend running an antivirus scan before actually applying these wallpapers.\u0026#34; The geographic distribution of downloads beyond the primary targets includes Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%).\u003c/p\u003e","blueskyPost":"Kaspersky found dozens of malware-infested wallpapers on Wallpaper Engine's Steam Workshop, each with thousands of downloads. Attackers used the app's 'application-type' feature to run code. China was the primary target at 89% of downloads.","twitterPost":"Wallpaper Engine users: Kaspersky warns that some Steam Workshop wallpapers hide malware like DarkKomet and Lumma. One sample from Dec 2025 looked like a game but stole Steam sessions. The malicious items have been removed, but new ones could appear.","threadsPost":"Wallpaper Engine's Workshop allows wallpapers categorized as 'Applications' to execute code. Kaspersky found dozens of those wallpapers contained information stealers and cryptocurrency miners, with tens of thousands of downloads since late 2025. The platform's trust model is the vulnerability.","newsletterBlurb":"Cybersecurity firm Kaspersky has discovered malware embedded in wallpapers for the Steam utility Wallpaper Engine. Dozens of infected packages were found on the Steam Workshop, each downloaded thousands of times. Attackers exploited the software's ability to run Windows programs, deploying information stealers, ransomware, and cryptocurrency miners. The malicious wallpapers have been removed, but Kaspersky warns that new ones may appear.","attributionJson":"[{\"source\":\"Automaton\",\"url\":\"https://automaton-media.com/articles/newsjp/20260618-450359/\",\"title\":\"Reports of 'Malware-Infested Wallpapers' Spreading for Steam's Popular Wallpaper Software 'Wallpaper Engine': Cyber Attacks on Steam Becoming More Sophisticated\"},{\"source\":\"Game Spark\",\"url\":\"http://www.gamespark.jp/article/2026/06/17/168118.html\",\"title\":\"Report of Malware Infiltration in Long-Standing PC Wallpaper Tool 'Wallpaper Engine' Workshop - Estimated Tens of Thousands of Downloads Already\"},{\"source\":\"GIGAZINE\",\"url\":\"https://gigazine.net/news/20260618-wallpaper-engine-malware/\",\"title\":\"Malware Found in Anime-Style Wallpapers for Popular Steam App 'Wallpaper Engine'\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":9678,"outputTokens":1258,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1781708286,"createdAt":"2026-06-17T14:46:32.000Z","publishedAt":"2026-06-17T14:49:57.000Z","updatedAt":"2026-06-17T14:49:57.000Z"},"cluster":{"id":"c_8fba14376c1ac63f0af9a9bc","canonicalTitle":"老舗PC壁紙ツール『Wallpaper Engine』ワークショップにマルウェア混入の報告―既に数万ダウンロードとの推定","representativeArticleId":"a_77741466d7c497bd08e96c3c","sourceCount":3,"writtenSourceCount":3,"writeAttempts":0,"isSolo":false,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[\"Wallpaper Engine\"],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"written","firstSeenAt":"2026-06-17T14:10:16.000Z","lastSeenAt":"2026-06-18T03:16:40.000Z","updatedAt":"2026-06-18T03:45:28.000Z"},"attribution":[{"source":"Automaton","url":"https://automaton-media.com/articles/newsjp/20260618-450359/","title":"Steamの人気壁紙ソフト『Wallpaper Engine』向けに、“マルウェア入り壁紙”が広まっているとの報告。巧妙化するSteamでのサイバー攻撃"},{"source":"GIGAZINE","url":"https://gigazine.net/news/20260618-wallpaper-engine-malware/","title":"Steamで人気の壁紙アプリ「Wallpaper Engine」用の美少女壁紙にマルウェアが仕込まれていることが判明"},{"source":"Game Spark","url":"http://www.gamespark.jp/article/2026/06/17/168118.html","title":"老舗PC壁紙ツール『Wallpaper Engine』ワークショップにマルウェア混入の報告―既に数万ダウンロードとの推定"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":["Wallpaper Engine"],"studios":[],"people":[],"type":"news","domain":"other","is_roundup":false},"keyFacts":["Attackers exploited Wallpaper Engine's 'application-type wallpaper' feature, which can execute Windows programs, to hide malicious code in wallpaper packages.","The malware includes information-stealing tools Lumma and Vidar, the RenEngine loader, and the DarkKomet backdoor, with China accounting for 89.4% of downloads and Russia for 5.5%.","Kaspersky believes multiple independent threat actors are behind the attacks, and while the malicious wallpapers were removed by the time of publication, new ones may appear."]}
