Dozens of malicious wallpapers on Steam Workshop have racked up thousands of downloads. Kaspersky analysis reveals DarkKomet backdoor, real-time Steam credential theft, and multiple payloads.

Since late 2025, malware has spread through the Steam Workshop by exploiting Wallpaper Engine, software with roughly 100,000 daily active users. Kaspersky's analysis, published in June 2026, documents dozens of malicious "application wallpapers": each sample has amassed thousands or tens of thousands of downloads. The mechanism exploits no zero-day vulnerability; instead, it abuses the executable nature of wallpapers to install backdoors, steal Steam credentials in real time, and drop additional payloads.

The stakes are twofold. For gamers, a Steam account is a digital asset with real value: item inventories, wallet balances, purchase histories. For enterprises, the presence of gaming platforms on corporate devices exposes an often-unmonitored attack surface. The "harmless wallpaper" vector lowers victims' guard, exploiting a cognitive asymmetry: human users perceive wallpapers as passive, while automated sandboxes are neutralized by a surprisingly simple evasion technique.

Key Takeaways
  • Dozens of malicious wallpapers discovered on Steam Workshop, each with thousands or tens of thousands of downloads
  • Wallpaper Engine "application wallpapers" are full Windows programs executed as desktop backgrounds
  • Two distribution methods: open archive with malicious executable, or password-protected archive with password hidden in filename or JSON config
  • Documented payloads: DarkKomet backdoor (Synaptics.exe), Steam credential hijacking via AggregatorHost.dll, crypto miner, ransomware

How the Infection Works: From Workshop to Multiple Payloads

Attackers package malware in archives shared on Steam Workshop as wallpapers for Wallpaper Engine. Kaspersky's analysis identifies two distribution methods. The first: an archive containing the wallpaper executable alongside malicious files. The second: a password-protected archive where the password is "hidden in plain sight" — in the archive's filename or in a JSON configuration file.

This evasion technique is designed to bypass automated analysis. Sandboxes and scanning engines that process the file find no executable in the clear; the user, following visual instructions, enters the password and activates the payload. It is a case of "security through obscurity" turned on its head: the obscurity is apparent, visible to anyone who reads, but invisible to code.

Once executed, the malware installs a backdoor identified as Synaptics.exe, belonging to the DarkKomet family. The component replaces a system library named AggregatorHost.dll: the modified version intercepts the user's active Steam session and extracts credentials. Persistence is maintained via a scheduled system job that runs at regular intervals.

The Plaintext Password Paradox: When the Sandbox Loses and the User Wins

The most unusual angle of this campaign is the attackers' calibration of the gap between automated analysis and human behavior. The plaintext password in the filename or JSON config is not a mistake: it is a filter. Sandboxes do not infer passwords from filenames; users do. Attackers bet that the victim, motivated to install a free or flashy background, will perform the completion action the machine will not.

This asymmetry matters for user-generated content platforms. Steam Workshop allows sharing of executable content with limited or delayed moderation; trust is implicit, inherited from the parent platform's reputation. The technique documented by Kaspersky exploits exactly this trust transfer: the user downloads from Steam, so the content is "safe."

Targets and Geographic Spread

The primary targets of the campaign are gamers in China and Russia, according to Kaspersky's analysis. The geographic choice may reflect language preferences in Workshop listings, availability of localized content, or simply the historical distribution of Wallpaper Engine. The brief documents no political or strategic-economic motivations: no infrastructure overlaps link the operators to known APT groups at this time.

The exact number of victims is not quantified beyond aggregate downloads per wallpaper. "Thousands or tens of thousands" per sample does not mean every download resulted in infection: some users may have removed the content before execution, others may have endpoint protections that blocked the payload. The source provides no download-to-infection conversion rates.

"Since late 2025, malware has been spreading rapidly through the Steam Workshop" — Kaspersky Securelist

What to Do Now

For Wallpaper Engine users, three specific actions reduce the exposure documented by Kaspersky. First: verify the source of every application wallpaper before downloading, preferring content from authors with public track records and established reviews. Second: inspect downloaded files — archives with passwords in the filename or JSON configs requiring manual input are risk indicators directly mapped to the identified evasion technique. Third: monitor active processes for instances of Synaptics.exe, the filename associated with the DarkKomet backdoor detected in analyzed samples.

For endpoint administrators, the campaign highlights a visibility gap: automated sandboxes do not extract passwords from archive metadata. Integrating heuristic rules on filenames and JSON config structures, combined with blocking executables generated by Wallpaper Engine in non-standard paths, reduces the attack surface specific to this vector.
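As an added example (not code from the Kaspersky analysis, Valve or the Wallpaper Engine project), the following Python script turns the user-side file inspection and the administrator-side heuristic rules above into an offline triage check that runs before anything in a package is executed. It assumes Workshop packages arrive as ZIP archives carrying a `project.json`, and that this file has a `type` key whose value is `application` for executable wallpapers (an assumption about the format); the sample packages, the password-hint regexes and the key name `archive_password` are constructed for the demonstration. The only identifiers taken from the page are the file names Synaptics.exe and AggregatorHost.dll.

```python
"""Heuristic triage of Wallpaper Engine Workshop packages (added example).

Flags the risk indicators described in the text: a password hint in the
archive filename or in a JSON config, executables inside the package,
encrypted entries, and the file names reported for the campaign.
"""
from __future__ import annotations

import io
import json
import re
import zipfile
from dataclasses import dataclass, field

# File names reported for the campaign; extend with your own IoCs.
KNOWN_BAD_NAMES = {"synaptics.exe", "aggregatorhost.dll"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
# A password "hidden in plain sight" in the filename, e.g. "neon_city_password-neon2026.zip".
PASSWORD_IN_NAME = re.compile(r"(?i)(?:pass(?:word)?|pw)[\s_\-=:]*([A-Za-z0-9!@#$%^&*]{3,})")
# JSON keys that read like an unlock hint: "password", "archive_pass", "unlock", ...
PASSWORD_KEY = re.compile(r"(?i)(?:^|[_\-\s])(?:pass(?:word)?|pw|unlock)(?:$|[_\-\s])")


@dataclass
class Finding:
    indicator: str
    detail: str


@dataclass
class Verdict:
    package: str
    findings: list[Finding] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

    def indicators(self) -> set[str]:
        return {f.indicator for f in self.findings}


def _password_keys(obj, path="$"):
    """Yield JSON paths whose key names look like password hints (recursive walk)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if PASSWORD_KEY.search(key) and isinstance(value, (str, int)):
                yield here
            yield from _password_keys(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _password_keys(value, f"{path}[{i}]")


def triage_package(name: str, data: bytes) -> Verdict:
    """Inspect one downloaded package (filename + archive bytes) without running anything in it."""
    verdict = Verdict(name)
    hit = PASSWORD_IN_NAME.search(name)
    if hit:
        verdict.findings.append(Finding("password-in-filename", hit.group(0)))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.findings.append(Finding("not-a-zip", "payload is not a ZIP archive"))
        return verdict
    for info in archive.infolist():
        base = info.filename.rsplit("/", 1)[-1].lower()
        encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0: entry is encrypted
        if encrypted:
            verdict.findings.append(Finding("encrypted-entry", info.filename))
        if base in KNOWN_BAD_NAMES:
            verdict.findings.append(Finding("known-bad-name", info.filename))
        elif base.endswith(EXECUTABLE_SUFFIXES):
            verdict.findings.append(Finding("executable-in-archive", info.filename))
        if base.endswith(".json") and not encrypted:
            try:
                doc = json.loads(archive.read(info))
            except (ValueError, UnicodeDecodeError):
                continue
            # Assumption: project.json carries a "type" key and executable wallpapers use "application".
            if base == "project.json" and isinstance(doc, dict) and doc.get("type") == "application":
                verdict.findings.append(Finding("application-type", info.filename))
            for path in _password_keys(doc):
                verdict.findings.append(Finding("password-in-json", f"{info.filename}:{path}"))
    return verdict


def build_samples() -> dict[str, bytes]:
    """Constructed in-memory packages standing in for Workshop downloads (not real samples)."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as z:
        z.writestr("project.json", json.dumps({"title": "Calm Ocean", "type": "video", "file": "ocean.mp4"}))
        z.writestr("ocean.mp4", b"\x00\x00\x00\x18ftypmp42")
    # Mirrors the documented pattern: password hint in filename and config, an
    # "application" wallpaper, and the two file names reported for the campaign.
    bad = io.BytesIO()
    with zipfile.ZipFile(bad, "w") as z:
        z.writestr("project.json", json.dumps({"title": "Neon City", "type": "application",
                                               "file": "launcher.exe", "archive_password": "neon2026"}))
        z.writestr("launcher.exe", b"MZ\x90\x00")
        z.writestr("bin/Synaptics.exe", b"MZ\x90\x00")
        z.writestr("bin/AggregatorHost.dll", b"MZ\x90\x00")
    return {"calm_ocean.zip": benign.getvalue(),
            "neon_city_password-neon2026.zip": bad.getvalue()}


def triage_all(packages: dict[str, bytes]) -> dict[str, Verdict]:
    return {name: triage_package(name, data) for name, data in packages.items()}


if __name__ == "__main__":
    for verdict in triage_all(build_samples()).values():
        print(f"{verdict.package}: {'SUSPICIOUS' if verdict.suspicious else 'clean'}")
        for f in verdict.findings:
            print(f"  [{f.indicator}] {f.detail}")
```

The script never opens an encrypted entry, so it cannot be tricked into "completing" the installation the way a user can; it only records that an entry is encrypted and that the unlock hint sits in metadata, which is exactly the combination a sandbox misses. In an endpoint pipeline the same function can be pointed at the Workshop download directory, and any `known-bad-name` or `application-type` hit is a reasonable trigger for quarantine or for the process and scheduled-task review described above.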

For Valve and the Wallpaper Engine team, the Kaspersky dossier raises a Workshop governance question: the absence of CVEs or applicable patches makes pre-publication moderation the only effective filter. The ~100,000 daily active users generate a content volume that reactive, post-report reviews leave exposed for measurable intervals of days or weeks — sufficient for thousands of downloads per sample.

The Lesson of the Expanded Attack Surface

The campaign documented by Kaspersky illustrates a broader principle: the convergence of "creative" content and executable code has created a threat category that traditional defenses struggle to classify. The application wallpaper is not an app, not a document, not an email attachment: it is a Windows program that the user installs voluntarily, often without perceiving it as such. The burden of verification cannot fall entirely on the end user, but the trust model of UGC platforms is not built for executable content at this granularity.

The "plaintext but invisible" password technique adds a reflective element: attackers study the limits of automated defenses more than software vulnerabilities. The next frontier is not always a zero-day bug; sometimes it is a finer understanding of where the machine stops reading and the human continues.

Information is based on the cited source and current as of publication.

Sources and references
  1. securelist.com