Gamers beware: malicious wallpapers on Steam found stealing accounts
Since late 2025, malicious wallpapers distributed via Wallpaper Engine on Steam Workshop have been used to deliver various malware types, including infostealers, backdoors, crypto miners, and ransomware. These wallpapers embed malicious code targeting primarily Chinese and Russian gamers. One sample deployed the DarkKomet backdoor to hijack Steam sessions and steal account credentials by modifying system libraries to locate Steam installations and exfiltrate data. Compromised accounts were then used to upload additional malicious wallpapers, indicating a self-propagating infection cycle. Thousands of downloads occurred before removal, with 89% of infections reported in China.
AI Analysis
Technical Summary
Cybercriminals have exploited Wallpaper Engine, a live wallpaper application on Steam, to distribute malware through Steam Workshop since late 2025. Attackers embed malicious code within wallpapers that deliver multiple malware families such as infostealers, backdoors (including DarkKomet), crypto miners, and ransomware. The malware modifies system libraries to identify Steam installations and exfiltrate user credentials and data to attacker-controlled servers. Hijacked Steam accounts are subsequently used to upload further malicious wallpapers, facilitating ongoing distribution. The presence of diverse malware families suggests multiple independent threat actors are leveraging this method. The majority of infections (89%) have occurred in China, with additional infections in Russia and other countries. Thousands of users downloaded infected wallpapers before their removal from the platform.
Potential Impact
The malware compromises user systems by stealing Steam account credentials and other sensitive data, enabling attackers to hijack accounts and propagate further malware via Steam Workshop. Infection can lead to unauthorized access to gaming accounts, potential financial loss, and exposure to additional malware such as ransomware and crypto miners. The modification of system libraries to locate Steam installations facilitates stealthy data exfiltration. The widespread infection, especially in China, indicates significant risk to users of Wallpaper Engine on Steam.
Mitigation Recommendations
No official patch or fix is available as this is a malware distribution campaign exploiting user-generated content. Users should avoid downloading wallpapers from untrusted or unknown sources on Steam Workshop. Steam users should enable multi-factor authentication (MFA) on their accounts to reduce the impact of credential theft. Regularly review and remove suspicious wallpapers and monitor account activity for unauthorized access. Steam and Wallpaper Engine users should keep their software updated and follow vendor guidance. Since this is a distribution method abuse rather than a software vulnerability, remediation depends on user vigilance and platform content moderation. Check Steam and Wallpaper Engine advisories for any updates or mitigation recommendations.
Affected Countries
British Indian Ocean Territory, Canada, China, Germany, Hong Kong, India, Russia, Singapore
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/
- Adversary: null
- Pulse Id: 6a311c5582f3c51d5631d979
- Threat Score: null
Threat ID: 6a3133cd0b89be68889d53c1
Added to database: 6/16/2026, 11:30:21 AM
Last enriched: 6/16/2026, 11:45:38 AM
Last updated: 6/16/2026, 12:40:16 PM