Researchers at Kaspersky have identified that threat actors are exploiting the Wallpaper Engine application on Steam by uploading malicious wallpaper packages to the Steam Workshop. Wallpaper Engine supports application wallpapers that are executable Windows applications set as desktop backgrounds. Attackers embed malware payloads directly or within password-protected archives that execute automatically upon wallpaper installation. Malware families observed include DarkKomet backdoors, Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and ransomware. The malicious wallpapers have been downloaded thousands of times before detection. Valve has removed known malicious wallpapers but the risk persists due to the platform's design and ongoing submissions.

Successful installation of malicious wallpapers can lead to system compromise through backdoors, theft of Steam account credentials, unauthorized cryptocurrency mining, botnet participation, and ransomware infection. This impacts user privacy, system integrity, and potentially financial assets linked to Steam accounts or cryptocurrency wallets. The threat exploits a legitimate feature of Wallpaper Engine, increasing the risk of user deception and widespread infection.

Valve has removed the known malicious wallpapers identified by researchers. Users should only download wallpapers from trusted sources on Steam Workshop and scan all downloaded content with up-to-date antivirus software before installation. There is no official patch for Wallpaper Engine's application wallpaper feature; users should exercise caution and consider disabling or avoiding application-type wallpapers. Monitor vendor advisories for updates on remediation or additional protective measures.