WTF?! According to Kaspersky, cybercriminals have been targeting Steam users with a sustained malware campaign since 2025, distributing malicious software disguised as desktop wallpapers. The attack hijacked the accounts of gamers using Steam’s live wallpaper application Wallpaper Engine, which ranks among the platform’s most popular non-game downloads.
The attack reportedly abused Wallpaper Engine’s “Application Wallpaper” executable, which runs as a standalone Windows program and can include community-developed games, planners, calendars, system monitors, and other widgets. However, because the app allows unverified third-party code to run on users’ systems, it can be abused by threat actors to target unsuspecting users.

The researchers found that the attackers used two primary methods to distribute malware. The first involved archives containing the executable wallpaper alongside a malicious payload, typically including compromised .exe files, DLLs, or scripts. The malware was also frequently concealed within password-protected archives and executed automatically when the wallpaper was applied.
Once applied, the infected executables stole users’ account credentials, hijacked live sessions, and transmitted the stolen data to servers controlled by the attackers. The researchers discovered dozens of malicious application wallpapers on Steam Workshop, some of which were downloaded tens of thousands of times.

To test the attackers’ modus operandi, the researchers launched a wallpaper containing a malicious game called NTRaholic, which ran “flawlessly.” The gameplay and controls worked as advertised, raising no suspicion at first glance. However, unbeknownst to the user, the wallpaper dropped a backdoor called Synaptics.exe, part of the notorious DarkKomet malware family.
The executable that launched the game was named ._cache_GAME1.exe, but it also installed a system library called AggregatorHost.dll, which contained a malicious payload designed to steal user data and transmit it to the attackers’ command-and-control server. Once the attackers gained control of the active session, they used the compromised account to upload additional malicious wallpapers to Steam Workshop.

The campaign primarily targeted gamers in China, who accounted for 89% of the compromised downloads. Users in Germany, Canada, Russia, Singapore, Hong Kong, Vietnam, and India were also affected, though in much smaller numbers. Steam has since removed all of the malicious wallpapers, but Kaspersky is still urging users to run antivirus scans before applying wallpapers that include built-in executables.
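To complement the antivirus scan recommended above, the following Python script inventories a downloaded wallpaper folder before it is applied, flagging Windows executables by their MZ header regardless of file extension, zip archives whose members carry the encryption flag, and the file names reported in this article. It is an added example, not code from Kaspersky or TechSpot. The folder to check is passed by the user as an argument, and the sample folder built when no argument is given consists of constructed placeholder files.

```python
import io, sys, tempfile, zipfile
from pathlib import Path

REPORTED_NAMES = {"synaptics.exe", "aggregatorhost.dll"}  # names from the article's test case
REPORTED_PREFIX = "._cache_"

def is_pe(path):
    """Windows .exe/.dll files start with the bytes 'MZ', whatever the extension says."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def is_encrypted_zip(path):
    """True if any zip member has general-purpose flag bit 0 (encrypted) set."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(info.flag_bits & 0x1 for info in z.infolist())

def triage(root):
    """Return sorted (relative path, reason) pairs worth reviewing before applying."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, low = path.relative_to(root).as_posix(), path.name.lower()
        if low in REPORTED_NAMES or low.startswith(REPORTED_PREFIX):
            findings.append((rel, "file name reported in the article"))
        if is_pe(path):
            findings.append((rel, "Windows executable (MZ header)"))
        elif is_encrypted_zip(path):
            findings.append((rel, "password-protected zip"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample folder: harmless placeholder bytes, no real malware."""
    for name, data in [("scene.json", b"{}"), ("._cache_GAME1.exe", b"MZ placeholder"),
                       ("preview.jpg", b"MZ placeholder posing as an image")]:
        Path(root, name).write_bytes(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x1  # encrypted bit in the central directory
    Path(root, "extra.zip").write_bytes(raw)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)
        for rel, reason in triage(target):
            print(f"{rel}: {reason}")
```

Only zip archives are checked for encryption; other archive formats are not inspected.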
Source: www.techspot.com

