Cybersecurity specialists have uncovered a new large-scale scheme for distributing malware through Steam. Researchers at Kaspersky reported that attackers used Steam Workshop to distribute infected wallpapers for the popular Wallpaper Engine application. At first glance, these files appeared to be ordinary animated desktop wallpapers, but once installed they could silently infect a user’s computer.
Wallpapers featuring anime characters, especially anime girls, became particularly popular among the attackers. Such content traditionally attracts a large number of downloads on Steam Workshop. According to the researchers, some of the infected wallpapers accumulated thousands, and in some cases even tens of thousands, of downloads before they were discovered.
The main issue lies in the way Wallpaper Engine works. Unlike ordinary static images, the application allows fully executable programs to run directly on a user’s computer. This is exactly what the attackers exploited. Instead of harmless animations, they embedded malicious code inside the wallpapers, which executed almost unnoticed by the computer’s owner.
In many cases, the malware was carefully disguised. Some malicious programs were hidden inside protected archives, while others were launched through ordinary Windows executable files without raising users’ suspicions. On the surface, the wallpapers functioned normally, continuing to display animations while the system was being infected in the background.
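A defender-side check for the mechanism described above, as an added example that is not code from Kaspersky or from this article: it walks a locally downloaded workshop content folder and reports real PE executables (including ones with a misleading extension) and archives, noting password-protected ZIPs. The folder path is supplied by the reader and the one-sub-folder-per-item layout is an assumption; a hit marks a file for review and is not a malware verdict.

```python
import os
import struct
import sys
import zipfile

ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def is_pe(head, fh):
    """True if an MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(head) < 64 or head[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
    fh.seek(pe_offset)
    return fh.read(4) == b"PE\x00\x00"

def inspect_file(path):
    """Return a finding for executables and archives, None for anything else."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if is_pe(head, fh):
                ext = os.path.splitext(path)[1].lower()
                return "pe-executable" if ext in (".exe", ".dll") else "pe-misleading-extension"
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                locked = any(i.flag_bits & 0x1 for i in zf.infolist())
            return "zip-password-protected" if locked else "zip-archive"
    except (OSError, zipfile.BadZipFile):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():  # RAR and 7z: identified by magic only
        if head.startswith(magic):
            return kind + "-archive"
    return None

def scan_workshop(root):
    """Map each top-level item folder (assumed layout) to [(relative path, finding)]."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                report.setdefault(rel.split(os.sep)[0], []).append((rel, finding))
    return report

if __name__ == "__main__":
    for item, hits in sorted(scan_workshop(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for rel, finding in hits:
            print(f"{item}\t{finding}\t{rel}")
```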
The analysis showed that the attackers distributed several well-known malware families simultaneously. These included Lumma and Vidar – two of the most popular information stealers in recent years – as well as the RenEngine loader.
Lumma and Vidar are well known to cybersecurity professionals. Their primary purpose is to steal confidential information from infected computers. Once inside a system, they can harvest usernames and passwords, cookies, bank card data, browser information, password manager contents, gaming service accounts, and cryptocurrency wallet data.
Owners of digital assets are of particular interest to cybercriminals. Modern infostealers can automatically search computers for popular cryptocurrency wallets, including browser extensions and desktop applications. If a user stores seed phrases, private keys, or wallet backups as text files, documents, or screenshots, the malware can also locate them and send them to the attackers.
In addition to cryptocurrency, gaming accounts are also at risk. The malware can steal Steam account credentials, allowing criminals to gain access to game libraries, in-game items, or valuable inventories.
According to Kaspersky, the campaign is most likely being carried out by several different threat groups rather than a single organized team. This suggests that the attack method has already become popular among cybercriminals and is likely to become even more widespread.
Experts remind users that Steam Workshop has traditionally been considered a relatively safe platform thanks to its moderation system. However, it is impossible to completely eliminate malicious content. Users should be especially cautious when downloading mods, add-ons, and wallpapers from unknown authors that require launching additional files or programs.
To reduce the risk of infection, specialists recommend downloading wallpapers and modifications only from trusted sources, keeping antivirus software up to date, and regularly updating the operating system. Cryptocurrency holders are advised to use hardware wallets or store digital assets in services protected by mandatory two-factor authentication. Seed phrases and private keys should never be stored on a computer as text files, documents, or screenshots. Instead, they should be kept offline on paper or on specialized metal backup plates.
This incident serves as another reminder that modern cybercriminals increasingly use familiar platforms to distribute malware. Even seemingly harmless animated wallpapers can become tools for stealing accounts, passwords, and cryptocurrency assets. For attackers, this approach is especially effective: the more popular the content and the less suspicious it appears, the greater the chance that users will voluntarily install malicious software on their own computers.
Based on materials from Decrypt.


