Hackers Abuse Steam Wallpaper Engine to Spread Crypto-Stealing Malware

Cybersecurity researchers at Kaspersky have discovered a campaign where hackers are using Steam's Wallpaper Engine to spread crypto-stealing malware. The attackers created malicious uploads inside Steam Workshop packages, disguising them as ordinary live wallpapers featuring anime-style female characters.

The wallpaper content included executable programs, scripts, and supporting libraries that could launch outside the visible wallpaper experience once users downloaded and opened the package. Researchers found dozens of malicious uploads, with some attracting thousands or tens of thousands of installations before discovery.

The campaign primarily targeted users in China and Russia, although researchers also identified activity in countries including Germany, Canada, Singapore, and Hong Kong. The malicious uploads relied on familiar visual themes rather than obvious cryptocurrency promotions to appear similar to ordinary community-created wallpapers.

Kaspersky said the packages could steal Steam login details and hijack active account sessions. Some also installed infostealers, including Lumma and Vidar, which collect information stored across a computer, including browser passwords, cookies, autofill records, and saved login credentials.