Your anime girl wallpapers from Wallpaper Engine might be filled with malware

If you’ve been using the popular Wallpaper Engine app via Steam and Steam Workshop to customise your gaming PC’s look, do be warned. Cybersecurity firm Kaspersky has uncovered a malware distribution campaign that abuses Steam Workshop and Wallpaper Engine to infect gamers with information-stealing malware and backdoors.

According to Kaspersky, attackers have been disguising malware as desktop wallpapers distributed through Steam Workshop, a platform that allows users to download community-created content. The campaign primarily targeted users in China and Russia, although victims were also identified in Singapore, Hong Kong, Germany, Vietnam, India and Canada.

For context, Wallpaper Engine is one of Steam’s most popular apps, allowing users to create and share animated desktop wallpapers using the Steam Workshop. It supports several wallpaper formats, including videos, interactive scenes, web pages and even standalone applications.

The latter capability appears to be what attackers exploited. Since application-based wallpapers can execute programs directly on a Windows PC, threat actors were able to bundle malware with seemingly harmless wallpaper downloads. Kaspersky researchers said they identified dozens of malicious wallpaper packages on Steam Workshop, with some accumulating thousands or even tens of thousands of downloads before being discovered.

Researchers observed two main infection methods. In some cases, malicious executable files, DLLs and scripts were included directly inside wallpaper packages. In other instances, attackers concealed malware within password-protected archives. The passwords were often embedded in archive names or configuration files, allowing the malicious payload to be extracted and executed automatically after installation.

One example highlighted by Kaspersky involved a wallpaper package discovered in December 2025. While it appeared to launch a legitimate desktop game, it simultaneously installed the DarkKomet backdoor in the background. The malware also deployed a modified library designed specifically to target Steam users by harvesting account information and hijacking active Steam sessions.

The primary objective of the hackers seemed to be to gain access into users’ Steam accounts and deploying additional malware onto compromised systems.

Kaspersky believes the campaign was carried out by multiple independent threat actors rather than a single cybercriminal group. The infected wallpapers were found distributing several well-known malware families, such as the aforementioned DarkKomet backdoor, the RenEngine loader as well as the Lumma and Vidar infostealer.

At time of writing, the guys at Valve had already scrubbed the wallpapers that contained malware, but nevertheless if you suspect that you could’ve fallen foul it’s best you do a deep scan of your system first. For more information on the malware and how these bad actors used Wallpaper Engine to spread it, you can click here to see Kaspersky’s full threat report.

Read more of our articles below!