Trojanized Wallpapers: How Attackers are Weaponizing Steam Workshop via Wallpaper Engine
A sophisticated cyberattack campaign has been identified leveraging the Steam Workshop’s community-driven sharing model to distribute a diverse array of malware. By embedding backdoors, infostealers, and cryptominers within Wallpaper Engine packages, threat actors have successfully targeted gamers, with a primary focus on users in China and Russia.
The campaign specifically exploits a unique feature of Wallpaper Engine: “application” wallpapers. Unlike standard video or image backgrounds, these are essentially standalone executables designed to run as interactive, animated desktop environments. This functionality allows attackers to execute arbitrary code the moment a user applies a compromised wallpaper, effectively turning a personalization tool into a primary infection vector.
Because Wallpaper Engine enjoys a massive user base and sits behind the high-trust ecosystem of the Steam Workshop, it provides an ideal distribution channel for attackers looking to achieve widespread infection and account takeover with minimal friction.
The Mechanics of the Attack
Wallpaper Engine is a versatile application that supports various background types, including video, scene, web, and application-based content. While the latter offers great customization, it presents a significant security risk because it permits full Windows executables to run under the user’s context.
According to a technical report by Kaspersky, threat actors are packaging trojanized application wallpapers and publishing them to the Workshop. These malicious files often appear legitimate to the casual observer. In many instances, the payloads are hidden within password-protected archives, with the decryption keys embedded directly in filenames or configuration JSON files. This allows an automated installer script to extract the malware silently without triggering user suspicion.
Once the “wallpaper” is active, the user sees a functioning, high-quality animated background or UI. Meanwhile, in the background, the malicious code executes its payload stealthily.
Multi-Stage Malware Deployment
Technical analysis of several samples reveals a consistent, multi-stage execution pattern:
- Initial Execution: The application wallpaper drops a backdoor binary (e.g., Synaptics.exe, which has been linked to the DarkKomet family).
- Secondary Module: The process launches a secondary module, such as ._cache_GAME1.exe.
- Persistence & Payload: This module installs a tampered system library, specifically AggregatorHost.dll, which contains the core credential-harvesting payload.

This modified library is designed to scan for active Steam sessions. Once found, it hijacks the session by harvesting authentication data and session tokens. This allows attackers to bypass multi-factor authentication (MFA) and take full control of the user’s Steam account.
The stolen credentials are exfiltrated to attacker-controlled Command and Control (C2) infrastructure. One documented endpoint used in this investigation is hxxp://120.48.156[.]17/ey.php. Once an account is compromised, the adversary can use that legitimate profile to upload even more malicious content to the Workshop, creating a self-sustaining cycle of infection.
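The chain described above (Wallpaper Engine host → Workshop application executable → Synaptics.exe → ._cache_*.exe → AggregatorHost.dll → C2) can be expressed as a handful of telemetry heuristics. The following triage script is an added example and not code from the report; it assumes the host process names wallpaper64.exe/wallpaper32.exe, the Workshop content path segment workshop\content\431960, and Sysmon-style events already parsed into dicts.

```python
"""Triage Sysmon-style events for the chain: Wallpaper Engine host -> Workshop
application exe -> Synaptics.exe -> ._cache_*.exe -> AggregatorHost.dll -> C2.
Added example, not the report's code. Assumed (not in the report): host process
names wallpaper64.exe/wallpaper32.exe and the path segment workshop\\content\\431960."""
import re
from pathlib import PureWindowsPath

WE_HOSTS = {"wallpaper64.exe", "wallpaper32.exe"}   # assumed host process names
WORKSHOP_SEG = "\\workshop\\content\\431960\\"      # assumed Workshop content path
STAGE_NAMES = {"synaptics.exe"}                      # backdoor binary named in the report
CACHE_RE = re.compile(r"^\._cache_.*\.exe$", re.I)   # secondary module, e.g. ._cache_GAME1.exe
TAMPERED_DLL = "aggregatorhost.dll"                  # tampered library named in the report
C2_HOSTS = {"120.48.156.17"}                         # C2 from the report, re-fanged

def _name(path):
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (rule, detail) tuples for each event that matches a chain heuristic."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            child, parent = _name(ev["image"]), _name(ev["parent_image"])
            if parent in WE_HOSTS and WORKSHOP_SEG in ev["image"].lower():
                alerts.append(("we_runs_workshop_exe", f"{parent} -> {child}"))
            if child in STAGE_NAMES or CACHE_RE.match(child):
                alerts.append(("known_stager_name", f"{parent} -> {child}"))
        elif ev["type"] == "image_load" and _name(ev["loaded"]) == TAMPERED_DLL:
            # Heuristic: a supposed system library loaded from a user profile is suspect.
            if "\\users\\" in ev["loaded"].lower():
                alerts.append(("tampered_dll_in_profile", ev["loaded"]))
        elif ev["type"] == "network_connect" and ev["dest_ip"] in C2_HOSTS:
            alerts.append(("known_c2_contact", f"{_name(ev['image'])} -> {ev['dest_ip']}"))
    return alerts

# Constructed sample telemetry (not from the report); paths and the item id are made up.
WE = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe"
WS = r"C:\Program Files (x86)\Steam\steamapps\workshop\content\431960\123456789\neon_city.exe"
TMP = r"C:\Users\gamer\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": WE, "image": WS},
    {"type": "process_create", "parent_image": WS, "image": TMP + r"\Synaptics.exe"},
    {"type": "process_create", "parent_image": TMP + r"\Synaptics.exe", "image": TMP + r"\._cache_GAME1.exe"},
    {"type": "image_load", "image": TMP + r"\._cache_GAME1.exe", "loaded": TMP + r"\AggregatorHost.dll"},
    {"type": "network_connect", "image": TMP + r"\._cache_GAME1.exe", "dest_ip": "120.48.156.17"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
]
```

Run `triage(SAMPLE_EVENTS)` to see one alert per stage of the constructed chain and none for the benign explorer.exe → notepad.exe event.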
Threat Landscape and Targeting
The variety of payloads discovered suggests this is not a single-purpose operation but a broad toolkit distributed by multiple actors. Detected malware includes:
- Infostealers: Such as Vidar and Lumma for harvesting sensitive data.
- Backdoors: Specifically the DarkKomet family.
- Other Threats: Python-based trojans, droppers, cryptominers, and even ransomware variants.

Geographic telemetry reveals a heavy concentration of victims in China (89%), followed by Russia (5.5%). Smaller clusters have been noted in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. The use of localized artwork and Chinese-language titles suggests a highly deliberate targeting strategy for the Asian market.

Mitigation and Defense Strategies
While Steam has taken steps to remove identified malicious items, the creative nature of these attacks highlights the difficulty of moderating massive, community-driven platforms. To protect your system, consider the following defensive measures:
- Restrict Wallpaper Types: If possible, avoid using “application” type wallpapers in Wallpaper Engine.
- Permission Management: Limit the permissions granted to third-party applications within your OS.
- Vetting Content: Exercise extreme caution when installing Workshop items from unknown or unverified creators.
- Endpoint Protection: Ensure your antivirus/EDR is active. Security vendors have already flagged these samples with signatures such as HEUR:Trojan-PSW.Win32.gen and HEUR:Backdoor.Win32.DarkKomet.
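The first two measures can be turned into an inventory check: list the installed Workshop items, flag application-type wallpapers, bundled executables and archives, and any config keys that look like the embedded archive passwords the report describes. This scanner is an added example, not code from the report or from Wallpaper Engine; it assumes each item is a folder holding a project.json whose "type" field names the wallpaper kind (e.g., "application"), and the password-key list is a heuristic.

```python
"""Inventory installed Wallpaper Engine Workshop items and flag the risky ones.
Added example, not the report's or Wallpaper Engine's code. Assumed: each item
folder holds a project.json with a "type" field (values such as "application");
SECRET_KEYS is a heuristic for password keys embedded in config JSON."""
import json
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
SECRET_KEYS = {"password", "passwd", "pwd", "archivepassword", "zippassword"}

def _secret_keys(obj):
    """Yield key names that look like embedded archive passwords (heuristic)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in SECRET_KEYS and isinstance(v, str):
                yield k
            yield from _secret_keys(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _secret_keys(v)

def scan_item(item_dir: Path) -> dict:
    """Return a per-item report; 'risk' lists the reasons the item merits review."""
    report = {"item": item_dir.name, "type": None, "risk": []}
    project = item_dir / "project.json"
    meta = {}
    if project.is_file():
        try:
            meta = json.loads(project.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError:
            report["risk"].append("unparseable project.json")
    report["type"] = str(meta.get("type", "")).lower() or None
    if report["type"] == "application":
        report["risk"].append("application-type wallpaper: runs a native executable")
    secrets = sorted(set(_secret_keys(meta)))
    if secrets:
        report["risk"].append(f"password-like keys in project.json: {secrets}")
    for f in sorted(item_dir.rglob("*")):
        ext = f.suffix.lower()
        if ext in EXEC_EXT or ext in ARCHIVE_EXT:
            kind = "executable" if ext in EXEC_EXT else "archive"
            report["risk"].append(f"{kind} bundled: {f.relative_to(item_dir).as_posix()}")
    return report

def scan_workshop(root: Path) -> list:
    """Scan every item folder under the Workshop content root; flagged items first."""
    reports = [scan_item(d) for d in sorted(root.iterdir()) if d.is_dir()]
    return sorted(reports, key=lambda r: -len(r["risk"]))
```

Point `scan_workshop` at the Workshop content folder for Wallpaper Engine under your Steam library; anything with a non-empty risk list deserves a look before it is applied as a desktop background.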
Indicators of Compromise (IoCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental execution. Re-fang only within controlled threat intelligence platforms.