Threat actors are actively abusing Steam Workshop, Valve's community-driven platform for sharing game mods and content, to deliver malware hidden inside wallpaper packages for the Wallpaper Engine application. Wallpaper Engine is a popular tool that allows users to display animated and interactive wallpapers, with its Workshop integration enabling seamless content sharing.
Attackers are uploading seemingly harmless wallpaper files that, upon download and execution, install malicious payloads on victims' systems. While the exact number of affected users remains unclear, the widespread popularity of Wallpaper Engine — with millions of active installations — suggests the potential for significant impact. The malware variants observed include info-stealers, remote access trojans (RATs), and cryptocurrency miners.
The attack vector relies on users downloading wallpapers from Steam Workshop, where the malicious content is disguised as legitimate animated backgrounds. Once activated, the malware can steal credentials, capture screenshots, or hijack system resources for cryptomining. Indicators of compromise include unexpected network traffic, abnormal CPU usage, and unauthorized file modifications.
Valve has not yet issued an official statement regarding the abuse of Steam Workshop for this campaign. Security researchers recommend that users only download wallpaper packages from trusted creators with verified reputations, and to scan downloaded files with antivirus software before execution. Steam's moderation systems have historically struggled to keep pace with rapidly uploaded malicious content, making user vigilance critical.
The BleepingComputer report, published two hours ago, provides the only known documentation of this campaign. No other sources have independently verified the details, so readers should treat the scope and attribution with caution. The threat landscape continues to exploit entertainment platforms as vectors, underscoring the need for platform-level content scanning improvements.