June 22, 2026, 2:44 pm | Read time: 3 minutes
Many users enhance their desktops with animated backgrounds from the Steam Workshop. However, according to security researchers, cybercriminals are currently exploiting this offering for attacks. The focus is on the application Wallpaper Engine. Manipulated wallpaper packages are being used to deliver malware to computers. The goal is, among other things, to access Steam accounts.
Wallpaper Engine Exploited for Malware
The Steam Workshop serves as a platform for user-generated content. Users can download mods, maps, and designs there. Wallpaper Engine is an application for animated backgrounds and surface designs. Most of the offered content is considered unproblematic. However, according to the security firm Kaspersky, attackers are exploiting this trust.
Certain wallpaper packages contain not only graphic elements but can also include executable files. In this way, criminals attempt to introduce malicious code onto Windows systems. The packages initially appear to be ordinary desktop wallpapers.
Malicious Content Activates Only After Installation
According to Kaspersky, dozens of affected wallpaper packages have been discovered. The malware was sometimes found in additional programs, libraries, or scripts. In other cases, attackers hid the malware in password-protected archives. The access data was, for example, embedded in file names. Only after installation was the malware automatically executed in the background.
An example described by Kaspersky dates back to December 2025. There, a wallpaper seemingly launched a small desktop game. Meanwhile, the package stealthily installed a backdoor on the computer. Additionally, components were altered to read Steam login data and take over active sessions. According to researchers, the attacks primarily aim to steal accounts and download additional malware.
Fake Captchas Can Install Malware
Nasty Malware Can Read Screenshots on Smartphones
Anime Content Used as Bait
According to Kaspersky, various malicious programs were used, including well-known info stealers. The security firm believes that more than one group is behind the campaign. Users in China and Russia are particularly affected, but individual cases have also been reported in Germany and other countries.
Also of interest: Steam Machine on the Verge of Launch? Leak Allegedly Shows First Test Devices
The design of the affected content is striking. According to Kaspersky, the dangerous packages advertise with suggestive motifs from the anime sector. In the Steam system, they are marked as “Mature” and thus targeted at adults.
Workshop Content Can Be a Security Risk
According to Kaspersky, the attackers sometimes use social engineering methods. Users are enticed to download the content. At the same time, shame might prevent victims from reporting an incident. The fear of stigmatization could play a role. It has long been an open secret that content from the Workshop can pose a security risk.
According to Kaspersky, the case thus highlights a fundamental risk with Workshop content. It becomes particularly problematic when not only graphics but also applications are downloaded and executed with user-generated packages. In such cases, users unknowingly download and launch malware, even though they expect a different product.