Overview
- Kaspersky reported Tuesday that researchers found dozens of malicious Wallpaper Engine ‘application’ packages uploaded to Steam Workshop and in use since late 2025.
- The infected packages ran as standalone Windows programs and delivered a range of payloads, including DarkKomet backdoors, infostealers, miners, loaders, and ransomware.
- Attackers used two main tricks: bundling malicious EXE/DLL/script files inside wallpaper packages and hiding payloads in password‑protected archives with passwords exposed in filenames or config files.
- One tested sample dropped a DarkKomet executable and a tampered AggregatorHost.dll that harvested Steam credentials and sent them to a command‑and‑control server, allowing hijacked sessions to be used to reupload more malware.
- Steam removed the items flagged by Kaspersky, but researchers say new malicious uploads are likely to appear. They advise users to download only from trusted creators, run up‑to‑date antivirus scans on Workshop content, and change compromised account credentials.
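
A triage check for the two tricks described above (bundled EXE/DLL/script files and password-protected archives), as an added example that is not taken from Kaspersky's report. The function names, the script-extension list and the sample files are assumptions constructed for illustration; only ZIP archives are inspected for encryption.

```python
import struct
import tempfile
import zipfile
from pathlib import Path

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}  # assumed triage list

def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) == 64 and head[:2] == b"MZ":
            # e_lfanew at 0x3C points at the "PE\0\0" signature of a real PE file
            f.seek(struct.unpack_from("<I", head, 0x3C)[0])
            if f.read(4) == b"PE\0\0":
                return "pe-binary"  # EXE/DLL regardless of file extension
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            # bit 0 of the general-purpose flags marks an encrypted member
            if any(i.flag_bits & 0x1 for i in z.infolist()):
                return "encrypted-zip"
    if Path(path).suffix.lower() in SCRIPT_EXTS:
        return "script"
    return None

def audit(root):
    """Return {relative_path: label} for every flagged file under one item folder."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    labels = {p.relative_to(root).as_posix(): classify(p) for p in files}
    return {rel: lab for rel, lab in labels.items() if lab}

def build_sample(root):
    """Constructed sample: renamed PE stub, script, encrypted ZIP, image header."""
    pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    Path(root, "preview.dat").write_bytes(pe)
    Path(root, "run.bat").write_text("rem constructed\n")
    Path(root, "scene.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    zp = Path(root, "assets.zip")
    with zipfile.ZipFile(zp, "w") as z:
        z.writestr("a.txt", "x")
    raw = bytearray(zp.read_bytes())
    raw[raw.find(b"PK\x01\x02") + 8] |= 1  # set encryption bit in central directory
    zp.write_bytes(bytes(raw))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, label in sorted(audit(tmp).items()):
            print(label, rel)
```

Because ‘application’ packages are expected to ship a Windows program, a `pe-binary` hit marks a file to hand to an antivirus scan, not a verdict. An `encrypted-zip` hit marks content a scanner cannot inspect without the password.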