Malicious Steam Workshop Wallpapers Hijack Accounts via Wallpaper Engine, Distribute DarkKomet, Lumma, Vidar, and RenEngine
- Steam Workshop: Researchers found dozens of malicious wallpapers on Steam Workshop that exploit Wallpaper Engine.
- Malware Mix: Payloads include DarkKomet, Lumma and Vidar infostealers, and RenEngine.
- Top Targets: Gamers in China have accounted for most detections, with the campaign ongoing since at least August 2025.
Dozens of malicious application wallpapers have been uncovered on Steam Workshop, the gaming platform's built-in service for sharing custom content. The attackers abuse Wallpaper Engine, a popular live wallpaper app, to hijack accounts and infect systems, predominantly those of gamers in China, with the DarkKomet backdoor, the Lumma and Vidar infostealers, and the RenEngine loader.
Wallpaper Engine supports several wallpaper types, including "application wallpapers," which are essentially standalone programs that can run arbitrary code directly on a user's computer. A June 17 update confirmed that the malicious wallpapers were present as early as August 2025.
How the Steam Workshop Attack Works
Kaspersky researchers found that cybercriminals had embedded malware in these wallpapers and published them for free. Each malicious wallpaper had already been downloaded thousands, or even tens of thousands, of times.
In one sample, launching the wallpaper drops a backdoor file called Synaptics.exe, part of the DarkKomet malware family. At the same time, an executable named ._cache_GAME1.exe starts the actual game, NTRaholic, while installing a modified system library, AggregatorHost.dll.
This library looks for the Steam app, hijacks the user's live session, and sends the collected data to an attacker-controlled server. With control of the session, the attackers can upload further malicious wallpapers to Steam Workshop.
Across the samples, Kaspersky identified familiar threats, including the DarkKomet backdoor, the Lumma and Vidar infostealers, and the RenEngine loader.
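As a defender-side illustration of the chain just described (added here; not code from the article or from Kaspersky): a Python script that inventories a Wallpaper Engine workshop folder, flags application-type items and any executable files they ship, and matches the file names reported above. It assumes each workshop item sits in its own directory with a project.json whose "type" field reads "application" for application wallpapers; the demo tree it builds is constructed from empty placeholder files.

```python
import json
import tempfile
from pathlib import Path

# File names reported for the sample in the article; matched case-insensitively.
KNOWN_ARTIFACTS = {"synaptics.exe", "._cache_game1.exe", "aggregatorhost.dll"}
# Suffixes that mean a wallpaper ships runnable code rather than media.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js"}


def wallpaper_type(item_dir: Path) -> str:
    """Return the 'type' field of project.json (assumed 'application' for app wallpapers), else 'unknown'."""
    manifest = item_dir / "project.json"
    if not manifest.is_file():
        return "unknown"
    try:
        data = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return "unknown"
    return str(data.get("type", "unknown")).lower()


def audit_workshop(root: Path) -> list:
    """Report every item that is an application wallpaper, ships executables, or carries a known name."""
    findings = []
    for item_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        executables, known = [], []
        for f in item_dir.rglob("*"):  # pathlib globbing also matches dot-prefixed names
            if not f.is_file():
                continue
            if f.suffix.lower() in EXECUTABLE_SUFFIXES:
                executables.append(f.relative_to(item_dir).as_posix())
            if f.name.lower() in KNOWN_ARTIFACTS:
                known.append(f.name)
        wtype = wallpaper_type(item_dir)
        if wtype == "application" or executables or known:
            findings.append({"item": item_dir.name, "type": wtype,
                             "executables": executables, "known_artifacts": known})
    return findings


def _make_item(root: Path, name: str, wtype: str, files: list) -> None:
    """Create one constructed workshop item; files are empty placeholders, not real payloads."""
    d = root / name
    d.mkdir()
    (d / "project.json").write_text(json.dumps({"type": wtype}))
    for f in files:
        (d / f).write_bytes(b"")


def demo() -> list:
    """Audit a constructed tree: one benign scene wallpaper, one application wallpaper."""
    root = Path(tempfile.mkdtemp())
    _make_item(root, "100000001", "scene", ["scene.pkg"])
    _make_item(root, "100000002", "application", ["Synaptics.exe", "._cache_GAME1.exe", "AggregatorHost.dll"])
    return audit_workshop(root)
```

On a real machine, point audit_workshop at the Wallpaper Engine content folder under the Steam library's steamapps/workshop/content directory (assumed layout) and review each flagged item before it is allowed to run.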
Malware Victims
This diversity of payloads suggests that multiple independent groups are behind the campaign. Gamers in China accounted for 89% of malicious download attempts, with Russia second at 5.5%. By the time the report went live, Steam had removed the identified wallpapers and links.
A Hudson Rock report from early this year said that dozens of global companies were breached via infostealer credentials.
Lumma Stealer was among the top threats in 2025, with Lumma operators disabling the iDRAC tool and regaining access to servers that law enforcement had formatted twice. The same year, AI-generated TikTok videos distributed Vidar and StealC, and trojanized npm packages delivered Vidar.
In February 2025, 20 million leaked OpenAI accounts were put up for sale, possibly linked to the Redline, StealC, Lumma, and Vidar infostealers, and a Trojan-infected Steam game was removed by Valve.