Kaspersky Lab stated that attackers are using wallpaper content from the Steam Workshop to distribute malware. Because these "app wallpapers" can run executable programs directly on Windows computers, users may download data-stealing programs while installing seemingly normal content.
Dozens of infected wallpaper packs were discovered.
Kaspersky Lab stated that researchers have identified dozens of wallpaper packs containing malicious code. The samples involved two common data-stealing trojans, Lumma and Vidar, as well as the RenEngine loader.
These malicious programs are typically used to steal account credentials, browser data, and encrypted wallet information. Researchers believe this campaign was not the work of a single group, but rather multiple attackers simultaneously using similar methods to deliver malicious content.
The main victims are in China and Russia.
According to Kaspersky, the victims are mainly located in China and Russia, with cases also reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
The company stated that the malicious wallpaper packages deliver their payloads in different ways: some bundle the Trojan directly, while others hide malicious files in encrypted archives and unpack them automatically after installation.
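A defender-side triage sketch for the two delivery styles described above (a bundled executable and an encrypted archive), added here as an example and not taken from Kaspersky's report. It classifies files in a downloaded item folder by content rather than extension; all function names, file names and sample bytes are constructed assumptions.

```python
import io
import os
import tempfile
import zipfile

def triage_file(path):
    """Classify one file by its content, not its extension."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == b"MZ":                       # DOS/PE header magic
        findings.append("pe-executable")
    if head == b"PK\x03\x04" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:        # bit 0: entry is encrypted
                    findings.append("encrypted-archive-entry:" + info.filename)
                elif zf.open(info).read(2) == b"MZ":
                    findings.append("pe-inside-archive:" + info.filename)
    return findings

def triage_tree(root):
    """Walk a downloaded item folder; return {relative_path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = triage_file(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report

def build_constructed_sample(root):
    """Constructed test data: harmless bytes shaped like the cases above."""
    with open(os.path.join(root, "preview.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)      # genuine JPEG magic
    with open(os.path.join(root, "scene.jpg"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)                    # PE magic, image name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets.bin", b"placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1               # mark entry encrypted
    with open(os.path.join(root, "extra.pkg"), "wb") as fh:
        fh.write(raw)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return triage_tree(root)
```

A two-byte `MZ` match is a triage signal, not a verdict: anything it flags in a wallpaper folder should go to a proper scanner before the item is run.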
Using legitimate platforms to improve distribution efficiency
Kaspersky mentioned a similar case in 2025: a wallpaper that appeared to launch an ordinary desktop game while secretly installing the DarkKomet backdoor in the background.
Researchers say these attacks rely on users' trust in legitimate platform ecosystems. Attackers don't need to set up independent download sites of their own; they can reach a large number of potential victims simply by packaging malicious content as ordinary Workshop items.
In July of this year, cybersecurity company Prodaft also disclosed that the Steam Early Access game Chemia was compromised and used to spread Hijack Loader, Fickle Stealer, and Vidar Stealer, targeting encrypted wallets and user data. Earlier, in March, the FBI announced an investigation into multiple malware programs spread through Steam games, including Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova.