
Hackers Abuse Steam Workshop Application Wallpapers to Hijack Active Steam Sessions

Source: Cybersecurity News. Archived Jun 17, 2026.


By Guru Baran, June 17, 2026

Threat actors have been abusing Valve’s Steam Workshop since late 2025, embedding malware inside Wallpaper Engine application wallpapers to hijack active Steam sessions and infect victims with backdoors, infostealers, and crypto miners, with 89% of targets located in China, according to a new Kaspersky report.

Wallpaper Engine is a hugely popular Steam application that lets users set animated, interactive wallpapers on their Windows desktops. With nearly one million reviews and approximately 100,000 daily active users, it presents an enormous attack surface. The app supports several wallpaper types: videos, scenes, web pages, and application wallpapers. That last category is what attackers zeroed in on.

Application wallpapers are essentially standalone executables that run as the user’s desktop background, meaning launching one is no different from running an arbitrary program on your system. Since anyone can publish content to Steam Workshop for free, attackers simply uploaded weaponized wallpapers disguised as games, widgets, and desktop tools. Kaspersky researchers discovered dozens of such malicious wallpapers, each already downloaded thousands, or even tens of thousands, of times before detection.

Hackers Abuse Steam Workshop

Attackers used two primary distribution methods. In the first, the wallpaper archive bundled malicious executables, DLLs, or scripts alongside the visible application. In the second, malware was concealed inside a password-protected archive; either the victim was tricked into entering the password manually, or a script extracted it automatically from the archive’s filename or a bundled JSON configuration file.

Once a victim launches the infected wallpaper, the attack executes silently and immediately. The wallpaper drops Synaptics.exe, a backdoor belonging to the DarkKomet remote access trojan family, into C:\ProgramData\Synaptics\.

Figure: Attack Flow (Source: Kaspersky)

Simultaneously, a secondary executable named ._cache_GAME1.exe launches to load the visible game (NTRaholic), maintaining the illusion of a legitimate wallpaper while installing a patched version of AggregatorHost.dll loaded with a malicious payload. This tampered system library then hunts for the Steam client on the host machine and hijacks the user’s active session. Stolen session data is subsequently exfiltrated to an attacker-controlled command-and-control server at hxxp://120.48.156[.]17/ey.php.

With a live session captured, the attackers gain full account access and can upload additional malicious wallpapers directly to Steam Workshop, perpetuating the infection cycle.

Beyond DarkKomet, Kaspersky’s investigation identified a wide range of payloads including Lumma and Vidar infostealers, the RenEngine loader, ransomware droppers, and botnet loaders. The diversity of tools suggests multiple independent threat groups are leveraging the same technique rather than a single coordinated actor.

Key Kaspersky detection verdicts include:

- HEUR:Trojan-PSW.Win32.gen
- HEUR:Backdoor.Win32.DarkKomet
- Trojan-Dropper.Python.Agent
- HEUR:Trojan-Ransom.Win32.Gen.gen
- PDM:Trojan.Win32.Generic

China accounts for 89% of malicious download attempts, with wallpaper art styles and titles explicitly tailored to Chinese-speaking users. Russia follows at 5.5%, with Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%) rounding out the victim pool. Researchers warn the campaign’s template could easily be redirected at any global audience.

Mitigation

Valve has removed all identified malicious wallpapers following Kaspersky’s disclosure, but researchers stress that new uploads continue to appear. Users should:

- Avoid application-type wallpapers from unknown or unverified creators on Steam Workshop
- Scan all downloaded Workshop content with an up-to-date antivirus before applying
- Enable Steam Guard and two-factor authentication to limit session hijack impact
- Monitor system processes for unexpected executables like Synaptics.exe or unsigned DLLs loading from ProgramData

Since Steam Workshop lacks per-upload code review, the platform’s trust model remains exploitable, and the burden of verification falls squarely on the end user.
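The process and DLL monitoring advice above, as an added example (not from the article or Kaspersky's report): a Python triage over simplified Sysmon-style events that uses only the indicators the article names. The event dicts are constructed samples, and treating any `._cache_` filename prefix as suspicious is an assumption generalised from ._cache_GAME1.exe.

```python
import ntpath

# Indicators as reported in the article; the C2 address is kept defanged at rest.
C2_IP = "120.48.156[.]17".replace("[.]", ".")
BACKDOOR = r"c:\programdata\synaptics\synaptics.exe"
PROGRAMDATA = "c:\\programdata\\"

def norm(path):
    """Lower-case and normalise a Windows path so '/', '.' and case tricks still match."""
    return ntpath.normpath(path or "").lower()

def triage(event):
    """Return the reasons one event matches the behaviour described in the article."""
    reasons = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = norm(event.get("Image"))
        if image == BACKDOOR:
            reasons.append("Synaptics.exe running from ProgramData\\Synaptics")
        # Assumption: other samples reuse the '._cache_' prefix seen in ._cache_GAME1.exe.
        if ntpath.basename(image).startswith("._cache_"):
            reasons.append("'._cache_' launcher executable")
    elif eid == 7:  # image (DLL) load
        loaded = norm(event.get("ImageLoaded"))
        unsigned = str(event.get("Signed", "false")).lower() != "true"
        if loaded.startswith(PROGRAMDATA) and loaded.endswith(".dll") and unsigned:
            reasons.append("unsigned DLL loaded from ProgramData")
    elif eid == 3:  # network connection
        if event.get("DestinationIp") == C2_IP:
            reasons.append("connection to reported C2 address")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

# Constructed sample events (not taken from a real host).
SAMPLE = [
    {"EventID": 1, "Image": r"C:\PROGRAMDATA\Synaptics\.\Synaptics.exe"},
    {"EventID": 1, "Image": r"D:\wallpapers\item\._cache_GAME1.exe"},
    {"EventID": 7, "ImageLoaded": r"C:\ProgramData\Example\helper.dll", "Signed": "false"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "DestinationIp": C2_IP},
    {"EventID": 1, "Image": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, "; ".join(reasons))
```

The path rule is exact on purpose: the last sample event, a vendor touchpad binary under Program Files, does not match, while the first still matches despite the altered case and the `\.\` segment.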