Hackers Abuse Steam Workshop Application Wallpapers to Hijack Active Steam Sessions
By Guru Baran
June 17, 2026
Threat actors have been abusing Valve’s Steam Workshop since late 2025, embedding malware inside Wallpaper Engine application wallpapers to hijack active Steam sessions and infect victims with backdoors, infostealers, and crypto miners, with 89% of targets located in China, according to a new Kaspersky report.
Wallpaper Engine is a hugely popular Steam application that lets users set animated, interactive wallpapers on their Windows desktops. With nearly one million reviews and approximately 100,000 daily active users, it presents an enormous attack surface.
The app supports several wallpaper types (videos, scenes, web pages, and application wallpapers), and the last category is the one attackers targeted. Application wallpapers are essentially standalone executables that run as the user’s desktop background, so launching one is no different from running an arbitrary program on your system.
Since anyone can publish content to Steam Workshop for free, attackers simply uploaded weaponized wallpapers disguised as games, widgets, and desktop tools. Kaspersky researchers discovered dozens of such malicious wallpapers, each already downloaded thousands, or even tens of thousands, of times before detection.
Hackers Abuse Steam Workshop
Attackers used two primary distribution methods. In the first, the wallpaper archive bundled malicious executables, DLLs, or scripts alongside the visible application.
In the second, malware was concealed inside a password-protected archive; either the victim was tricked into entering the password manually, or a script extracted it automatically from the archive’s filename or a bundled JSON configuration file.
Once a victim launches the infected wallpaper, the attack executes silently and immediately. The wallpaper drops Synaptics.exe, a backdoor belonging to the DarkKomet remote access trojan family, into C:\ProgramData\Synaptics\.
Attack Flow (Source: Kaspersky)
Simultaneously, a secondary executable named ._cache_GAME1.exe launches the visible game (NTRaholic), which maintains the illusion of a legitimate wallpaper while a patched version of AggregatorHost.dll carrying the malicious payload is installed.
This tampered system library then hunts for the Steam client on the host machine and hijacks the user’s active session. Stolen session data is subsequently exfiltrated to an attacker-controlled command-and-control server at hxxp://120.48.156[.]17/ey.php.
With a live session captured, the attackers gain full account access and can upload additional malicious wallpapers directly to Steam Workshop, perpetuating the infection cycle.
Beyond DarkKomet, Kaspersky’s investigation identified a wide range of payloads including Lumma and Vidar infostealers, the RenEngine loader, ransomware droppers, and botnet loaders.
The diversity of tools suggests multiple independent threat groups are leveraging the same technique rather than a single coordinated actor. Key Kaspersky detection verdicts include:
HEUR:Trojan-PSW.Win32.gen
HEUR:Backdoor.Win32.DarkKomet
Trojan-Dropper.Python.Agent
HEUR:Trojan-Ransom.Win32.Gen.gen
PDM:Trojan.Win32.Generic
China accounts for 89% of malicious download attempts, with wallpaper art styles and titles explicitly tailored to Chinese-speaking users. Russia follows at 5.5%, with Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%) rounding out the victim pool. Researchers warn the campaign’s template could easily be redirected at any global audience.
Mitigation
Valve has removed all identified malicious wallpapers following Kaspersky’s disclosure, but researchers stress that new uploads continue to appear. Users should:
Avoid application-type wallpapers from unknown or unverified creators on Steam Workshop
Scan all downloaded Workshop content with an up-to-date antivirus before applying
Enable Steam Guard and two-factor authentication to limit session hijack impact
Monitor system processes for unexpected executables like Synaptics.exe or unsigned DLLs loading from ProgramData
Since Steam Workshop lacks per-upload code review, the platform’s trust model remains exploitable, and the burden of verification falls squarely on the end user.
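As an added example (not from the article or Kaspersky’s report), the following PowerShell triage check implements the last mitigation above on a single host: it looks for the drop path and process name, for unsigned or tampered DLLs loaded from ProgramData (or any loaded AggregatorHost.dll with a bad signature), and for a live connection to the C2 address. It assumes an elevated PowerShell 5.1 or later session on Windows; the path, process name and IP are the values given in the text, with the defanged IP written in plain form so it can be matched.

```powershell
# Added host triage check (not the article's or Kaspersky's code).
# Assumes an elevated PowerShell 5.1+ session on Windows.
$dropDir   = 'C:\ProgramData\Synaptics'   # drop location named in the report
$c2Address = '120.48.156.17'              # C2 host named in the report (defanged in the text)
$findings  = [System.Collections.Generic.List[string]]::new()

# 1. Dropped DarkKomet backdoor present on disk or running
if (Test-Path (Join-Path $dropDir 'Synaptics.exe')) {
    $findings.Add("File present: $dropDir\Synaptics.exe")
}
foreach ($p in Get-Process -Name 'Synaptics' -ErrorAction SilentlyContinue) {
    $findings.Add("Process running: PID $($p.Id) $($p.Path)")
}

# 2. Processes loading DLLs from ProgramData that are unsigned or fail signature
#    validation, plus any loaded AggregatorHost.dll whose signature is not valid
#    (a patched copy of a signed system library fails with HashMismatch).
#    Module lists of protected processes cannot be read; those are skipped.
$programData = [Environment]::GetFolderPath('CommonApplicationData')
foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        $inProgramData = $m.FileName -like "$programData\*.dll"
        $isAggregator  = $m.ModuleName -ieq 'AggregatorHost.dll'
        if (-not ($inProgramData -or $isAggregator)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Suspicious DLL $($m.FileName) loaded by $($p.ProcessName) (PID $($p.Id)), signature status: $($sig.Status)")
        }
    }
}

# 3. Live TCP connection to the C2 address (no error if none exists)
foreach ($c in Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue) {
    $findings.Add("Connection to C2: $($c.LocalAddress):$($c.LocalPort) -> ${c2Address}:$($c.RemotePort), state $($c.State), owning PID $($c.OwningProcess)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the Wallpaper Engine campaign found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A hit on the signature check alone is not proof of compromise (some legitimate software ships unsigned DLLs under ProgramData), so treat it as a lead to verify against the path and C2 indicators rather than a verdict.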
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.