Kaspersky's Global Research and Analysis Team (GReAT) researchers have documented dozens of malware laced animated wallpapers hiding on Steam Workshop, the user made content marketplace for the popular animated desktop app Wallpaper Engine, since late 2025, with most of them…
The animation engine that lets PC gamers turn their desktops into looping scenes, browser panels, and live web pages is, by design, an execution environment. Kaspersky GReAT researchers Maxim Starodubov and Denis Brylev have traced a months-long malware campaign that hid credential stealers, crypto miners, and backdoors inside user-submitted "wallpapers" on Steam Workshop, the user-content marketplace for the popular animated-desktop app Wallpaper Engine. The campaign has been live since late 2025 and is concentrated on gamers in China and Russia, though the published indicators of compromise apply to any Wallpaper Engine user regardless of region.
The technical root cause is Wallpaper Engine's permissive wallpaper format. Two of the three wallpaper types supported by the app, the HTML and JavaScript projects and the "Scene" web-based format, run as full browser-like environments on a user's desktop. That is what makes them expressive. It is also what makes them dangerous: a wallpaper is not a passive image but a packaged mini-application, and Steam Workshop treats the file as content the same way it treats a video wallpaper. The Securelist investigation walks through one infected item, a small game-themed wallpaper, and shows how a few lines of JavaScript and a single WebSocket channel are enough to exfiltrate a Steam session token, drop a hidden miner, or open a backdoor to a command-and-control server.
Starodubov and Brylev attribute the activity to a financially motivated threat actor they track, with telemetry centered on Chinese and Russian Steam communities. The piece is single-vendor in source, which is the standard posture for a Kaspersky GReAT threat-intel report, and the credibility point worth naming is that the report ships with working indicators of compromise: file hashes, command-and-control domains, and behavioral signatures a defender can pivot on. That is the difference between an advisory and a press release.
What the report does not do is put a number on stolen accounts. There are no "thousands" or "millions" figures in the published material, and the only count provided is the dozens of malicious Workshop items themselves. Treat any larger number, including the headline figure of "dozens," as a count of malicious wallpapers, not a count of victims. Scope claims and victim counts should wait for independent reporting, ideally from BleepingComputer, The Register, or a Steam or Wallpaper Engine developer acknowledgement.
The harder accountability question is Steam Workshop's content review. The campaign has been live since late 2025, which means the malware sat on a Valve-operated marketplace for most of the past year without a single Steam moderation pass catching it. The underlying technical vulnerability is inherent to Wallpaper Engine's HTML/JavaScript and Scene wallpaper formats — a property of the application itself, not a flaw in the Steam storefront. The Workshop review pipeline failed to catch the malware, which is a Valve responsibility, but that pipeline was never designed to inspect code-level content inside Workshop items for malicious behavior. The permissive wallpaper format is the root cause; the review failure is a consequence of that design choice.
The user's actual defense surface is small and concrete. Open Wallpaper Engine's Workshop subscriptions and sort by install date, since anything added in the last several months is the highest-value audit target. For each subscribed item, click the uploader's profile: new accounts, low follower counts, and a pattern of one-off uploads with no reviews are the classic signs of throwaway distribution identities. Watch the system itself for unusual background processes, a CPU or GPU that runs hot when the wallpaper should be idle, and a Steam client that suddenly signs out, the behavioral signals the Securelist report calls out. Finally, apply the published indicators of compromise. The hashes and command-and-control domains in the Kaspersky report can be used to scan local Workshop caches and proxy logs.
The single highest-leverage mitigation is also the simplest: disable Steam Workshop auto-install in Wallpaper Engine and switch to a manual review of any new wallpaper before it touches the desktop. The animation is a feature. The discipline of not letting an unvetted mini-application run code on a logged-in account is another.