Kaspersky Says Anime Wallpapers Are Being Used to Spread Malware


A seemingly innocent animated wallpaper on Steam Workshop can quietly run a backdoor while cherry blossoms drift across your desktop. Kaspersky researchers have confirmed an active campaign exploiting Wallpaper Engine’s open Workshop ecosystem to distribute malware disguised as animated desktop backgrounds. Dozens of malicious wallpaper packages, many featuring anime-style artwork, racked up hundreds to tens of hundreds of downloads each before being pulled. The campaign has been active since late 2025, and new infected uploads keep appearing after Valve removes the old ones. Wallpaper Engine itself isn’t compromised. The open Workshop ecosystem is the attack surface.

Why a Wallpaper Can Steal Your Steam Account

Wallpaper Engine’s “application wallpaper” feature lets Workshop items run as full Windows executables, and attackers noticed.

That feature means wallpaper packages can include .exe, .dll and script files that execute the moment you apply them. One sample from December 2025 launched what looked like an innocent desktop mini-game. Behind the pixels, it deployed the DarkKomet backdoor and harvested Steam session data. Other packages have delivered Lumma and Vidar infostealers, the RenEngine loader, crypto-miners, and ransomware.

Kaspersky notes that “the application-based wallpaper function permits executable applications to run directly on a user’s Windows PC, permitting attackers to distribute malicious software under the guise of legitimate content.” Attackers use two main methods: bundling hidden executables inside the wallpaper package, or shipping password-protected archives where the password sits right in the filename, like leaving a house key under the doormat, except the doormat is labeled “KEY HERE.”

This isn’t one coordinated group. Kaspersky confirms multiple independent threat actors exploiting the same vector. About 89% of malicious downloads targeted users in China, with Russia at roughly 5.5%, plus victims across Singapore, Germany, Vietnam, and Canada.

What to Actually Do About It

You can keep your animated wallpapers; just stop treating Workshop downloads like a curated app store.

  • Skip any Workshop item bundling extra .exe, .dll, or script files beyond the wallpaper itself
  • Treat password-protected wallpaper archives as an immediate red flag
  • Stick to established creators with long histories and verified community feedback
  • Run a reputable security suite; Microsoft Defender catches known malicious packages (note: Kaspersky discovered these threats, though some Western regulators have raised separate concerns about the vendor)
  • Enable Steam Guard, use a unique password, and if anything feels off, log out everywhere and run a full scan from a clean device
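
The first two checks in the list can also be run over items that are already downloaded, as in this added Python example (not Kaspersky's or Valve's tooling). It assumes the default Steam layout, where Wallpaper Engine Workshop items sit one folder per item under steamapps/workshop/content/431960; the extension lists and finding labels are illustrative choices.

```python
import sys
import zipfile
from pathlib import Path

# Assumption: these extension lists are a starting point, not exhaustive.
# .js is left out because web wallpapers legitimately ship browser JavaScript.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".msi"}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".wsf", ".hta"}
OPAQUE_ARCHIVE_EXT = {".rar", ".7z"}  # not inspectable with the standard library

def zip_is_encrypted(path):
    """True if any member has the ZIP 'encrypted' general-purpose flag (bit 0)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False

def audit_item(item_dir):
    """Return sorted (finding, relative_path) tuples for one Workshop item folder."""
    findings = []
    for f in Path(item_dir).rglob("*"):
        if not f.is_file():
            continue
        ext, rel = f.suffix.lower(), f.relative_to(item_dir).as_posix()
        if ext in EXECUTABLE_EXT:
            findings.append(("executable", rel))
        elif ext in SCRIPT_EXT:
            findings.append(("script", rel))
        elif ext in OPAQUE_ARCHIVE_EXT:
            findings.append(("archive-not-inspected", rel))
        # Content sniffing, so a ZIP renamed to another extension is still checked.
        elif zipfile.is_zipfile(f) and zip_is_encrypted(f):
            findings.append(("password-protected-archive", rel))
    return sorted(findings)

def audit_workshop(content_dir):
    """Map item-folder name -> findings, keeping only items with findings."""
    items = sorted(p for p in Path(content_dir).iterdir() if p.is_dir())
    report = {p.name: audit_item(p) for p in items}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    # Usage: python audit_workshop.py <path to steamapps/workshop/content/431960>
    for item_id, found in audit_workshop(sys.argv[1]).items():
        for kind, rel in found:
            print(f"{item_id}\t{kind}\t{rel}")
```

A finding is a prompt to review the item and its creator, not a verdict: application wallpapers contain executables by design, so the output narrows down which subscriptions deserve a closer look.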

The old “anime girl downloaded a virus” joke isn’t a joke anymore. Valve has removed the known items, but Kaspersky warns new ones continue to surface. The same logic that applies here extends to Discord bots, game mods, and browser extensions, wherever user-generated content can execute code. An “application wallpaper” is an executable wearing a pretty face. Treat it like one.