Gamers beware: malicious wallpapers on Steam found stealing accounts

So this vulnerability isn't directly the result of using Steam, or any of the Steam profile customizations, such as avatars and profile page backgrounds. But rather, it is a vulnerability in a third-party application "Wallpaper Engine" which is available on Steam.

I recall when screen savers were a common malware vector on Windows. I suppose everything old is new again.

I love how the post is clearly written by AI. A human might've noticed all the screenshots appear to be of interactive hentai games distributed through Wallpaper Engine. And wouldn't have said:

> On the surface, this wallpaper sample (above) we uncovered in December 2025 looks completely harmless.

In reference to a screenshot of an anime woman with ripped clothes, eyes in fear, being monitored by CCTV camera.

From my knowledge, "adult entertainment" is targeted by malware because it's socially embarrassing to admit that was the attack vector. It's relevant to point that out.

Wallpaper Engine is pretty old now, and I remember using it years ago reading warning about not downloading unknown wallpapers. I believe there's even settings in the configuration not to run arbitrary code. 8 year old post about it, but honestly pretty sure it's been warned since day 1. [1]

[1] https://www.reddit.com/r/wallpaperengine/comments/7xg27d/rem...

> The whole concept of “application wallpapers” essentially allows foreign code to be run directly on your computer. Cybercriminals took note of this feature and started embedding malware right into these types of wallpapers.

> Because Wallpaper Engine relies on Steam Workshop for content sharing, anyone can create a wallpaper and publish it for the community to download and install for free.

RIP

> Because Wallpaper Engine relies on Steam Workshop for content sharing, anyone can create a wallpaper and publish it for the community to download and install for free.

RIP

[1] https://www.reddit.com/r/wallpaperengine/comments/7xg27d/rem...

I love how the post is clearly written by AI. A human might've noticed all the screenshots appear to be of interactive hentai games distributed through Wallpaper Engine. And wouldn't have said:

> On the surface, this wallpaper sample (above) we uncovered in December 2025 looks completely harmless.

In reference to a screenshot of an anime woman with ripped clothes, eyes in fear, being monitored by CCTV camera.

From my knowledge, "adult entertainment" is targeted by malware because it's socially embarrassing to admit that was the attack vector. It's relevant to point that out.

Sexual arousal also tends to inhibit rational thought. I don't mean that in a snarky or sarcastic way, I mean that it is a biological process that has been well-studied and well-established [1]. This has obvious uses for scamming people and doing other things that their executive function might normally catch and prevent.

This is also why sexual imagery should generally be kept out of public spaces, not because of "puritanism" but because it just generally isn't a good idea to go around letting bad actors inhibiting people's executive function willy-nilly. That should generally be denied as a tool to bad actors like scammers.

[1]: For instance https://people.duke.edu/~dandan/webfiles/PapersPI/Sexual%20A... - note while the title mentions "sexual decision making" it also covers some 'bad decisions' that aren't particularly sexual on their own.

Centipedes? In my waifu?!

I recall when screen savers were a common malware vector on Windows. I suppose everything old is new again.

First thing I thought of when I saw the title was "since when does Steam have wallpapers?".

The article is at the least titled misleadingly and an attempt to sell fear.

It's not completely unrelated to Steam though. The malicious code is delivered by Steam Workshops. It might or might not be justified to put 'Steam' on the title, but it's par on HN standards (people always put 'npm' on the titles when there is a supply chain issue.)

I'm still waiting for the new generations to rediscover screen savers.

Centipedes? In my waifu?!

First thing I thought of when I saw the title was "since when does Steam have wallpapers?".

The article is at the least titled misleadingly and an attempt to sell fear.

I'm still waiting for the new generations to rediscover screen savers.

Why do you need an "Engine" for wallpapers in the first place?

The malicious wallpapers, which use "Wallpaper Engine" are also published through Steam Workshop. It's still a Steam problem.

Why would seeing sexual imagery make you less rational? That doesn't make sense.

The study you mention say the people were already in an arousal state (that they had to induce themselves). It's very different from seeing images that you may simply ignore, evaluate differently, etc.

Also, there is the bias that if people are looking for such images (because they really want them), they are probably more willing to drop recommended practices, and hence make irrational moves. So irrationality doesn't come from seeing the images at the first place, but from their willingness to find / see such images.

>This is also why sexual imagery should generally be kept out of public spaces, not because of "puritanism" but because it just generally isn't a good idea to go around letting bad actors inhibiting people's executive function willy-nilly

Okay but presumeably humans adapt to the level of "sexuality" around them to some degree (like they do nearly every other stimulus), because otherwise you could show less prude cultures having lower ability to do "rational thought".

Nudity is normal all over the world and yet people seem to function just fine. What constitutes content that justifies sexual arousal is socially constructed!

Why would seeing sexual imagery make you less rational? That doesn't make sense.

Nudity is normal all over the world and yet people seem to function just fine. What constitutes content that justifies sexual arousal is socially constructed!

I cited my sources. You're welcome to seek out studies on the question of how it varies between societies, they probably exist somewhere. However as part of the "adaptation" you cite is precisely scammers getting better at scamming people, this isn't something we should treat casually.

It's not as if it's news or anything. "Sex sells" isn't a new phrase. But I think most people assume it's just because it's ambiently appealing, the fact that it also objectively lowers rational barriers to buying what is being sold is less well understood and changes the question from just a matter of appeal to one of psychological abusiveness.

That's how I've come to see it; that sexy chick (sexist language chosen advisedly) on the billboard isn't just a company nicely providing me a beautiful thing to look at for no reason at all, it's an attack on my executive function. It's an incredibly hostile thing to do and should be treated as such.

Note the above commenter specifically used the language "sexual imagery" and not "nudity". As you point out, what can be considered "sexual imagery" can vary somewhat based on the cultural norms of the society.

Why do you need an "Engine" for wallpapers in the first place?

So you can have an animated or interactive "wallpaper". The malicious wallpapers in the OP are hentai games.

The 'wallpapers' in question are pirated games made in renpy (python game engine) or rpgmaker (js based), which makes them a really good vector for malware. As another commenter noted this is a bizarrely common way for Chinese people to get porn through the great firewall.

Opensuse (pre 11 iirc) used to have a really cool background where the lighting changed throughout the day, that probably used an engine of some sort.

Because they are not static images. That's the whole gimmick

Because it's one of the only ways to get porn in China

The malicious wallpapers, which use "Wallpaper Engine" are also published through Steam Workshop. It's still a Steam problem.

Irrelevant comment, op said "this vulnerability isn't directly the result of using Steam", not that steam doesn't share responsibility

So you can have an animated or interactive "wallpaper". The malicious wallpapers in the OP are hentai games.

Because they are not static images. That's the whole gimmick

Opensuse (pre 11 iirc) used to have a really cool background where the lighting changed throughout the day, that probably used an engine of some sort.

Because it's one of the only ways to get porn in China

Somewhat? The variance is off the charts. Without even going to the extremes of casual nudism vs burka, there are cultures where wearing hair down is seen as sexual, and there are cultures were twerking is child appropriate.

Why would that be the only way to get porn that they don't crack down on?

Irrelevant comment, op said "this vulnerability isn't directly the result of using Steam", not that steam doesn't share responsibility

It said they are "on Steam" which is true. They are distributed through the Steam Workshop, which Valve runs and attempts to protect from abuse.

While it's not as high-profile as the official profile backgrounds and avatars, it's still in an area that most gamers would think was safe by default, since Valve moderates it.

Why would that be the only way to get porn that they don't crack down on?

It said they are "on Steam" which is true. They are distributed through the Steam Workshop, which Valve runs and attempts to protect from abuse.

While it's not as high-profile as the official profile backgrounds and avatars, it's still in an area that most gamers would think was safe by default, since Valve moderates it.

Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform’s built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts. To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app available on Steam – specifically leveraging its Workshop sharing feature. The malware is hidden inside the wallpaper packages users share with one another. Running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected with backdoors or crypto miners.

What is Wallpaper Engine?

Wallpaper Engine is an app that allows you to put animated wallpapers on your desktop. It’s available for both Windows and Android, though our investigation focused strictly on the Windows version. Thanks to a massive Steam community, the app is quite popular, boasting around 100,000 daily active users and nearly a million reviews. It comes with a built-in editor so users can create their own designs, and it supports a few different wallpaper types:

Videos: MP4, WebM, and other common video formats
Scenes: interactive wallpapers built inside the app’s own editor
Web pages: HTML pages powered by JavaScript and CSS, which can also include audio and video elements
Applications: active windows from third-party Windows-compatible software that Wallpaper Engine sets as the user’s desktop background

That last type, application wallpapers, is where things get risky, because these are essentially standalone programs. They can be anything from mini-games you play right on your desktop, to planners, calendars, system monitors, or widgets tracking your CPU or GPU usage.

Application wallpapers: a built-in security risk

The whole concept of “application wallpapers” essentially allows foreign code to be run directly on your computer. Cybercriminals took note of this feature and started embedding malware right into these types of wallpapers. Because Wallpaper Engine relies on Steam Workshop for content sharing, anyone can create a wallpaper and publish it for the community to download and install for free. Naturally, this setup is a magnet for bad actors.

We discovered dozens of these malicious application wallpapers floating around Steam Workshop, and each one had already been downloaded thousands – or even tens of thousands – of times.

Here's what these infected wallpapers look like on Steam Workshop

When we analyzed them, we caught two different methods the attackers were using to spread their malware:

An archive containing the executable wallpaper alongside the malicious files. This payload usually consisted of compromised EXE files, DLLs, or malicious scripts.
In other cases, attackers threw a curveball by hiding the malware inside a password-protected archive. Either the victim was tricked into typing the password, or a script handled it automatically. The attackers would hide the password in plain sight – either right in the archive’s name or inside a JSON configuration installed along with other wallpaper files. For all the other variations, the payload triggered automatically when the user selected and applied the wallpaper.

Inside an infected game wallpaper

Main screen of the wallpaper application

On the surface, this wallpaper sample (above) we uncovered in December 2025 looks completely harmless. Once launched, there’s absolutely nothing to trigger your suspicion. The built-in game boots up flawlessly, runs smoothly, and the desktop controls work exactly as they should. But behind the scenes, a full-blown infection is underway. Within just a few minutes, a user might suddenly realize their Steam account has been hijacked, or find their computer crippled by malware, with their files being encrypted by ransomware or their system performance tanking because of a hidden crypto miner.

How the malware deploys

Once the game wallpaper launches, it drops a backdoor file called Synaptics.exe (part of the DarkKomet malware family) straight into the victim’s system. At the same time, an executable named ._cache_GAME1.exe fires up to boot the actual game, NTRaholic.

But that ._cache_GAME1.exe module is doing double duty. It simultaneously installs a custom version of a system library called AggregatorHost.dll with a payload inside. This modified library has one main objective: track down the Steam app on the computer and hunt for account credentials.

Looking for the Steam app

Next, the modified library hijacks the user’s live Steam session.

Hijacking the Steam session

After that, the compromised AggregatorHost.dll sends all the collected data to a server controlled by the hackers at hxxp://120.48.156[.]17/ey.php. Once the attackers have control of that active session, they can use the victim’s account to upload even more malicious wallpapers to Steam Workshop.

Attribution and victims

The game wallpaper described above is just one flavor of the many variations we uncovered during our research. By weaponizing the application wallpaper feature, bad actors have successfully distributed almost every type of malware under the sun – from popular infostealers and backdoors to crypto miners and botnet loaders.

Because the range of tools being used is so diverse, we suspect this isn’t the work of a single mastermind. Instead, it looks like multiple scattered, independent hacking groups are all jumping on the same trend. Right now, the primary targets are gamers in China. The wallpaper art styles and titles are tailored specifically to them, and the data backs it up: our security systems caught a staggering 89% of the malicious download attempts happening right there. That said, there’s absolutely nothing stopping these attackers from pivoting and launching a similar campaign in any other part of the world. Russia comes in second place for total downloads at 5.5%, followed by a smattering of other countries and territories: Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%).

Malicious app wallpaper downloads by region

How to stay safe

Our investigation proves that even trusted platforms like the Steam Workshop aren’t completely safe from malware. In most cases, we caught old, familiar threats such as DarkKomet, the Lumma and Vidar infostealers, and the RenEngine loader. Kaspersky solutions can easily spot and block all of these payloads, no matter how clever the packaging is, thanks to our proactive security layers. Here are some of the specific threat detection verdicts assigned to the objects we discovered during our research:

HEUR:Trojan-PSW.Win32.gen
HEUR:Trojan-PSW.Win32.Python.gen
HEUR:Backdoor.Win32.DarkKomet
Trojan-Dropper.Python.Agent
HEUR:Trojan-Ransom.Win32.Gen.gen
PDM:Trojan.Win32.Generic.

By the time this post went live, the Steam team had already scrubbed the identified malicious wallpapers and links from the platform. However, given how frequently new infected wallpapers keep popping up on the Steam Workshop, you shouldn’t rely on Steam to catch everything. It’s highly recommended to run an antivirus scan on these types of wallpapers before you actually apply them.

Indicators of compromise

MD5

C2 servers

Malicious wallpapers

Hacker Times