Hackers Hijack Steam Sessions via Malicious Workshop Wallpapers
A new Kaspersky report details how threat actors have exploited Valve’s Steam Workshop since late 2025. These attackers embed malware within Wallpaper Engine application wallpapers to hijack active Steam sessions. Once a session is compromised, victims face infection from backdoors, infostealers, and crypto miners. Kaspersky’s findings indicate that 89% of the targets are located in China.
Wallpaper Engine is a hugely popular Steam application that lets users set animated, interactive wallpapers on their Windows desktops. With nearly one million reviews and approximately 100,000 daily active users, it presents an enormous attack surface.
The app supports several wallpaper types, videos, scenes, web pages, and application wallpapers, and that last category is what attackers zeroed in on. Application wallpapers are essentially standalone executables that run as the user’s desktop background, meaning launching one is no different from running an arbitrary program on your system.
Since anyone can publish content to Steam Workshop for free, attackers simply uploaded weaponized wallpapers disguised as games, widgets, and desktop tools. Kaspersky researchers discovered dozens of such malicious wallpapers, each already downloaded thousands — or even tens of thousands of times before detection.
Hackers Abuse Steam Workshop
Attackers used two primary distribution methods. In the first, the wallpaper archive bundled malicious executables, DLLs, or scripts alongside the visible application.
In the second, malware was concealed inside a password-protected archive; either the victim was tricked into entering the password manually, or a script extracted it automatically from the archive’s filename or a bundled JSON configuration file.
Once a victim launches the infected wallpaper, the attack executes silently and immediately. The wallpaper drops Synaptics.exe, a backdoor belonging to the DarkKomet remote access trojan family, into C:\ProgramData\Synaptics.

Simultaneously, a secondary executable named ._cache_GAME1.exe launches to load the visible game (NTRaholic) — maintaining the illusion of a legitimate wallpaper while installing a patched version of AggregatorHost.dll loaded with a malicious payload.
This tampered system library then hunts for the Steam client on the host machine and hijacks the user’s active session. Stolen session data is subsequently exfiltrated to an attacker-controlled command-and-control server at hxxp://120.48.156[.]17/ey.php.
With a live session captured, the attackers gain full account access and can upload additional malicious wallpapers directly to Steam Workshop, perpetuating the infection cycle.
Beyond DarkKomet, Kaspersky’s investigation identified a wide range of payloads including Lumma and Vidar infostealers, the RenEngine loader, ransomware droppers, and botnet loaders.
The diversity of tools suggests multiple independent threat groups are leveraging the same technique rather than a single coordinated actor. Key Kaspersky detection verdicts include:
- HEUR:Trojan-PSW.Win32.gen
- HEUR:Backdoor.Win32.DarkKomet
- Trojan-Dropper.Python.Agent
- HEUR:Trojan-Ransom.Win32.Gen.gen
- PDM:Trojan.Win32.Generic
China accounts for 89% of malicious download attempts, with wallpaper art styles and titles explicitly tailored to Chinese-speaking users. Russia follows at 5.5%, with Singapore (1.4%), Hong Kong (0.9%), Germany (0.9%), Vietnam (0.9%), India (0.5%), and Canada (0.5%) rounding out the victim pool. Researchers warn the campaign’s template could easily be redirected at any global audience.
Mitigation
Valve has removed all identified malicious wallpapers following Kaspersky’s disclosure, but researchers stress that new uploads continue to appear. Users should:
- Avoid application-type wallpapers from unknown or unverified creators on Steam Workshop
- Scan all downloaded Workshop content with an up-to-date antivirus before applying
- Enable Steam Guard and two-factor authentication to limit session hijack impact
- Monitor system processes for unexpected executables like Synaptics.exe or unsigned DLLs loading from ProgramData
Since Steam Workshop lacks per-upload code review, the platform’s trust model remains exploitable — and the burden of verification falls squarely on the end user.
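As an added illustration of the monitoring advice above (this script is not from the Kaspersky report or from the article), the following PowerShell hunt lists running executables under ProgramData and loaded DLLs that are either unsigned under ProgramData or named AggregatorHost.dll without a valid Authenticode signature. It assumes a Windows host, an elevated shell, and that the indicator file names are the ones quoted in the article.

```powershell
# Added hunt script (not part of the original report). Run from an elevated PowerShell.
# Flags: (1) processes whose image lives under ProgramData, e.g. C:\ProgramData\Synaptics\Synaptics.exe
#        (2) loaded DLLs under ProgramData that are not validly signed
#        (3) any loaded AggregatorHost.dll whose Authenticode signature is not Valid (a patched copy fails this)
$programData = [Environment]::GetFolderPath('CommonApplicationData')   # usually C:\ProgramData
$findings    = New-Object System.Collections.Generic.List[object]

function Test-UnderProgramData([string]$path) {
    return $path.StartsWith($programData, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = $proc.Path
    if (-not $path) { continue }   # protected or system processes expose no image path

    if (Test-UnderProgramData $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings.Add([pscustomobject]@{
            Pid = $proc.Id; Process = $proc.ProcessName; Kind = 'ExeInProgramData'
            File = $path; Signature = $sig.Status })
    }

    # Module enumeration throws on access-denied or 32/64-bit mismatch; skip those processes
    try { $mods = $proc.Modules } catch { continue }
    foreach ($mod in $mods) {
        $modPath = $mod.FileName
        if (-not $modPath) { continue }
        $inProgramData = Test-UnderProgramData $modPath
        $isAggregator  = ([IO.Path]::GetFileName($modPath) -ieq 'AggregatorHost.dll')
        if (-not ($inProgramData -or $isAggregator)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $modPath
        if ($sig.Status -eq 'Valid') { continue }   # validly signed vendor DLLs are tolerated
        $kind = if ($isAggregator) { 'AggregatorHostBadSignature' } else { 'UnsignedDllInProgramData' }
        $findings.Add([pscustomobject]@{
            Pid = $proc.Id; Process = $proc.ProcessName; Kind = $kind
            File = $modPath; Signature = $sig.Status })
    }
}

if ($findings.Count -gt 0) {
    $findings | Sort-Object Pid | Format-Table -AutoSize
} else {
    'No executables under ProgramData and no unsigned/patched DLL indicators found.'
}
```

A hit on Synaptics.exe or on an AggregatorHost.dll with a non-Valid signature is a reason to isolate the host and invalidate the Steam session, not proof by itself; unsigned third-party DLLs under ProgramData are common enough that each finding still needs review.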