TLDR:Kaspersky identified dozens of malicious Wallpaper Engine packages with thousands of installs on Steam.Lumma and Vidar infostealers were deployed to harvest crypto wallet data and browser credentials.Malware was hidden inside password-protected archives or bundled directly within wallpaper downloads.The FBI previously investigated Steam-distributed malware across titles including PirateFi and Tokenova.Wallpaper Engine malware is spreading through Steam Workshop, one of gaming’s most trusted content platforms. Cybersecurity firm Kaspersky has identified dozens of infected wallpaper packages distributed via the popular live-wallpaper application. The malicious files steal Steam credentials, hijack active sessions, and deploy infostealers targeting crypto wallet data. Many packages carried thousands of downloads before discovery, with victims reported across China, Russia, Singapore, Germany, and several other countries.How Attackers Weaponized a Trusted PlatformKaspersky’s report, published Monday, revealed that threat actors exploited Steam Workshop to upload malicious Wallpaper Engine packages disguised as animated desktop wallpapers. Most used anime-style female characters as cover images, lending them a credible, appealing appearance to gamers. The platform’s trust factor gave the malware a reliable distribution channel with minimal friction for potential victims.The application’s core feature became the attack vector. Wallpaper Engine allows executable programs to run directly on a Windows machine, which attackers leveraged to deploy malicious payloads under the appearance of legitimate content. Kaspersky confirmed it had identified dozens of infected wallpaper packages available through Steam Workshop, with many reaching thousands or even tens of thousands of downloads.Some wallpapers bundled malware directly within the download package. Others concealed payloads inside password-protected archives that unpacked silently after installation. One documented 2025 case showed a wallpaper launching what appeared to be a functional desktop game while secretly installing the DarkKomet backdoor in the background.Kaspersky researcher Maxim Starodubov addressed the core vulnerability enabling these attacks. “Trusted platforms can be abused to distribute malware: The attacks rely on users trusting content hosted within legitimate ecosystems,” Starodubov said. “While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content.”Infostealers, Crypto Theft, and a Growing Steam ProblemAmong the most dangerous payloads identified were Lumma and Vidar infostealers, distributed alongside the RenEngine loader. These malware families are well-documented tools for harvesting browser credentials, saved passwords, and cryptocurrency wallet information. Kaspersky also noted the activity appeared to involve multiple threat actors rather than a single coordinated group.Steam credential hijacking was another confirmed outcome. Attackers captured active session tokens, allowing them to access accounts without requiring a password. Kaspersky explained that “the application-based wallpaper feature allows executable programs to run directly on a user’s Windows computer, allowing attackers to distribute malicious software under the guise of legitimate content.”The findings follow a documented pattern of Steam-related malware incidents. In July 2025, cybersecurity firm Prodaft reported that the Steam Early Access title Chemia had been compromised to distribute Hijack Loader, Fickle Stealer, and Vidar Stealer. Earlier, the FBI announced investigations into malware found across several Steam titles, including PirateFi, BlockBlasters, and Tokenova.Kaspersky advised users to treat Workshop content as potential threat vectors regardless of download counts. High install numbers do not confirm safety, as malicious packages accumulated tens of thousands of downloads before removal.The post Wallpaper Engine Malware Hijacks Steam Workshop to Steal Crypto Wallet Data appeared first on Blockonomi.