Wallpaper Engine wallpapers shipped Lumma and Vidar — and tens of thousands of Steam users installed them 🎮

Kaspersky researchers said Monday that attackers used Steam Workshop to distribute malicious Wallpaper Engine downloads disguised as animated desktop backgrounds, many featuring female anime characters, with dozens of infected packages identified on the platform. "The application-based wallpaper feature allows executable programs to run directly on a user's Windows computer, allowing attackers to distribute malicious software under the guise of legitimate content," Kaspersky said. The firm added that "many of these packages had thousands or even tens of thousands of downloads." The malicious wallpapers either bundled malware directly or hid it inside password-protected archives that unpacked after installation, Kaspersky said, noting a 2025 case where a wallpaper appeared to launch a legitimate desktop game while secretly installing the DarkKomet backdoor.

The wallpaper packages distributed Lumma and Vidar infostealers, malware families commonly used to steal credentials, browser data, and cryptocurrency wallet information, alongside the RenEngine loader, according to Kaspersky. Researchers said the activity appeared to involve multiple threat actors rather than a single group. Victims were primarily in China and Russia, though infections were also seen in Singapore, Hong Kong, Germany, Vietnam, India, and Canada, Kaspersky reported. The company did not specify the total value of any stolen funds or list affected wallet providers in the advisory.

"Trusted platforms can be abused to distribute malware: The attacks rely on users trusting content hosted within legitimate ecosystems," Kaspersky researcher Maxim Starodubov said in a statement. "While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content." The findings add to a growing list of Steam-related malware incidents, including a July 2025 Prodaft report that the Steam Early Access title Chemia had been compromised to distribute Hijack Loader, Fickle Stealer, and Vidar Stealer targeting cryptocurrency wallets and user data, and a March FBI investigation into malware spread through the Steam games Chemia, PirateFi, BlockBlasters, Dashverse, DashFPS, Lampy, Lunara, and Tokenova. Kaspersky published the Wallpaper Engine advisory the same day separate academic research warned that advances in AI agents could enable adaptive computer worms capable of generating attack strategies and spreading autonomously across networks, in a paper from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow.