A seemingly harmless animated wallpaper on Steam Workshop can quietly run a backdoor while cherry blossoms drift across your desktop. Kaspersky researchers have confirmed an active campaign exploiting Wallpaper Engine‘s open Workshop ecosystem to distribute malware disguised as animated desktop backgrounds. Dozens of malicious wallpaper packages — many featuring anime-style art — racked up thousands to tens of thousands of downloads each before being pulled. The campaign has been active since late 2025, and new infected uploads keep appearing after Valve removes the old ones. Wallpaper Engine itself isn’t compromised. The open Workshop ecosystem is the attack surface.
Why a Wallpaper Can Steal Your Steam Account
Wallpaper Engine’s “application wallpaper” feature lets Workshop items run as full Windows executables — and attackers noticed.
That feature means wallpaper packages can contain .exe, .dll and script files that execute the moment you apply them. One sample from December 2025 launched what looked like an innocent desktop mini-game. Behind the pixels, it deployed the DarkKomet backdoor and harvested Steam session data. Other packages have delivered Lumma and Vidar infostealers, the RenEngine loader, crypto-miners, and ransomware.
Kaspersky notes that “the application-based wallpaper feature allows executable programs to run directly on a user’s Windows computer, allowing attackers to distribute malicious software under the guise of legitimate content.” Attackers use two main tricks: bundling hidden executables inside the wallpaper package, or shipping secretly tracking users password-protected archives where the password sits right in the filename — like leaving a house key under the doormat, except the doormat is labeled “KEY HERE.”
This isn’t one coordinated group. Kaspersky confirms multiple independent threat actors exploiting the same vector. About 89% of malicious downloads targeted users in China, with Russia at roughly 5.5%, plus victims across Singapore, Germany, Vietnam, and Canada.
What to Actually Do About It
You can keep your animated wallpapers — just stop treating Workshop downloads like a curated app store.
- Skip any Workshop item bundling extra .exe, .dll, or script files beyond the wallpaper itself
- Treat password-protected wallpaper archives as an immediate red flag
- Stick to established creators with long histories and verified community feedback
- Run a reputable security suite — Microsoft Defender catches known malicious packages (note: Kaspersky discovered these threats, though some Western regulators have raised separate concerns about the vendor)
- Enable Steam Guard, use a unique password, and if anything feels off, log out everywhere and run a full scan from a clean device
The old “anime girl downloaded a virus” joke isn’t a joke anymore. Valve has removed the identified items, but Kaspersky warns new ones continue to surface — the same logic that applies here extends to Discord bots, game mods, and browser extensions anywhere user-generated content can execute code. An “application wallpaper” is an executable wearing a pretty face. Treat it like one.
