Malicious Steam wallpapers stole crypto and hijacked accounts
Animated Steam Workshop wallpapers hid malware that stole Steam credentials, hijacked sessions and installed Lumma and Vidar infostealers to grab browser data and crypto wallets.
Kaspersky researchers reported on Monday that animated wallpapers on Steam Workshop contained malware that stole Steam credentials, hijacked active sessions and deployed Lumma and Vidar infostealers. Dozens of Wallpaper Engine packages were found with thousands or tens of thousands of downloads.
The attackers used Wallpaper Engine’s application-based wallpaper feature, which allows executable programs to run on a Windows PC. Malware was either bundled directly in wallpaper packages or hidden inside password-protected archives that unpacked after installation. Many of the infected packages featured female anime characters.
Kaspersky observed the RenEngine loader alongside Lumma and Vidar families. In some cases a wallpaper launched what looked like a legitimate desktop game while installing additional components such as the DarkKomet backdoor. The firm reported the activity appears linked to multiple threat actors rather than a single group.
Infections were concentrated in China and Russia, with additional detections in Singapore, Hong Kong, Germany, Vietnam, India and Canada. Many of the compromised packages had large download counts, giving operators broad reach through Steam Workshop.
Kaspersky’s report explains that Lumma and Vidar steal saved passwords, cookies, form data and local cryptocurrency wallet keys from infected machines. Harvested credentials and active sessions can be used to access affected accounts, including game platforms and linked services.
The findings follow other recent malware incidents tied to Steam. In July 2025 a Steam Early Access title called Chemia was found to be distributing Hijack Loader, Fickle Stealer and Vidar. In March the FBI opened an investigation into malware distributed through multiple Steam titles, including several early-access and indie games.
Kaspersky researcher Maxim Starodubov wrote, “Trusted platforms can be abused to distribute malware: The attacks rely on users trusting content hosted within legitimate ecosystems. While many of the malware families involved are well-known, the delivery mechanism enables attackers to reach large numbers of potential victims through seemingly harmless content.”
Kaspersky’s report describes how embedding executable payloads in files that appear to be harmless animated wallpapers and using loaders and password-protected archives helped hide payloads from casual inspection and automated scanners.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
