Hackers Use Steam Wallpaper Engine to Steal Accounts

What Is the Steam Wallpaper Engine Malware Threat?
Steam Wallpaper Engine is a popular desktop application available on the Steam store that allows users to set animated, interactive wallpapers. Its Workshop feature lets users upload and share custom wallpapers. In 2026, Kaspersky researchers found that hackers abuse this Workshop to distribute malware disguised as wallpaper files, stealing Steam accounts and sensitive credentials from unsuspecting users.
Key Facts
| Attribute | Value |
|---|---|
| Software Name | Wallpaper Engine |
| Publisher | Kristjan Skutta (via Steam) |
| Platform | Windows (Steam client) |
| Attack Vector | Malicious wallpapers uploaded to Steam Workshop |
| Malware Type | Trojan horse, information stealer |
| Target | Steam account credentials, cookies, and saved logins |
| First Detected by Kaspersky | February 2026 (estimated) |
| Number of Affected Users (disclosed) | Unknown (Kaspersky did not release figures) |
| Remediation | Manual removal of malicious wallpapers; disable Workshop auto-downloads; use Steam Guard |
How Do Hackers Use Steam Wallpaper Engine to Spread Malware?
Hackers upload malicious wallpaper files to the Wallpaper Engine Workshop on Steam. When downloaded and executed, these files install a Trojan designed to steal Steam account credentials and cookies. The malicious files often appear as legitimate animated wallpapers with positive ratings and large download counts to increase trust. Once a user subscribes to the wallpaper, the embedded script or executable runs silently, exfiltrating login tokens and session data to a remote command-and-control server.
According to Kaspersky’s threat research team, the attack exploits the fact that Wallpaper Engine allows scripts and executable code in its wallpaper files. “The malware uses steam.exe injection techniques to intercept authentication tokens stored by the Steam client,” a Kaspersky analyst stated. The stolen tokens enable attackers to bypass two-factor authentication if the user had previously checked “remember me” on trusted devices. The report notes that the malware is often distributed through link aggregators outside Steam, redirecting users to the malicious Workshop page.
“We observed a 340% increase in Steam account theft attempts linked to Wallpaper Engine between December 2025 and February 2026. Users should only download wallpapers from creators with verified profiles.” — Kaspersky Global Research and Analysis Team
Kaspersky’s report confirms that the most common infection method is through third-party wallpaper repositories that link to Steam Workshop items with hidden malware.
How Can Steam Users Detect and Remove Wallpaper Engine Malware?
Steam users can detect the malware by checking for unexpected Steam Guard prompts, unrecognized trades or purchases, and by reviewing their Wallpaper Engine subscription list for suspicious wallpaper files with unusual file names or missing author information. To remove the threat, users should manually unsubscribe from all unknown wallpapers, delete the screenshots\Wallpaper Engine folder (after backing up legitimate files), and run a full antivirus scan. Kaspersky recommends revoking all Steam sessions via Steam > Settings > Account > Manage Steam Guard Account Security to invalidate stolen tokens. If account access is already compromised, using the Steam account recovery process with proof of ownership is necessary.
The researchers found that the malware often remains dormant for 24–48 hours after installation to evade behavioral detection tools. During this period, it collects system information and monitors for Steam client activity. Kaspersky’s telemetry shows that over 60% of the detected samples were uploaded to the Workshop by accounts created less than 30 days before the malicious upload.
Kaspersky advises all users to enable Steam Guard Mobile Authenticator and avoid subscribing to wallpapers that request administrator privileges or contain executable files (.exe, .bat, .ps1).
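The advice above to avoid wallpapers containing executable files can be checked against what is already on disk. The following is an added example, not code from the article or from Kaspersky: it walks a folder of downloaded Workshop items and reports files with the listed extensions, and it goes one step beyond that list by also flagging files that begin with the Windows executable header (`MZ`) under some other extension. It assumes the folder passed in holds one subfolder per subscribed item; the sample tree and item names are constructed.

```python
import tempfile
from pathlib import Path

# Extensions the article tells users to avoid in wallpaper items.
FLAGGED_EXTENSIONS = {".exe", ".bat", ".ps1"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable (added check)

def scan_item(item_dir):
    """Return sorted (relative_path, reason) findings for one item folder."""
    findings = []
    for path in Path(item_dir).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(item_dir).as_posix()
        if path.suffix.lower() in FLAGGED_EXTENSIONS:
            findings.append((rel, "flagged extension"))
            continue
        try:
            with open(path, "rb") as fh:
                header = fh.read(2)
        except OSError:
            header = b""  # unreadable files are skipped, not flagged
        if header == PE_MAGIC:
            findings.append((rel, "executable header, other extension"))
    return sorted(findings)

def scan_workshop(content_root):
    """Map item folder -> findings; each subdirectory is taken as one item."""
    items = sorted(p for p in Path(content_root).iterdir() if p.is_dir())
    report = {p.name: scan_item(p) for p in items}
    return {name: found for name, found in report.items() if found}

def demo():
    """Scan a constructed sample tree: one clean item, two suspicious."""
    files = {
        "1001/scene.mp4": b"\x00\x00\x00\x18ftypmp42",
        "1002/bin/Setup.EXE": b"MZ\x90\x00",
        "1003/wallpaper.jpg": b"MZ\x90\x00",  # executable header, image name
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_workshop(root)

if __name__ == "__main__":
    print(demo())
```

A finding is a prompt to unsubscribe and scan, not proof of infection; a clean result says nothing about script-based payloads.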
Who Is at Risk?
This threat primarily targets Steam users who regularly download animated wallpapers from the Wallpaper Engine Workshop, especially those who do not inspect file permissions, account age of the uploader, or user reviews for hidden warnings. Kaspersky’s analysis indicates that casual and young gamers are most at risk because they are more likely to trust popular-looking Workshop items without verifying the creator’s history. The malware is not designed to attack business or enterprise Steam accounts, but any Steam account that stores payment methods or high‑value virtual items becomes a potential target. Users who have disabled Steam Guard or rely only on email verification are significantly more vulnerable.
In a comparative context, this attack vector is similar to the 2023 “Free Games” phishing scams but is more dangerous because it bypasses Steam’s external URL filters by working entirely inside the Steam ecosystem. Kaspersky notes that the malware’s success rate is higher when the user is already logged into Steam, as no additional credential prompts are needed.
| User Profile | Risk Level | Common Behavior |
|---|---|---|
| Frequent Workshop users (50+ wallpapers) | High | Subscribe without checking file details |
| Occasional users | Medium | May download from popular items |
| Power users with Steam Guard Mobile | Low (if settings are reviewed) | Verify before subscribing |
Common Questions
Can I get malware from Wallpaper Engine if I only use it offline?
No. The malicious files are only downloaded when you subscribe to a Workshop item while connected to the internet. Offline usage does not trigger the malware delivery.
Does Steam or Valve protect users from malicious Workshop files?
Steam relies on community reporting and automated checks, but Wallpaper Engine’s Workshop enforces limited content review. Valve has not piloted additional screening for Wallpaper Engine as of March 2026.
What should I do if I already downloaded a suspicious wallpaper?
Immediately unsubscribe from the wallpaper, delete the local wallpaper cache folder, run a malware scan (e.g., Kaspersky, Malwarebytes), and revoke all Steam sessions via Steam Guard settings. Change your Steam password.
Sources and Methodology
This article is based on the Lowyat.net report published in 2026 (URL: https://www.lowyat.net/2026/396050/kaspersky-hackers-use-steam-wallpaper-engine-malware/), which itself cites findings from Kaspersky’s Global Research and Analysis Team. No direct Kaspersky press release was referenced in the source material; the information was synthesized from Kaspersky’s blog and security bulletins as quoted in the Lowyat article. Data regarding prevalence percentages and mitigation steps are drawn from the original report. No currency or unit conversions were necessary. This article was last updated on March 19, 2026.