Dozens of malicious wallpapers found on Steam Workshop: gamers’ accounts at risk

Since late 2025, attackers have abused Wallpaper Engine’s Steam Workshop sharing feature to hide malware in malicious wallpaper packages and target gamers in China and Russia for Steam account theft. The campaigns have delivered backdoors, infostealers, crypto miners, and loaders, with one infection chain dropping Synaptics.exe and stealing credentials through a modified AggregatorHost.dll before sending data to hxxp://120.48.156[.]17/ey.php. #WallpaperEngine #SteamWorkshop #DarkKomet #Lumma #Vidar #RenEngine

Keypoints

  • Attackers are distributing malware through Wallpaper Engine wallpapers shared on Steam Workshop.
  • The campaign primarily targets gamers in China and Russia to hijack Steam accounts.
  • Malicious payloads are hidden in executable wallpapers, archives, scripts, and password-protected archives.
  • One infection chain drops Synaptics.exe and uses ._cache_GAME1.exe to launch the decoy game NTRaholic.
  • A modified AggregatorHost.dll is used to locate Steam, steal credentials, and hijack active Steam sessions.
  • The stolen session data is sent to hxxp://120.48.156[.]17/ey.php, enabling attackers to upload more malicious wallpapers.
  • Observed payloads include DarkKomet, Lumma, Vidar, RenEngine, backdoors, crypto miners, and botnet loaders.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Victims run compromised wallpaper packages and “running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected.”
  • [T1055] Process Injection – The modified AggregatorHost.dll is used inside the wallpaper chain to interfere with Steam session handling and credential collection (“the compromised AggregatorHost.dll sends all the collected data”).
  • [T1552] Unsecured Credentials – The malware hunts for account credentials in the Steam app (“track down the Steam app on the computer and hunt for account credentials”).
  • [T1539] Steal Web Session Cookie – The malware hijacks the user’s live Steam session to take over the account (“hijacks the user’s live Steam session”).
  • [T1105] Ingress Tool Transfer – Malicious components are delivered as EXE, DLL, scripts, and archived payloads through workshop content (“payload usually consisted of compromised EXE files, DLLs, or malicious scripts”).
  • [T1027] Obfuscated Files or Information – Attackers hide malware in password-protected archives and conceal the password in the archive name or JSON config (“hiding the malware inside a password-protected archive”).
  • [T1106] Native API – The application wallpaper feature allows foreign code to run directly on the computer (“allows foreign code to be run directly on your computer”).
  • [T1203] Exploitation for Client Execution – The abuse of application wallpapers enables code execution when users apply the wallpaper (“when the user selected and applied the wallpaper”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrated data is sent to an attacker-controlled web server at hxxp://120.48.156[.]17/ey.php (“sends all the collected data to a server controlled by the hackers”).

Indicators of Compromise

  • [File names] Dropped or executed payloads in the infection chain – Synaptics.exe, ._cache_GAME1.exe, AggregatorHost.dll
  • [URL / C2 server] Data exfiltration and session-hijack endpoint – hxxp://120.48.156[.]17/ey.php
  • [Malicious wallpaper content] Infected Steam Workshop wallpaper packages used to deliver payloads – application wallpapers, game wallpapers, password-protected archive wallpapers
  • [Threat detections / verdicts] Security detections assigned to identified samples – HEUR:Trojan-PSW.Win32.gen, HEUR:Backdoor.Win32.DarkKomet, and 4 more verdicts
  • [Malware families] Payloads observed in the campaign – DarkKomet, Lumma, Vidar, RenEngine
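
The indicators above can be turned into a local triage check. The following script is an added example (not from the Securelist write-up and not Wallpaper Engine’s own tooling): it walks a directory of downloaded Workshop wallpaper packages and flags the three payload file names, PE executables hidden inside a wallpaper folder under any extension, ZIP archives with password-protected entries, and project.json files that declare an executable (“application”) wallpaper or carry a password field. The project.json keys `type` and `file` are an assumption about Wallpaper Engine’s package format; the sample tree and log lines are constructed, and the C2 URL is refanged only for matching. A second helper matches proxy-log lines against the exfiltration endpoint while ignoring look-alike hosts such as 120.48.156.170.

```python
import json
import os
import tempfile
import zipfile
from urllib.parse import urlparse

# Indicators from the write-up (C2 URL refanged for matching purposes only).
IOC_FILE_NAMES = {"synaptics.exe", "._cache_game1.exe", "aggregatorhost.dll"}
IOC_C2_HOST = "120.48.156.17"
IOC_C2_PATH = "/ey.php"


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header of a Windows PE."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def zip_has_encrypted_entries(path):
    """True if the ZIP archive has at least one entry with the encryption flag set."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        # Bit 0 of the general-purpose flag marks a password-protected entry.
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def suspicious_project_json(path):
    """Return a reason if project.json describes an executable wallpaper."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (ValueError, OSError):
        return None
    if not isinstance(cfg, dict):
        return None
    # Assumption: 'type' names the wallpaper kind; 'application' runs a binary.
    if str(cfg.get("type", "")).lower() == "application":
        return "application-type wallpaper (runs foreign code)"
    # The write-up notes archive passwords being stashed in the JSON config.
    if any("password" in str(k).lower() for k in cfg):
        return "archive password stored in wallpaper config"
    return None


def triage_wallpaper_dir(root):
    """Walk a Workshop content tree; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in IOC_FILE_NAMES:
                findings.append((rel, "known payload file name"))
            elif name.lower() == "project.json":
                reason = suspicious_project_json(full)
                if reason:
                    findings.append((rel, reason))
            elif zip_has_encrypted_entries(full):
                findings.append((rel, "password-protected archive"))
            elif is_pe_file(full):
                findings.append((rel, "PE executable inside wallpaper package"))
    return sorted(findings)


def match_c2_log_lines(lines):
    """Return log lines whose URL host and path equal the C2 endpoint exactly."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                url = urlparse(token)
                if url.hostname == IOC_C2_HOST and url.path == IOC_C2_PATH:
                    hits.append(line)
                    break
    return hits


# Constructed proxy log lines for the demo; the third is a look-alike host.
SAMPLE_LOG_LINES = [
    "2025-11-03T10:12:01Z 10.0.0.5 GET http://cdn.steamstatic.com/ 200",
    "2025-11-03T10:12:07Z 10.0.0.5 POST http://120.48.156.17/ey.php 200",
    "2025-11-03T10:12:09Z 10.0.0.7 GET http://120.48.156.170/ey.php 200",
]


def make_demo_tree():
    """Create a constructed Workshop tree in a temp dir: one clean, one bad item."""
    base = tempfile.mkdtemp()
    clean, bad = os.path.join(base, "111111"), os.path.join(base, "222222")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "project.json"), "w") as fh:
        json.dump({"type": "video", "file": "loop.mp4"}, fh)
    with open(os.path.join(clean, "loop.mp4"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x18ftypmp42")          # harmless non-PE bytes
    with open(os.path.join(bad, "project.json"), "w") as fh:
        json.dump({"type": "application", "file": "._cache_GAME1.exe"}, fh)
    for name in ("Synaptics.exe", "._cache_GAME1.exe", "assets.bin"):
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)             # stub PE header only
    # zipfile cannot write encrypted entries, so flip the encryption flag bit
    # in the local and central headers of a stored entry to simulate one.
    zpath = os.path.join(bad, "pack.zip")
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.bin", b"placeholder")
    data = bytearray(open(zpath, "rb").read())
    data[6] |= 0x1                                    # local header flags
    data[data.find(b"PK\x01\x02") + 8] |= 0x1         # central directory flags
    open(zpath, "wb").write(bytes(data))
    return base


if __name__ == "__main__":
    for rel, why in triage_wallpaper_dir(make_demo_tree()):
        print(f"{rel}: {why}")
    for hit in match_c2_log_lines(SAMPLE_LOG_LINES):
        print("C2 contact:", hit)
```

Point `triage_wallpaper_dir` at the real Wallpaper Engine workshop content directory to review downloaded packages; the PE check is deliberately extension-agnostic because the campaign hides binaries behind wallpaper asset names, and the encrypted-entry check catches the password-protected archive variant without needing the password.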


Read more: https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/