
Attackers abused Wallpaper Engine's executable wallpaper feature to deploy infostealers and ransomware.
The culprit is Wallpaper Engine, a $4.99 live wallpaper tool that ranks among Steam's most-used non-game titles, with 93,000 to 114,000 concurrent users and nearly a million reviews. The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.
Kaspersky observed two delivery methods. In some packages, the malicious EXE files, DLLs, or scripts sat directly alongside the legitimate wallpaper files. In others, the payload was tucked inside a password-protected archive, with the password either embedded in the archive name or in a JSON config file, allowing a script to open it automatically. Applying the wallpaper triggered the payload.
In a sample examined last December, the researchers found that the package launched a working desktop game while discreetly dropping a DarkKomet backdoor named Synaptics.exe and a tampered system library, AggregatorHost.dll. That library locates the running Steam client, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server. Control of an active session lets the attackers publish fresh malicious wallpapers under the victim's name, which is why the campaign keeps regenerating after takedowns.
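As an added example (not code from the article or from Kaspersky), the following Python script shows how a defender could triage a downloaded wallpaper package for the delivery patterns described above: loose executables, DLLs or scripts beside the wallpaper assets, a password-protected archive whose password sits in the archive name or in a JSON config, and file names matching the artefacts the report names. The project.json field names, the password-key heuristic and the sample package the script builds are constructed assumptions; only the two artefact names come from the article.

```python
"""Triage scanner for a Wallpaper Engine package folder (added example).

Flags: executables/DLLs/scripts next to the assets, password-protected
archives whose password leaks via the archive name or a JSON config, and
file names matching artefacts from the report. The project.json layout
used below is an assumption, not the real schema.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
ARCHIVE_EXT = {".zip", ".7z", ".rar"}
PASSWORD_HINT = re.compile(r"pass(word|wd)?|pwd", re.IGNORECASE)
# File names reported in the article; used here only as example indicators.
KNOWN_ARTIFACTS = {"synaptics.exe", "aggregatorhost.dll"}


def load_json(path):
    """Parse a JSON file, returning None when it is unreadable or malformed."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8", errors="replace"))
    except (ValueError, OSError):
        return None


def password_hints(node, prefix=""):
    """Yield dotted key paths whose key looks like a password and whose value is a string."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, str) and PASSWORD_HINT.search(key):
                yield path
            yield from password_hints(value, path)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from password_hints(value, f"{prefix}[{i}]")


def is_encrypted_zip(path):
    """True if any ZIP member has the general-purpose 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan_package(root):
    """Walk a package folder and return sorted (finding, location) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if path.name.lower() in KNOWN_ARTIFACTS:
            findings.append(("known_artifact", rel))
        if ext in EXEC_EXT:
            findings.append(("executable_content", rel))
        if ext in ARCHIVE_EXT:
            if PASSWORD_HINT.search(path.stem):  # e.g. assets_pass1234.zip
                findings.append(("password_in_archive_name", rel))
            if ext == ".zip" and is_encrypted_zip(path):
                findings.append(("encrypted_archive", rel))
        if ext == ".json":
            data = load_json(path)
            for key in password_hints(data):
                findings.append(("password_in_config", f"{rel}:{key}"))
            if isinstance(data, dict) and str(data.get("type", "")).lower() == "application":
                findings.append(("declared_application_type", rel))  # assumed field
    return sorted(findings)


def _mark_encrypted(zip_path):
    """Set bit 0 (encrypted) in every local and central header of a ZIP.
    zipfile cannot write encrypted archives, so this fakes the flag for the
    constructed fixture; the member data is not really encrypted."""
    data = bytearray(Path(zip_path).read_bytes())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + off] |= 0x01
            i = data.find(sig, i + 4)
    Path(zip_path).write_bytes(bytes(data))


def build_sample_package(dest):
    """Write a constructed (not real) package that shows every pattern above."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "preview.jpg").write_bytes(b"\xff\xd8\xff\xd9")  # benign image stub
    (dest / "project.json").write_text(json.dumps({
        "title": "Constructed Scene", "type": "application",
        "file": "launcher.exe", "general": {"archive_password": "p4ss"},
    }))
    (dest / "launcher.exe").write_bytes(b"MZ")  # stub bytes, not a real PE
    (dest / "AggregatorHost.dll").write_bytes(b"MZ")
    archive = dest / "assets_pass1234.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("payload.bin", b"\x00" * 16)
    _mark_encrypted(archive)


def run_demo():
    """Build the fixture in a temporary folder and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for kind, where in run_demo():
        print(f"{kind:26} {where}")
```

Pointing `scan_package` at a real package folder lists each finding with its relative path; a clean scene wallpaper produces no findings, while an application-type package with a loose EXE or an encrypted archive surfaces each pattern separately so an analyst can decide what to inspect first. The password heuristic is deliberately loose (any key or archive stem containing "pass" or "pwd"), so treat its hits as leads rather than verdicts.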
Kaspersky placed 89% of malicious download attempts in China, followed by Russia at 5.5% and smaller shares in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. That concentration aligns with the wider Wallpaper Engine user base, which skews heavily toward China. Payloads spanned the DarkKomet backdoor, the Lumma and Vidar infostealers, the RenEngine loader, miners, and ransomware, a spread the researchers attributed to multiple independent groups piling onto the same technique rather than a lone threat actor or group.
Source: https://www.tomshardware.com/tech-industry/cyber-security/kaspersky-finds-malware-hidden-in-steam-wallpapers-that-hijacks-accounts-to-spread-itself#main