
Attackers abused Wallpaper Engine's executable wallpaper feature to deploy infostealers and ransomware.
The culprit is Wallpaper Engine, a $4.99 live wallpaper tool that ranks among Steam's most-used non-game titles, with 93,000 to 114,000 concurrent users and nearly a million reviews. The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.
Kaspersky observed two delivery methods. In some packages, the malicious EXE files, DLLs, or scripts sat directly alongside the legitimate wallpaper files. In others, the payload was tucked inside a password-protected archive, with the password either embedded in the archive name or in a JSON config file, allowing a script to open it automatically. Applying the wallpaper triggered the payload.
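The two delivery patterns described above translate directly into a triage check a defender can run over a downloaded wallpaper package before it is applied: list every executable, DLL or script in the package, flag archives whose file name embeds a password, and walk any JSON config for password-like keys. The script below is an added example, not code from the article or from Kaspersky or Wallpaper Engine; the package layout it assumes (a `project.json` at the root with a `type` field and, for application wallpapers, a `file` key naming the executable) is a hypothetical manifest written for the demo, and the sample package it builds is constructed inline.

```python
import json
import re
import tempfile
from pathlib import Path

# File classes worth a second look inside a downloaded wallpaper package.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
# JSON keys that look like they carry an archive password.
PASSWORD_KEY = re.compile(r"^(pass(word|wd)?|pwd)$", re.IGNORECASE)
# Archive names that embed their own password, e.g. "assets_pwd-1234".
PASSWORD_IN_NAME = re.compile(r"(pass(word)?|pwd)\s*[-_=:]\s*\S+", re.IGNORECASE)


def find_password_keys(obj, prefix=""):
    """Walk a parsed JSON document and return dotted paths of password-like keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if isinstance(key, str) and PASSWORD_KEY.match(key):
                hits.append(path)
            hits.extend(find_password_keys(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_password_keys(value, f"{prefix}[{i}]"))
    return hits


def load_json(path):
    """Parse a JSON file, returning None on malformed content."""
    try:
        return json.loads(path.read_text(encoding="utf-8", errors="replace"))
    except ValueError:
        return None


def scan_wallpaper_package(root):
    """Return a sorted list of findings for one wallpaper package directory.

    Assumed layout (hypothetical, not Wallpaper Engine's documented schema):
    project.json at the root with a "type" field and, for application
    wallpapers, a "file" key naming the executable the wallpaper launches.
    """
    root = Path(root)
    manifest = root / "project.json"
    project = load_json(manifest) if manifest.is_file() else None
    declared = None
    if isinstance(project, dict) and project.get("type") == "application":
        declared = project.get("file")

    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in EXECUTABLE_EXTS:
            # Every executable is reported; any the manifest never declared is
            # the "payload sitting alongside the wallpaper files" case.
            findings.append({"type": "executable", "path": rel,
                             "declared": rel == declared})
        elif ext in ARCHIVE_EXTS:
            findings.append({"type": "archive", "path": rel,
                             "password_in_name": bool(PASSWORD_IN_NAME.search(path.stem))})
        elif ext == ".json":
            data = load_json(path)
            keys = find_password_keys(data) if data is not None else []
            if keys:
                findings.append({"type": "config_password", "path": rel, "keys": keys})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_package(root):
    """Create a constructed package that exhibits both delivery patterns."""
    root = Path(root)
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "preview.jpg").write_bytes(b"\xff\xd8\xff")      # harmless image stub
    (root / "wallpaper.exe").write_bytes(b"MZ")               # the declared app
    (root / "bin" / "helper.dll").write_bytes(b"MZ")          # undeclared binary
    (root / "assets_pwd-1234.zip").write_bytes(b"PK")         # password in the name
    (root / "project.json").write_text(json.dumps({
        "title": "constructed sample", "type": "application",
        "file": "wallpaper.exe",
        "unpack": {"archive": "assets_pwd-1234.zip", "password": "1234"},
    }))


def run_demo():
    """Build the constructed package in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_wallpaper_package(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against a real package directory with `scan_wallpaper_package(path)`; an application wallpaper legitimately ships one executable, so the findings to act on are undeclared binaries, archives that carry their own password, and config files that hold one.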
In a sample examined last December, the researchers found a package that launched a working desktop game while discreetly dropping a DarkKomet backdoor named Synaptics.exe and a tampered system library, AggregatorHost.dll. That library locates the running Steam app, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server. Control of an active session lets the attackers post fresh malicious wallpapers under the victim's name, which is why the campaign keeps regenerating after takedowns.
Kaspersky placed 89% of malicious download attempts in China, followed by Russia at 5.5% and smaller shares in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. That concentration aligns with the wider Wallpaper Engine user base, which skews heavily toward China. Payloads spanned the DarkKomet backdoor, the Lumma and Vidar infostealers, the RenEngine loader, miners, and ransomware, a spread the researchers attributed to multiple independent groups piling onto the same technique rather than a lone threat actor or group.