Anime Wallpapers on Steam Hide Crypto-Stealing Malware
Kaspersky discovered malicious Wallpaper Engine downloads on Steam Workshop infecting thousands of users with infostealers like Lumma and Vidar. The malware steals credentials, session tokens, and crypto wallet data, targeting gamers globally amid a wave of Steam-based attacks.
Quick Take
Malicious Steam Workshop wallpapers bundled Lumma and Vidar infostealers.
Tens of thousands of downloads; victims in China, Russia, and beyond.
Attackers exploited trust in Steam to deploy crypto-stealing malware.
Incident follows Chemia game compromise and FBI investigation into Steam malware.
Market Impact Analysis
BearishInfostealer campaign targeting crypto wallets via Steam Workshop could lead to individual fund theft and potential selling pressure, but limited direct market impact.
Speculation Analysis
Key Takeaways
- Kaspersky discovered malicious Wallpaper Engine downloads on Steam Workshop distributing infostealers.
- Lumma and Vidar malware targeted crypto wallets, browser data, and session tokens.
- Tens of thousands of users downloaded the trojanized anime wallpapers.
- Attackers exploited platform trust to reach victims across multiple countries.
What Happened
Kaspersky uncovered a malware campaign that weaponized anime-themed wallpapers on Steam Workshop. The wallpapers, designed for Wallpaper Engine, bundled infostealers such as Lumma and Vidar. The malware stole credentials, session tokens, and cryptocurrency wallet data from infected machines. Attackers exploited Wallpaper Engine's ability to run executable programs, disguising malicious code as harmless desktop customization. The campaign targeted gamers, leveraging trust in Steam's ecosystem to distribute malware at scale. Users in China, Russia, and beyond were affected, with some wallpapers also deploying the RenEngine loader and DarkKomet backdoor. The discovery adds to a troubling series of Steam-related attacks.
The Numbers
Dozens of infected wallpaper packages were identified on Steam Workshop, each garnering thousands to tens of thousands of downloads. At least four malware families were deployed: Lumma, Vidar, RenEngine, and DarkKomet. The campaign primarily hit users in China and Russia, but infections spread to Singapore, Hong Kong, Germany, Vietnam, India, and Canada. Some malicious downloads secretly installed the DarkKomet backdoor while launching a fake desktop game.
Why It Happened
Wallpaper Engine's application-based wallpaper feature allows executables to run on Windows, creating an avenue for abuse. Attackers packaged malware inside password-protected archives or bundled it directly, banking on Steam users' trust. The use of anime themes broadened the appeal, attracting victims unaware of the risk. Steam's massive user base and the Workshop's low barrier to entry made it an attractive vector. This campaign reflects a broader trend of threat actors exploiting trusted platforms to bypass security skepticism.
Broader Impact
The incident follows the compromise of the Steam game Chemia in July 2025, which also spread crypto-stealing malware. The FBI is investigating multiple Steam games for malware distribution. These attacks chip away at trust in digital marketplaces and highlight the need for rigorous content vetting. For crypto holders, the risk of losing wallet access through infostealers underscores the danger of storing sensitive data on gaming PCs.
What to Watch Next
- Monitor Steam Workshop for additional reports of malicious content and potential delistings.
- Watch for a response from Valve, including stricter upload policies or scanning measures.
- Expect heightened awareness among gamers and crypto users about the risks of third-party downloads.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
