Don’t download Steam anime wallpapers at random! The Wallpaper Engine Workshop has been poisoned, specifically to steal cryptocurrency wallets

Kaspersky said that the Workshop of the Steam software “Little Red Car” has been infiltrated by malware. Bad actors use animated anime wallpapers to steal users’ account data and cryptocurrency wallet information, and multiple independent games and MODs have also become vehicles for hiding malware.

Steam Wallpaper Engine Workshop Poisoned

Recently, cybersecurity company Kaspersky said that unscrupulous individuals are using the Steam platform’s dynamic wallpaper engine Wallpaper Engine (commonly known as “Little Red Car”) and its built-in Steam Workshop feature to spread malicious software.

Most of the poisoned wallpapers are themed around female anime characters, and they have already accumulated tens of thousands of downloads. The victims are concentrated in China (accounting for 89.4%) and Russia (accounting for 5.5%), with the rest spread across places such as Singapore, Hong Kong, and Germany.

Kaspersky security expert Maxim Starodubov said that this wave of attacks takes advantage of users’ trust in the official and legitimate ecosystem, allowing criminals to reach large numbers of potential victims through seemingly harmless content.

[Image: the Steam platform’s dynamic wallpaper engine, Wallpaper Engine (commonly known as “Little Red Car”). Image source: Steam screenshot]

Malicious Dynamic Wallpapers Hide Malware, Stealing Account Data and Cryptocurrency Wallets

Kaspersky further explained that the malicious wallpapers mainly take advantage of the Application format supported by Wallpaper Engine, which allows executables to run directly in Windows. The attackers’ methods fall into two main categories:

  1. Directly bundling malicious files, DLLs, and scripts into the wallpaper package
  2. Hiding the malware in password-protected compressed files, and automatically decompressing and executing it through scripts
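
A defensive check for the two packaging methods listed above, as an added example that is not from Kaspersky or the original article: it walks a folder of downloaded workshop items and flags application-type wallpapers, bundled binaries or scripts, and archives sitting next to a script. It assumes each item folder carries a `project.json` manifest with a `type` field; the extension lists, function names and sample items are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Extensions for the two delivery methods: bundled binaries/scripts, staged archives.
BINARY = {".exe", ".dll", ".scr", ".com"}
SCRIPT = {".bat", ".cmd", ".ps1", ".vbs", ".wsf", ".hta"}
ARCHIVE = {".zip", ".rar", ".7z"}

def audit_item(item_dir):
    """Return findings for one workshop item folder (empty list = nothing flagged)."""
    item_dir, findings, wtype = Path(item_dir), [], ""
    try:
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
        wtype = str(meta.get("type", "")).lower() if isinstance(meta, dict) else ""
    except (OSError, ValueError):
        findings.append("project.json missing or unreadable")
    files = [p for p in item_dir.rglob("*") if p.is_file()]
    names = lambda exts: sorted(p.name for p in files if p.suffix.lower() in exts)
    binaries, scripts, archives = names(BINARY), names(SCRIPT), names(ARCHIVE)
    if wtype == "application":  # assumed manifest value for executable wallpapers
        findings.append("application wallpaper: runs an executable on the desktop")
    elif binaries:  # binaries in a non-application item are a mismatch worth reviewing
        findings.append(f"{wtype or 'unknown'} wallpaper ships binaries: {binaries}")
    if scripts:
        findings.append(f"bundled scripts: {scripts}")
    if scripts and archives:
        findings.append(f"archive next to a script (possible staged unpack): {archives}")
    return findings

def audit_workshop(root):
    """Map item folder name -> findings for every flagged item under root."""
    items = sorted(d for d in Path(root).iterdir() if d.is_dir())
    return {d.name: found for d in items if (found := audit_item(d))}

def build_sample(root):  # constructed sample items; IDs, names and contents are made up
    layout = {"1001": ("video", ["loop.mp4"]),
              "1002": ("application", ["game.exe", "run.bat", "data.zip"]),
              "1003": ("scene", ["scene.pkg", "helper.dll"])}
    for item, (wtype, files) in layout.items():
        d = Path(root) / item
        d.mkdir(parents=True)
        (d / "project.json").write_text(json.dumps({"type": wtype}), encoding="utf-8")
        for f in files:
            (d / f).write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(audit_workshop(tmp), indent=2))
```

To audit real downloads, pass the Wallpaper Engine workshop content folder of the Steam library to `audit_workshop`; a flagged item is a prompt for manual review and an antivirus scan, not proof of infection.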

Kaspersky gave an example: a malicious wallpaper discovered in December 2025 appeared to launch a desktop game normally, but in the background it secretly deployed the DarkKomet backdoor, collecting users’ Steam account information and hijacking login sessions.

These malicious wallpapers come from multiple independent threat actors. They spread information-stealing software such as Lumma and Vidar, which is designed specifically to steal credentials, browser data, and cryptocurrency wallet information.

[Image: example of a poisoned Wallpaper Engine dynamic wallpaper. Image source: Kaspersky]

In December 2025, Kaspersky also reported a similar case: at the time, a batch of pirated software and game modification modules (MODs) disguised as legitimate items was circulating online, mainly to steal victims’ cryptocurrencies and forcibly install mining programs.

Malware Infiltration of Steam Is Not the First Case; Multiple Standalone Games Have Also Become Tools for Hiding Malware

Steam has not only seen workshop poisoning; in recent years, multiple standalone games containing hidden viruses have also been released on the platform.

For example, in July 2025, the cybersecurity firm Prodaft pointed out that a Steam game called 《Chemia》 had been compromised and used to spread malicious software such as Hijack Loader, Fickle Stealer, and Vidar Stealer, aimed directly at cryptocurrency wallets and personal data.

The U.S. Federal Bureau of Investigation (FBI) has also gotten involved and, this March, announced that it is investigating incidents involving multiple Steam games spreading malicious software. The list of implicated titles includes not only 《Chemia》, but also 《PirateFi》, 《BlockBlasters》, 《Dashverse》, and others.

  • **Related report:** Steam exposes a major cybersecurity incident! Downloading 《Chemia》 leads to infection and secretly steals cryptocurrency wallet information

With a large number of gamers worldwide, and an even larger MOD community, most players show little awareness or caution toward a game’s main executable, MODs, or workshop content. Kaspersky therefore solemnly calls on users to remain vigilant when downloading user-generated content, confirm the creator’s reputation before installation, and rely on antivirus solutions to detect threats.
