Kaspersky has uncovered a malware campaign distributing malicious Wallpaper Engine downloads through Steam Workshop, disguised as animated wallpapers, many featuring anime characters. The malware, found in dozens of packages with thousands of installs, steals Steam credentials, hijacks sessions, and deploys additional payloads including Lumma and Vidar infostealers. These stealers target browser data, credentials, and cryptocurrency wallet information. The attackers also used the RenEngine loader and sometimes hid malware inside password-protected archives that unpacked after installation. Victims are primarily in China and Russia, but also in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. Kaspersky notes the activity involves multiple threat actors and emphasizes the risk of trusting content on legitimate platforms like Steam. This incident follows prior Steam-related malware attacks, including the compromised Early Access game Chemia in July 2025 and an FBI investigation into several compromised games in March 2025.

Key facts

• Malicious Wallpaper Engine mods on Steam disguised as anime wallpapers.
• Malware steals Steam credentials, hijacks sessions, drops Lumma and Vidar stealers.
• Dozens of infected packages had thousands of installs each.
• Victims mainly in China and Russia, also across Asia and Europe.
• Follows recent Steam malware incidents like Chemia game compromise.