- Attackers hid malicious programs inside Wallpaper Engine Workshop packages.
- Some uploads used anime-style images to attract thousands of downloads.
- The malware targeted Steam accounts, browser credentials, and crypto wallets.
Hackers have turned animated desktop backgrounds into a delivery channel for credential-stealing malware, placing Steam users and cryptocurrency holders at risk.
Cybersecurity researchers at Kaspersky found dozens of malicious uploads inside Steam Workshop packages created for Wallpaper Engine. Several appeared to be ordinary live wallpapers, often featuring anime-style female characters, while concealed files executed malware on Windows computers.
Some of the affected uploads reportedly attracted thousands or tens of thousands of installations before discovery.
Wallpaper Packages Concealed Executable Files
Wallpaper Engine allows users to download animated and interactive desktop backgrounds through Steam Workshop. Unlike a standard image file, some application wallpapers can include executable programs, scripts, and supporting libraries.
Attackers used that feature to package EXE files, DLLs, and scripts alongside legitimate-looking wallpaper content. Once users downloaded and opened the package, the additional files could launch outside the visible wallpaper experience.
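For defenders, an added example (not from Kaspersky's research or from this article's source) that inventories a downloaded Workshop item folder for the file types described above. It parses PE headers rather than trusting file names, so an executable renamed to look like an image is still reported. The folder passed in, the extension lists and the sample package are assumptions constructed for illustration.

```python
import struct, tempfile
from pathlib import Path

PE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".wsf", ".hta", ".lnk"}  # .js omitted: web wallpapers use it

def pe_kind(path):
    """Return 'exe', 'dll' or None by parsing the DOS and COFF headers."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return None
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew: offset of the PE header
        coff = f.read(24)
    if len(coff) < 24 or coff[:4] != b"PE\0\0":
        return None
    return "dll" if struct.unpack_from("<H", coff, 22)[0] & 0x2000 else "exe"  # IMAGE_FILE_DLL

def audit_package(root):
    """List (relative path, finding) for every file that could execute."""
    root, findings = Path(root), []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        ext, kind = p.suffix.lower(), pe_kind(p)
        rel = p.relative_to(root).as_posix()
        if kind and ext not in PE_EXTS:
            findings.append((rel, f"disguised-{kind}"))  # PE content behind another extension
        elif kind:
            findings.append((rel, kind))
        elif ext in SCRIPT_EXTS:
            findings.append((rel, "script"))
    return findings

def fake_pe(dll=False):
    """Constructed header stub: enough for pe_kind(), not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    return dos + b"PE\0\0" + b"\0" * 18 + struct.pack("<H", 0x2000 if dll else 0x0002)

def build_sample(root):
    """Constructed package layout for the demo; all file names are made up."""
    (root / "bin").mkdir()
    files = {"project.json": b"{}", "preview.png": fake_pe(), "run.bat": b"@echo off\r\n",
             "bin/helper.dll": fake_pe(dll=True), "scene.pkg": b"constructed"}
    for name, data in files.items():
        (root / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for rel, finding in audit_package(tmp):
            print(f"{finding:15} {rel}")
```

Legitimate application-type wallpapers also contain executables, so the output is an inventory to review, not a verdict.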
The campaign primarily targeted users in China and Russia, although researchers also identified activity in countries including Germany, Canada, Singapore, and Hong Kong.
Notably, the malicious uploads relied on familiar visual themes rather than obvious cryptocurrency promotions. That approach allowed the files to appear similar to ordinary community-created wallpapers.
Malware Targets Accounts and Crypto Wallets
Kaspersky said the packages could steal Steam login details and hijack active account sessions. Some also installed infostealers, including Lumma and Vidar.
Those malware families collect information stored across a computer, including browser passwords, cookies, autofill records, and saved login credentials. They may also search for cryptocurrency wallet extensions, local wallet files, and other data connected to digital assets.
Session theft creates another risk. An attacker who obtains an active browser or Steam session may access an account without the victim having to enter their password again.
The incident did not involve a direct compromise of blockchain code or a smart contract. Instead, attackers targeted the devices and credentials people use to reach financial accounts.
Crypto Attacks Shift Beyond Code Vulnerabilities
Meanwhile, a recent Oak Security report found that major cryptocurrency thefts increasingly begin outside smart contract code.
Attackers are focusing on stolen private keys, compromised credentials, phishing, malicious software updates, and weak internal controls. Traditional audits can identify errors in deployed code, but they cannot stop a user from installing a disguised executable or surrendering account access.
Cybercriminal groups, including North Korea-linked operators, have stolen more than $2.2 billion from crypto platforms since 2022, according to figures cited in the report.
The Wallpaper Engine campaign follows that broader pattern. Rather than breaking a wallet’s cryptography, the malware attempts to capture the information needed to access it.
Kaspersky identified malicious Workshop packages and reported the findings as researchers tracked the campaign. The discovery shows how software distributed for routine personalization can become an entry point for account theft when executable content is hidden behind a familiar download.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.