Kaspersky reported that malicious Wallpaper Engine packages uploaded to Steam Workshop have been downloaded thousands of times, stealing Steam credentials, hijacking active sessions, and delivering additional payloads such as the Lumma and Vidar infostealers.
Distribution Method and Payloads
Kaspersky’s analysis showed that attackers disguised animated wallpapers—many featuring female anime artwork—as legitimate content, exploiting the application‑based wallpaper feature that runs executable code on Windows machines. The malicious packages not only captured login details but also installed the RenEngine loader, which subsequently fetched the Lumma and Vidar infostealers. These malware families target browser data and cryptocurrency wallet information, posing a direct threat to crypto investors.
Geographic Scope and Threat Actors
The campaign primarily affected users in China and Russia, while infections were also recorded in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. Kaspersky identified multiple threat groups behind the operation, indicating a coordinated effort rather than a single actor. The widespread distribution underscores the need for heightened vigilance among gamers and crypto holders alike.