Sophisticated Malware Campaign Exploits Steam Workshop to Target Gamers
A recent malware campaign has leveraged Steam Workshop and Wallpaper Engine to distribute backdoors, infostealers, and crypto miners, primarily affecting gamers in China (89% of cases) and Russia (5.5%), with additional infections reported in Singapore, Hong Kong, Germany, Vietnam, India, and Canada.
How the Attack Works
Threat actors abused Wallpaper Engine’s "application" wallpaper type, which allows standalone executables to run as animated desktop backgrounds. By embedding malicious payloads within these wallpapers, often hidden in password-protected archives or bundled with legitimate files, attackers tricked users into executing arbitrary code upon installation.
Once activated, the malware deployed in multiple stages:
- A backdoor (e.g., Synaptics.exe, linked to the DarkKomet family) was dropped.
- A secondary module (e.g., ._cache_GAME1.exe) installed a tampered system library (AggregatorHost.dll).
- The library hijacked active Steam sessions, harvesting authentication tokens and credentials.
- Stolen data was exfiltrated to attacker-controlled servers (e.g., hxxp://120.48.156[.]17/ey.php), enabling account takeovers and further malicious uploads via compromised profiles.
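The stage markers named above (the dropped backdoor, the secondary module, the tampered library and the exfiltration server) are exactly what a defender would hunt for in endpoint telemetry. The script below is an added example written for this page, not code from the report or from any vendor it cites: it refangs the published indicator, scans a batch of constructed log lines for the named artifacts, and groups hits per host so an analyst can see how far the chain progressed. The `Event|Host|Image|Target` line layout, the host names and the file paths in the sample log are assumptions made for the example; only the file names and the exfiltration URL come from the report.

```python
"""Hunting helper for the Steam Workshop / Wallpaper Engine campaign.

Added example, not part of the original report. Indicators are the file
names and the defanged exfiltration URL named in the report; the log
layout (Event|Host|Image|Target), host names and paths are constructed
here purely to exercise the logic.
"""
import re
from dataclasses import dataclass

# Indicators from the report, keyed by the stage of the chain they mark.
STAGE_INDICATORS = {
    "backdoor dropped": {"synaptics.exe"},
    "secondary module": {"._cache_game1.exe"},
    "tampered library": {"aggregatorhost.dll"},
}

# Exfiltration endpoint exactly as published (defanged).
EXFIL_URL_DEFANGED = "hxxp://120.48.156[.]17/ey.php"

# Constructed Sysmon-style sample lines (paths and hosts are invented).
SAMPLE_LOG = [
    "ProcessCreate|PC-01|C:\\Games\\wallpaper\\Synaptics.exe|-",
    "ProcessCreate|PC-01|C:\\Games\\wallpaper\\._cache_GAME1.exe|-",
    "FileCreate|PC-01|C:\\Games\\wallpaper\\._cache_GAME1.exe|"
    "C:\\Windows\\System32\\AggregatorHost.dll",
    "NetworkConnect|PC-01|C:\\Windows\\System32\\svchost.exe|120.48.156.17:80",
    "ProcessCreate|PC-02|C:\\Program Files\\Notepad++\\notepad++.exe|-",
    "NetworkConnect|PC-02|C:\\Program Files\\Firefox\\firefox.exe|192.0.2.10:443",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a matchable string."""
    out = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("[:]", ":")


def exfil_host(defanged_url: str) -> str:
    """Host portion of the refanged exfiltration URL."""
    return re.match(r"https?://([^/]+)", refang(defanged_url)).group(1)


@dataclass
class Finding:
    host: str
    stage: str
    evidence: str


def hunt(lines):
    """Scan 'Event|Host|Image|Target' lines for the campaign's named artifacts.

    File-name indicators are matched on the basename of both the image and
    the target, case-insensitively; the exfil host is matched on the target
    of NetworkConnect events. One Finding is returned per match.
    """
    findings = []
    target_host = exfil_host(EXFIL_URL_DEFANGED)
    for raw in lines:
        parts = raw.strip().split("|")
        if len(parts) != 4:
            continue  # not in the assumed layout; skip the line
        event, host, image, target = parts
        if event == "NetworkConnect" and target.split(":")[0] == target_host:
            findings.append(Finding(host, "exfiltration", raw.strip()))
            continue
        for path in (image, target):
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            for stage, names in STAGE_INDICATORS.items():
                if name in names:
                    findings.append(Finding(host, stage, raw.strip()))
    return findings


def chain_by_host(findings):
    """Group observed stages per host, in the order first seen."""
    chains = {}
    for f in findings:
        stages = chains.setdefault(f.host, [])
        if f.stage not in stages:
            stages.append(f.stage)
    return chains


if __name__ == "__main__":
    for host, stages in chain_by_host(hunt(SAMPLE_LOG)).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Run against the constructed sample, PC-01 shows the full chain (backdoor, secondary module, tampered library, exfiltration) while PC-02 produces no findings; a single stage on a host is worth triaging on its own, since a dropped DLL without an observed connection may simply mean the network sensor missed it.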
Malware Arsenal & Impact
The campaign distributed a diverse toolkit, including:
- Infostealers (Vidar, Lumma)
- Backdoors (DarkKomet)
- Crypto miners (sapping system resources)
- Ransomware variants
- Python-based trojans
Localized artwork and titles suggested deliberate targeting of Chinese users, though the infrastructure could be repurposed globally.
Steam’s Response & Detection
Steam removed identified malicious Workshop items, but the incident highlights the moderation challenge that persistent abuse poses for the platform. Security vendors detected samples using heuristics such as HEUR:Trojan-PSW.Win32.gen and HEUR:Backdoor.Win32.DarkKomet, though proactive defenses are still required to mitigate the risk.
The attack underscores a growing trend: legitimate community platforms are increasingly weaponized to bypass traditional security measures.
Source: https://gbhackers.com/steam-workshop-malware-campaign/
Valve TPRM report: https://www.rankiteo.com/company/valve-corporation
"id": "val1781684649",
"linkid": "valve-corporation",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Gamers (89% in China, 5.5% in '
'Russia, others in Singapore, '
'Hong Kong, Germany, Vietnam, '
'India, Canada)',
'industry': 'Video Games',
'location': 'Global (primarily China, Russia, '
'Singapore, Hong Kong, Germany, Vietnam, '
'India, Canada)',
'name': 'Steam (Valve Corporation)',
'type': 'Gaming Platform'}],
'attack_vector': 'Steam Workshop, Wallpaper Engine (malicious wallpaper '
'executables)',
'data_breach': {'data_exfiltration': 'Yes (to attacker-controlled servers: '
'hxxp://120.48.156[.]17/ey.php)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (authentication tokens, '
'credentials)',
'type_of_data_compromised': ['Authentication tokens',
'Credentials',
'Personally identifiable '
'information']},
'description': 'A recent malware campaign has leveraged Steam Workshop and '
'Wallpaper Engine to distribute backdoors, infostealers, and '
'crypto miners, primarily affecting gamers. Threat actors '
"abused Wallpaper Engine’s 'application' wallpaper type to "
'embed malicious payloads, leading to the deployment of '
'backdoors, infostealers, and crypto miners. The malware '
'hijacked active Steam sessions, harvesting authentication '
'tokens and credentials, and exfiltrated stolen data to '
'attacker-controlled servers.',
'impact': {'brand_reputation_impact': 'Moderation challenges for Steam, '
'potential erosion of user trust',
'data_compromised': 'Authentication tokens, credentials, '
'personally identifiable information',
'identity_theft_risk': 'High (harvested credentials and '
'authentication tokens)',
'operational_impact': 'System resource sapping (crypto miners), '
'account takeovers',
'systems_affected': 'Gaming PCs, Steam accounts'},
'initial_access_broker': {'backdoors_established': 'Yes (e.g., Synaptics.exe, '
'DarkKomet family)',
'entry_point': 'Steam Workshop (malicious wallpaper '
'executables)',
'high_value_targets': 'Steam accounts with active '
'sessions'},
'lessons_learned': 'Legitimate community platforms are increasingly '
'weaponized to bypass traditional security measures. '
'Proactive defenses and platform moderation are critical '
'to mitigating such risks.',
'motivation': 'Data theft, account takeovers, crypto mining, ransomware '
'deployment',
'post_incident_analysis': {'corrective_actions': 'Enhanced moderation of '
'Workshop items, heuristic '
'detection for malware, user '
'education on risks of '
'untrusted executables',
'root_causes': 'Abuse of legitimate platform '
'features (Wallpaper Engine’s '
'executable wallpapers), lack of '
'proactive detection for malicious '
'payloads'},
'ransomware': {'ransomware_strain': 'Variants (unspecified)'},
'recommendations': 'Enhance platform moderation, implement heuristic '
'detection for malicious payloads, educate users on risks '
'of executing untrusted files, and monitor for unusual '
'session activity.',
'references': [{'source': 'Cybersecurity Report'}],
'response': {'containment_measures': 'Removal of malicious Workshop items',
'incident_response_plan_activated': 'Steam removed identified '
'malicious Workshop items'},
'title': 'Sophisticated Malware Campaign Exploits Steam Workshop to Target '
'Gamers',
'type': 'Malware Campaign',
'vulnerability_exploited': "Abuse of Wallpaper Engine’s 'application' "
'wallpaper type to execute arbitrary code'}