HeadlinesBriefing.com

Malicious Wallpapers Hijack Steam Accounts Through Wallpaper Engine

Hacker News

Steam Workshop has become a vector for malware that targets gamers in China and Russia. Attackers embed malicious code inside Wallpaper Engine application wallpapers. When users download and activate a seemingly harmless design, the payload drops the Dark Komet backdoor and a custom Aggregator Host.dll that hunts Steam credentials.

The infection chain begins when the ._cache_GAME1.exe module launches the game wallpaper NTRaholic while also installing the altered library. The DLL pulls the Steam app, hijacks the session, and exfiltrates data to a command‑and‑control server at 120.48.156.17. Hundreds of thousands of downloads show the attack’s reach.

Kaspersky’s analysis identified classic threats such as the Lumma and Vidar infostealers, plus crypto miners. Steam has already removed the flagged wallpapers, yet new variants appear daily. Users in China account for 89% of malicious attempts, with Russia following at 5.5%. A simple antivirus scan can neutralize most payloads before installation.

This case exposes the risk of open‑source content platforms when they allow executable assets. Developers should review application wallpaper submissions for embedded binaries and enforce strict signing. Meanwhile, gamers should treat any third‑party desktop art as potentially hostile unless verified by a reputable source or scanned by up‑to‑date security software.
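One way to carry out the review for embedded binaries described above, as an added example that is not from the original article or from Steam or Kaspersky: it walks an unpacked submission folder and flags any file whose bytes parse as a Windows PE image, whatever its extension. The file names and the header stub are constructed for the demo.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL

def pe_kind(path):
    """Return 'exe', 'dll' or None from the DOS and PE headers, ignoring the name."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)  # offset of "PE\0\0"
        f.seek(e_lfanew)
        nt = f.read(24)  # 4-byte signature + 20-byte COFF header
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return None  # "MZ" alone is not enough; this avoids false hits on data files
    (characteristics,) = struct.unpack_from("<H", nt, 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def scan_submission(root):
    """List (relative path, kind) for every PE image found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = pe_kind(full)
            if kind:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)

def _stub_pe(dll=False):
    """Constructed 88-byte header stub for the demo; it is not a runnable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2002 if dll else 0x0002)
    return dos + b"PE\0\0" + coff

def demo():
    """Build a constructed submission folder (hypothetical names) and scan it."""
    samples = {"preview.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 64,  # JPEG magic
               "scene.pkg": _stub_pe(),                # PE behind a data extension
               "bin/helper.dat": _stub_pe(dll=True),   # DLL behind a data extension
               "notes.txt": b"MZ is only two bytes"}   # short file starting with MZ
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return scan_submission(root)

if __name__ == "__main__":
    print(demo())
```

A hit here only means the file is a PE image; whether it is allowed or signed is a separate policy check.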