
HiveForce Labs · Threat Advisory · Attack Report
Since at least August 2025, threat actors have weaponized Valve's Steam Workshop platform to distribute DarkKomet, Lumma, Vidar, and RenEngine malware through malicious Wallpaper Engine packages. The campaign exploits the "application wallpaper" feature to execute arbitrary Windows binaries on victim machines — and uses hijacked Steam accounts to self-propagate the infection cycle across the gaming community.
Since at least August 2025, threat actors have abused Valve's Steam Workshop content-sharing platform to distribute malware through the popular Wallpaper Engine desktop application. The attackers exploit Wallpaper Engine's "application wallpaper" type — which executes standalone Windows programs as the desktop background — to run arbitrary code on victim machines. Malicious wallpapers, downloaded thousands of times each, silently deploy backdoors, infostealers, cryptocurrency miners, botnet loaders, and ransomware while presenting a functional game or widget to avoid suspicion. A primary objective across many samples is hijacking the victim's Steam account, which is then reused to upload further malicious wallpapers and sustain distribution.
Threat actors are increasingly abusing Steam Workshop — Valve's community platform for sharing and downloading game-related content — to distribute malware concealed within wallpaper packages. The campaign specifically leverages Wallpaper Engine's "application wallpaper" feature, which allows standalone Windows executables to run as desktop backgrounds, effectively enabling arbitrary code execution on a victim's system without any additional user interaction beyond selecting a wallpaper. Attackers uploaded dozens of malicious wallpapers designed with themes and artwork tailored to gaming audiences, with several attracting thousands or even tens of thousands of downloads before detection.
Two distinct delivery techniques have been observed in this Steam Workshop malware campaign. In the first method, the wallpaper package contains the executable wallpaper alongside malicious EXE files, DLLs, or scripts bundled inside an archive that unpacks automatically upon wallpaper activation. In the second technique, attackers use password-protected archives, with the password either embedded in the archive's filename or stored within a JSON configuration file installed alongside the wallpaper. Either the victim is prompted to enter the password, or an automated script retrieves it transparently. In most cases, the malware activates immediately after the wallpaper is selected and applied, leaving no obvious sign of infection.
One analyzed sample disguised as a game called NTRaholic demonstrates how the attack maintains the appearance of normal functionality while malicious activity occurs silently in the background. The wallpaper launches successfully to avoid raising suspicion, while simultaneously dropping a DarkKomet backdoor component named Synaptics.exe. A second executable, ._cache_GAME1.exe, starts the actual game and installs a modified AggregatorHost.dll containing an embedded malicious payload.
Across the broader Steam Workshop campaign, attackers used the same technique to deliver a wide range of threats, including Lumma and Vidar information stealers, the RenEngine loader, cryptocurrency miners, botnet loaders, and ransomware families. Detections span Python-based droppers, backdoors, and credential-stealing Trojans, indicating active adaptation and diversification of payloads by threat actors exploiting this distribution channel.
The malicious AggregatorHost.dll primarily targets Steam accounts by searching for stored credentials and hijacking active sessions. Rather than attempting traditional lateral movement or privilege escalation, the attackers focus on Steam account takeover as the primary post-exploitation objective. Stolen information and credentials are exfiltrated to attacker-controlled infrastructure over HTTP, with one sample communicating with hxxp[:]//120[.]48[.]156[.]17/ey[.]php. Once a Steam account is compromised, it is reused to upload additional malicious wallpapers to Steam Workshop — creating a self-propagating infection cycle that sustains distribution without requiring new attacker infrastructure. The variety of malware families and C2 infrastructure involved suggests that multiple unrelated threat actors are independently adopting the same Steam Workshop distribution technique rather than a single coordinated operation.
Scan Steam Workshop Content Before Applying
Run an up-to-date antivirus or EDR scan on any Wallpaper Engine content downloaded from Steam Workshop — especially "application" type wallpapers — before installing or applying it. Steam's own cleanup mechanisms cannot be relied upon to catch new malicious uploads in time.
Restrict or Avoid Application Wallpapers
Where feasible, avoid the Wallpaper Engine "application" wallpaper type entirely, as it executes arbitrary third-party programs as the desktop background. Prefer video, scene, or web wallpapers sourced only from established, trusted creators with verifiable track records on Steam Workshop.
Hunt for Dropped Artifacts and Hashes
Sweep endpoints for the named malicious artifacts: Synaptics.exe, ._cache_GAME1.exe, and a non-standard AggregatorHost.dll loaded from an unexpected filesystem path. Cross-reference against the full list of MD5 and SHA256 hashes provided in the IoC section of this advisory.
Secure and Re-authenticate Steam Accounts
For any potentially affected user, reset the Steam account password immediately, enable Steam Guard two-factor authentication, deauthorize all active sessions and linked devices, and review the account's recent Workshop uploads for unauthorized or malicious content that may have been staged for further distribution.
Detect Credential Theft and Session Hijacking
Deploy detection rules for processes enumerating the Steam installation directory or accessing Steam session token data. Alert on unexpected loads of a DLL named AggregatorHost.dll from any path outside its legitimate system location, as this is a strong indicator of DLL hijacking associated with this campaign.
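The artifact sweep and the DLL-load rule from the two hunting recommendations above, written out as an added Python example (this is not HiveForce Labs' tooling). The event records are constructed for the demonstration and only borrow Sysmon's field names (Image, ImageLoaded, Hashes, TargetFilename); the artifact names and the MD5 values are the advisory's, while the legitimate AggregatorHost.dll location (C:\Windows\System32), the Steam install path and the list of Steam-owned process names are assumptions that should be adjusted to the local environment.

```python
"""Endpoint hunt for the dropped artifacts and DLL-hijack pattern in the advisory.

Added example for this advisory, not HiveForce Labs' tooling. The event records
below are constructed for the demonstration; field names mirror Sysmon's
(Image, ImageLoaded, Hashes, TargetFilename) but nothing here is real telemetry.
Assumed (not stated in the advisory): the legitimate home of AggregatorHost.dll
is under C:\\Windows\\System32, Steam lives in C:\\Program Files (x86)\\Steam, and
steam.exe / steamwebhelper.exe are the only processes expected to touch its files.
"""
from pathlib import PureWindowsPath

# Artifact names and MD5 values taken from the advisory (MD5 list is a subset).
DROPPED_ARTIFACTS = {"synaptics.exe", "._cache_game1.exe"}
HIJACKED_DLL = "aggregatorhost.dll"
IOC_MD5 = {
    "95856f2ce428c728d9781d3296558068",
    "af080780cca2acd1d082ce01e7cc346a",
    "c133c3dd9f7d6934598025047df41abf",
}
# Assumptions about the local environment, not statements from the advisory.
SYSTEM_DIR = r"C:\Windows\System32"
STEAM_DIR = r"C:\Program Files (x86)\Steam"
STEAM_PROCESSES = {"steam.exe", "steamwebhelper.exe"}


def _under(path: str, parent: str) -> bool:
    """Case-insensitive 'path is parent or inside parent' test for Windows paths."""
    p = str(PureWindowsPath(path)).lower()
    q = str(PureWindowsPath(parent)).lower().rstrip("\\")
    return p == q or p.startswith(q + "\\")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def md5_of(hashes_field: str) -> str:
    """Pull the MD5 out of a Sysmon-style 'MD5=...,SHA256=...' field ('' if absent)."""
    for part in hashes_field.split(","):
        if part.strip().upper().startswith("MD5="):
            return part.strip()[4:].lower()
    return ""


def evaluate(event: dict) -> list:
    """Apply the advisory's hunting rules to one event; returns zero or more hits."""
    hits = []
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    target = event.get("TargetFilename", "")
    # Rule 1: the named dropped artifacts, whether started or loaded.
    for path in (image, loaded):
        if path and _basename(path) in DROPPED_ARTIFACTS:
            hits.append({"rule": "dropped-artifact", "image": image, "detail": path})
    # Rule 2: AggregatorHost.dll loaded from anywhere but its system location.
    if loaded and _basename(loaded) == HIJACKED_DLL and not _under(loaded, SYSTEM_DIR):
        hits.append({"rule": "aggregatorhost-hijack", "image": image, "detail": loaded})
    # Rule 3: hash match against the IoC table.
    digest = md5_of(event.get("Hashes", ""))
    if digest in IOC_MD5:
        hits.append({"rule": "ioc-hash", "image": image, "detail": digest})
    # Rule 4: a non-Steam process reaching into the Steam installation directory.
    if target and _under(target, STEAM_DIR) and _basename(image) not in STEAM_PROCESSES:
        hits.append({"rule": "steam-data-access", "image": image, "detail": target})
    return hits


def hunt(events) -> list:
    """Run evaluate() over an iterable of events and flatten the hits."""
    return [hit for event in events for hit in evaluate(event)]


# Constructed events: one benign load, one infected host, one Steam-owned access.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\._cache_GAME1.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AggregatorHost.dll",
     "Hashes": "MD5=95856f2ce428c728d9781d3296558068"},
    {"Image": r"C:\Program Files (x86)\Steam\steamapps\workshop\content\APPID\3000000000\Synaptics.exe",
     "Hashes": "MD5=ffffffffffffffffffffffffffffffff"},   # APPID / item id are placeholders
    {"Image": r"C:\Users\alice\AppData\Local\Temp\._cache_GAME1.exe",
     "TargetFilename": r"C:\Program Files (x86)\Steam\config\loginusers.vdf"},
    {"Image": r"C:\Program Files (x86)\Steam\steam.exe",
     "TargetFilename": r"C:\Program Files (x86)\Steam\config\loginusers.vdf"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['rule']:22} {hit['image']}  <-  {hit['detail']}")
```

Rule 2 is the one to keep tight: it fires only on the DLL's basename outside the assumed system directory, so a legitimately updated copy in System32 stays quiet while a copy beside a workshop executable or in a user's Temp folder is flagged. Rule 4 will be noisy on hosts with backup agents or other software that legitimately reads the Steam folder; extend STEAM_PROCESSES before deploying it as an alert rather than a hunt query.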
Monitor for Cryptomining and Ransomware Behavior
Watch for sustained abnormal CPU and GPU utilization indicative of the cryptocurrency miner payloads deployed in this campaign. Separately, monitor for unauthorized file-encryption activity consistent with the ransomware strains observed across Steam Workshop malware samples.
Treat Password-Protected Archives as High Risk
Flag and investigate any bundled password-protected archives where the password is supplied in the archive filename or embedded within a JSON configuration file. This pattern is a strong and reliable indicator of evasive malicious packaging used throughout this Steam Workshop malware campaign.
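The pre-installation checks from the delivery-technique description and from the "Scan Steam Workshop Content Before Applying" and "Treat Password-Protected Archives as High Risk" recommendations, as an added Python example (not HiveForce Labs' or Valve's code). It assumes the Workshop item directory carries a manifest named project.json whose "type" field reads "application" for application wallpapers; the sample item it builds is constructed for the demonstration, and the password-in-filename regex is a heuristic to tune locally.

```python
"""Pre-installation triage of a Wallpaper Engine Workshop item.

Added example for this advisory, not HiveForce Labs' or Valve's tooling.
Assumed (not stated in the advisory): the item directory carries a manifest
named project.json whose "type" field reads "application" for application
wallpapers. The item built by build_sample_item() is constructed for the
demonstration and is not a real Workshop upload.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = {".zip", ".rar", ".7z"}
EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".py", ".vbs", ".scr"}
# Heuristic for a password carried in the archive's own file name
# (e.g. "payload_pw_hunter2.zip"); tune to local naming conventions.
PASSWORD_IN_NAME = re.compile(r"(?<![a-z])(?:pass(?:word)?|pwd?)[_\-=:]?[^\s_]+", re.I)
PASSWORD_KEYS = {"password", "pass", "pwd", "archive_password"}


def load_manifest(item_dir: Path) -> dict:
    """Parse project.json; an unreadable or missing manifest counts as empty."""
    try:
        return json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return {}


def json_password_keys(path: Path) -> list:
    """Top-level keys of a JSON object whose names suggest a stored archive password."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return []
    if not isinstance(data, dict):
        return []
    return [k for k, v in data.items() if k.lower() in PASSWORD_KEYS and isinstance(v, str)]


def archive_payloads(path: Path) -> list:
    """Executable or script entries inside a zip (rar/7z need their own reader)."""
    if path.suffix.lower() != ".zip":
        return []
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if Path(n).suffix.lower() in EXEC_EXT]
    except zipfile.BadZipFile:
        return []


def triage_item(item_dir: Path) -> list:
    """Return sorted, human-readable findings; an empty list means nothing flagged."""
    findings = []
    manifest = load_manifest(item_dir)
    if str(manifest.get("type", "")).lower() == "application":
        findings.append(f"application wallpaper: runs {manifest.get('file', '?')} as the desktop")
    for path in item_dir.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in ARCHIVE_EXT:
            findings.append(f"bundled archive: {path.name}")
            if PASSWORD_IN_NAME.search(path.stem):
                findings.append(f"password-like token in archive name: {path.name}")
            payloads = archive_payloads(path)
            if payloads:
                findings.append(f"executables/scripts inside {path.name}: {', '.join(sorted(payloads))}")
        elif suffix == ".json" and path.name != "project.json":
            for key in json_password_keys(path):
                findings.append(f"password key '{key}' in config {path.name}")
    return sorted(findings)


def build_sample_item(root: Path) -> Path:
    """Constructed sample item that exercises every check above."""
    item = root / "3000000000"  # placeholder Workshop item id
    item.mkdir()
    (item / "project.json").write_text(json.dumps({"title": "demo", "type": "application", "file": "game.exe"}))
    (item / "game.exe").write_bytes(b"MZ")
    with zipfile.ZipFile(item / "payload_pw_hunter2.zip", "w") as zf:
        zf.writestr("Synaptics.exe", "MZ")   # artifact name from the advisory
        zf.writestr("run.bat", "@echo off")
    (item / "config.json").write_text(json.dumps({"archive_password": "hunter2"}))
    return item


def demo() -> list:
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_item(build_sample_item(Path(tmp)))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Point triage_item() at each item directory under the Wallpaper Engine workshop content folder before applying anything; any non-empty result is grounds to hold the item for an antivirus or EDR scan rather than applying it. The manifest check alone already isolates the "application" type the advisory singles out, and the archive and JSON checks catch both packaging variants it describes.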
| Type | Value |
|---|---|
| MD5 | 95856f2ce428c728d9781d3296558068 af080780cca2acd1d082ce01e7cc346a c133c3dd9f7d6934598025047df41abf d1693bbff456ae8fa3360446706df6da 8c2cc585ad8a13a72a704c0fda0c9854 b9fa763a53da3eea742d0f3c845a8c09 ded08ae5df7f1b12e5fdb767dbbed0b1 20965254e29104986e11939decd39549 18dedc0009f0927cba6425c84cce9883 0f4f01c6d495abb37403072dd017ce8d 5620f01284329f561b1839a36be55355 fe1f6485013cd5e6d5cf718049b0b8d6 74414ed4b63aadec039b603c32762b80 |
| SHA256 | |
| IPv4 | 202[.]144[.]192[.]29 120[.]48[.]156[.]17 |
| URLs | hxxp[:]//202[.]144[.]192[.]29 hxxp[:]//202[.]144[.]192[.]29/audit[.]php hxxp[:]//202[.]144[.]192[.]29/download2/Themes2[.]zip hxxp[:]//120[.]48[.]156[.]17 hxxp[:]//120[.]48[.]156[.]17/ey[.]php?ka=user1&id hxxp[:]//brightly[.]to hxxp[:]//brightly[.]to/download2/Themes2[.]zip hxxps[:]//www[.]dropbox[.]com/s/zhp1b06imehwylq/Synaptics[.]rar?dl=1 hxxps[:]//docs[.]google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3603213159 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3591930233 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3584318845 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3436875036 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3633494498 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3556591375 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3635875825 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3601924072 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3605588743 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3553253793 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3462675635 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3605621824 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3610240788 hxxps[:]//steamcommunity[.]com/sharedfiles/filedetails/?id=3610366547 |
| Technique | Sub-technique |
|---|---|
| Stage Capabilities | T1608.001 — Upload Malware |
| User Execution | T1204.002 — Malicious File |
| Obfuscated Files or Information | T1027.013 — Encrypted/Encoded File |
| Masquerading | T1036.005 — Match Legitimate Name or Location |
| File and Directory Discovery | No sub-technique |
| Application Layer Protocol | T1071.001 — Web Protocols |
| Exfiltration Over C2 Channel | No sub-technique |
| Resource Hijacking | T1496.001 — Compute Hijacking |
| Data Encrypted for Impact | No sub-technique |