Hackers Hide Crypto-Stealing Malware in Anime Wallpapers on Steam, Targeting Millions of Gamers

Cybersecurity researchers have uncovered a widespread malware campaign that uses anime-themed desktop wallpapers to infect gamers with software capable of stealing cryptocy wallets, browser passwords, Steam accounts, and other sensitive data. The attack exploits Wallpaper Engine, one of Steam’s most popular desktop customization applications, by disguising malware as animated wallpapers distributed through the Steam Workshop. Researchers warn that some of the infected wallpapers were downloaded thousands—and in some cases tens of thousands—of times before being removed.

The discovery highlights a growing trend in cybercrime where attackers are abusing trusted platforms instead of relying on phishing emails or fake websites. Because the malicious files were hosted through Steam’s official community platform, many users assumed the downloads were safe, allowing the malware to spread rapidly among gamers and cryptocy holders.

How the Attack Worked

According to cybersecurity firm Kaspersky, attackers targeted Wallpaper Engine’s “Application Wallpaper” feature, which allows wallpapers to run executable programs on a Windows computer. While the feature enables developers to create interactive wallpapers, calendars, mini-games, and other desktop applications, it also provides an opportunity for attackers to execute malicious code under the guise of legitimate content.

Rather than simply displaying animated backgrounds, the infected wallpapers secretly installed malware as soon as users activated them. In many cases, the wallpapers functioned normally, making it difficult for victims to realize their computers had been compromised.

Crypto Wallets and Steam Accounts Were Primary Targets

Researchers identified multiple malware families hidden inside the wallpaper packages, including:

• Lumma infostealer
• Vidar infostealer
• DarkKomet backdoor
• RenEngine loader
• Cryptocy miners
• Ransomware payloads

These programs were designed to steal cryptocy wallet credentials, browser passwords, saved login information, Steam session tokens, and other sensitive files. In some cases, attackers hijacked victims’ Steam accounts and used those compromised accounts to upload additional malicious wallpapers, helping the campaign spread even further.

Because many cryptocy wallets store credentials within browsers or desktop applications, infected users risked losing access to both gaming accounts and digital assets.

Anime Wallpapers Helped Hide the Malware

Many of the malicious wallpapers featured popular anime-style female characters, allowing them to blend naturally into one of Steam Workshop’s most popular content categories.

Researchers believe the visual style was intentionally chosen because anime-themed wallpapers consistently receive large download volumes from Wallpaper Engine users. The familiar appearance reduced suspicion while increasing the likelihood that gamers would install the files without carefully inspecting them.

Kaspersky noted that the campaign does not appear to be operated by a single hacking group. Instead, multiple independent threat actors were observed using similar techniques to distribute malware through the platform.

Valve Removed the Infected Wallpapers

After receiving Kaspersky’s report, Valve removed the identified malicious wallpaper packages from Steam Workshop. However, researchers caution that new malicious uploads can appear at any time because Steam Workshop allows users to continuously publish new community content. Simply seeing a high download count or positive ratings should not be considered proof that a wallpaper is safe. Several infected files accumulated tens of thousands of downloads before they were detected and removed.

The campaign primarily targeted users in China and Russia, but infections were also identified in Germany, Singapore, Hong Kong, Vietnam, India, Canada, and several other countries.

How Users Can Protect Themselves

Security researchers recommend several precautions for anyone using Wallpaper Engine or downloading community-created content through Steam:

• Download wallpapers only from trusted creators with established reputations.
• Keep antivirus software enabled and updated.
• Avoid application-based wallpapers unless you fully trust the publisher.
• Scan downloaded files before installing them.
• Enable two-factor authentication on both Steam and cryptocy accounts.
• Avoid storing large cryptocy holdings in browser-based wallets on gaming PCs.

These steps can significantly reduce the risk of malware infections and unauthorized account access.