Wallpaper Engine Malware Hijacks Steam Workshop to Steal Crypto Wallet Data
Kaspersky discovered dozens of malicious Wallpaper Engine packages on Steam's Workshop containing Lumma and Vidar infostealers designed to harvest cryptocurrency wallet data and browser credentials. The malware, which accumulated thousands of installations, represents a sophisticated supply-chain attack exploiting a legitimate platform to target crypto users.
The Wallpaper Engine malware campaign demonstrates how threat actors continue to exploit legitimate distribution channels to reach cryptocurrency users at scale. By disguising infostealers within seemingly benign wallpaper downloads—either hidden in password-protected archives or bundled directly into files—attackers bypass traditional security measures and gain access to high-value targets. Kaspersky's identification of dozens of malicious packages with thousands of combined installations suggests the campaign operated successfully for an extended period before detection.
This incident fits within a broader pattern of Steam-based malware distribution that has drawn FBI attention. Previous investigations documented similar attacks through titles like PirateFi and Tokenova, indicating that gaming platforms have become preferred vectors for crypto-targeting malware. The consistency of these campaigns highlights a structural vulnerability: Steam's decentralized Workshop system, while democratizing content creation, creates enforcement challenges that malicious actors systematically exploit.
For cryptocurrency users and investors, this attack underscores the persistent threat landscape surrounding wallet security and credential theft. Lumma and Vidar infostealers specifically target browser cookies, passwords, and wallet extensions—assets that directly enable account takeovers and fund theft. The use of legitimate applications as infection vectors means traditional antivirus solutions may overlook threats, placing responsibility on individual users to verify application authenticity.
Moving forward, platforms like Steam face pressure to implement stricter vetting procedures for Workshop submissions, particularly for packages targeting technical audiences. Users should adopt hardware wallet solutions and multi-signature authentication to mitigate infostealer risks. The incident reveals that security vulnerabilities in gaming ecosystems have direct financial consequences for the crypto community.
- Malicious Wallpaper Engine packages with thousands of installations deployed Lumma and Vidar infostealers targeting crypto wallets and browser credentials.
- Threat actors hid malware in password-protected archives and bundled payloads within legitimate-appearing wallpaper files to evade detection.
- Steam Workshop's decentralized model creates enforcement gaps that criminals exploit for supply-chain attacks against high-value crypto users.
- The FBI has previously investigated Steam-distributed malware across multiple crypto-related titles, indicating a systemic problem.
- Users should prioritize hardware wallets and multi-signature authentication rather than relying solely on browser-based wallet security.
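
One way to triage downloaded Workshop content for the two delivery methods described above (password-protected archives and payloads bundled into wallpaper files), as an added example that is not from Kaspersky or the original article. The directory to scan is supplied by the caller, and the function names and the list of flagged extensions are assumptions; a hit is a prompt for manual review, not a verdict.

```python
import sys
import zipfile
from pathlib import Path

# Magic bytes of archive formats this sketch recognises but cannot look inside.
OPAQUE_ARCHIVES = {b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7z"}
# Assumed list of extensions worth a second look inside a wallpaper package.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

def triage_file(path):
    """Return a list of findings (strings) for one file; empty if nothing stands out."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:2] == b"MZ":
        findings.append("PE executable header")
    for magic, name in OPAQUE_ARCHIVES.items():
        if head.startswith(magic):
            findings.append(f"{name} archive (contents not inspected)")
    if zipfile.is_zipfile(path):
        try:
            with zipfile.ZipFile(path) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return findings + ["ZIP archive that fails to parse"]
        # Bit 0 of the general-purpose flags marks an encrypted entry.
        if any(i.flag_bits & 0x1 for i in infos):
            findings.append("ZIP with password-protected entries")
        # Entry names are normally readable even when the data is encrypted.
        if any(i.filename.lower().endswith(EXECUTABLE_SUFFIXES) for i in infos):
            findings.append("ZIP listing executable file names")
    return findings

def triage_tree(root):
    """Map each flagged file under root to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            try:
                findings = triage_file(path)
            except OSError:
                findings = ["unreadable"]
            if findings:
                results[str(path)] = findings
    return results

if __name__ == "__main__":
    for name, findings in triage_tree(sys.argv[1]).items():
        print(name, "->", "; ".join(findings))
```

Run it against the folder where Workshop items were downloaded; files it flags can then be checked by hash or in a sandbox before the package is used.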