Dozens of malicious wallpapers found on Steam Workshop: gamers’ accounts at risk
Cybercriminals are abusing the 'application wallpapers' feature of Wallpaper Engine on Steam Workshop to distribute malware, including DarkKomet, Lumma, and Vidar. The malicious wallpapers drop backdoors and patched system libraries to hijack active Steam sessions, primarily targeting gamers in China and Russia.
Indicators:
- Domain: brightly[.]to - C2 domain hosting malicious payloads and receiving exfiltrated data.
- Filename: AggregatorHost.dll - Patched system library used to hunt for Steam processes and steal session credentials.
- Filename: ._cache_GAME1.exe - Executable that launches the benign game interface while simultaneously installing the malicious DLL.
- Filename: Synaptics.exe - Backdoor executable (DarkKomet family) dropped by the malicious wallpaper.
- IP: 120[.]48[.]156[.]17 - C2 server IP address receiving stolen Steam session credentials.
- IP: 202[.]144[.]192[.]29 - C2 server IP address used in the malicious wallpaper campaign.
What Happened
Hackers are hiding malicious software inside custom animated wallpapers shared on the Steam Workshop for the popular app Wallpaper Engine. This campaign primarily affects gamers in China and Russia who download these custom backgrounds. It matters because downloading these infected files can lead to stolen Steam account credentials, or leave computers infected with programs that secretly mine cryptocurrency or lock files for ransom. Users should be cautious when downloading interactive wallpapers and ensure their antivirus software is active and up to date.
Key Takeaways
- Attackers are exploiting Wallpaper Engine's 'application wallpapers' feature on Steam Workshop to distribute malware.
- The campaign primarily targets gamers in China (89%) and Russia, aiming to hijack Steam accounts.
- Malware payloads include DarkKomet, Lumma, Vidar infostealers, and the RenEngine loader.
- The attack chain involves dropping a backdoor (Synaptics.exe) and a patched system library (AggregatorHost.dll) to steal Steam session data.
- Stolen session credentials are exfiltrated to attacker-controlled C2 servers to hijack accounts and upload more malicious wallpapers.
Affected Systems
- Windows systems running Steam and Wallpaper Engine
Attack Chain
The victim downloads a malicious 'application wallpaper' from the Steam Workshop via Wallpaper Engine. Upon execution, the wallpaper drops a backdoor named Synaptics.exe into C:\ProgramData\Synaptics\ and launches ._cache_GAME1.exe. This secondary executable runs the benign game interface while simultaneously installing a patched AggregatorHost.dll. The modified DLL searches for steam.exe or steamchina.exe processes, hijacks the active Steam session, and exfiltrates the session credentials to an attacker-controlled C2 server.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Kaspersky
The article does not provide raw detection rules, but lists Kaspersky heuristic and generic detection verdicts (e.g., HEUR:Trojan-PSW.Win32.gen).
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions should easily detect the dropping of executables (Synaptics.exe) in ProgramData, the execution of unverified binaries from Steam Workshop directories, and anomalous process injection or memory reading targeting steam.exe.
- Network Visibility: Medium — Network monitoring can detect outbound HTTP connections to known C2 IPs or unusual domains, though Steam traffic itself is noisy.
- Detection Difficulty: Moderate — While the malware uses legitimate platforms (Steam) for delivery, the post-exploitation behavior (dropping executables in ProgramData, reading Steam process memory) is highly anomalous and detectable.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- File Creation (Sysmon Event ID 11)
- Network Connections (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for the creation or execution of 'Synaptics.exe' from the 'C:\ProgramData\Synaptics' directory, which is highly anomalous for legitimate Synaptics drivers. | File Creation, Process Creation | Persistence / Execution | Low |
| Look for unexpected child processes spawned by Wallpaper Engine or Steam Workshop application files, particularly those dropping DLLs or EXEs. | Process Creation | Execution | Medium |
| Monitor for unauthorized processes attempting to read the memory of 'steam.exe' or 'steamchina.exe' to detect session hijacking attempts. | Process Access / API Calls | Credential Access | Medium |
Control Gaps
- Lack of application control/whitelisting for Steam Workshop executables
- Insufficient memory protection for user-mode applications like Steam
Key Behavioral Indicators
- Creation of AggregatorHost.dll in non-standard directories or with mismatched hashes
- Execution of files named ._cache_GAME1.exe
- Outbound HTTP requests to bare IP addresses from game-related processes
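The hunting hypotheses and behavioral indicators above can be expressed as a few rules over endpoint telemetry. The following is an added example, not code from the original report or from Kaspersky: it applies those rules to constructed Sysmon-style events (process create, file create, network connection). The Wallpaper Engine process names, the System32 location assumed for a legitimate AggregatorHost.dll, the path hints used to call a process "game-related", and the sample events are all assumptions.

```python
# Assumptions (not from the report): Wallpaper Engine host process names, where a
# legitimate AggregatorHost.dll lives, and path hints marking a process "game-related".
WALLPAPER_ENGINE_IMAGES = {"wallpaper32.exe", "wallpaper64.exe"}
LEGIT_AGGREGATORHOST_DIR = r"c:\windows\system32"
GAME_PATH_HINTS = ("steam", "wallpaper_engine", "workshop")
SYNAPTICS_PATH = r"c:\programdata\synaptics\synaptics.exe"   # drop location from the report

def _base(path):      # file name, lower-cased
    return path.rsplit("\\", 1)[-1].lower()
def _dirname(path):   # containing directory, lower-cased
    return path.rsplit("\\", 1)[0].lower()

def hunt(events):
    """Apply the report's behavioral indicators to simplified Sysmon-style events
    (id 1 = process create, 11 = file create, 3 = network) and return one finding each."""
    findings = []
    for e in events:
        img = e.get("image", "")
        if e["id"] == 11:  # File Creation (Sysmon 11)
            tgt = e["target"]
            if tgt.lower() == SYNAPTICS_PATH:
                findings.append(f"synaptics_drop: {img} wrote {tgt}")
            if _base(tgt) == "aggregatorhost.dll" and _dirname(tgt) != LEGIT_AGGREGATORHOST_DIR:
                findings.append(f"aggregatorhost_outside_system32: {img} wrote {tgt}")
        elif e["id"] == 1:  # Process Creation (Sysmon 1 / Windows 4688)
            if img.lower() == SYNAPTICS_PATH:
                findings.append(f"synaptics_exec: {img}")
            if _base(img) == "._cache_game1.exe":
                findings.append(f"cache_game1_exec: {img}")
            parent = _base(e.get("parent", ""))
            if parent in WALLPAPER_ENGINE_IMAGES and _base(img) not in WALLPAPER_ENGINE_IMAGES:
                findings.append(f"wallpaper_engine_child: {img}")
        elif e["id"] == 3:  # Network Connection (Sysmon 3)
            bare_ip = not e.get("dest_host")   # no hostname: the process connected by IP literal
            game_proc = any(h in img.lower() for h in GAME_PATH_HINTS)
            if bare_ip and e.get("dest_port") == 80 and game_proc:
                findings.append(f"bare_ip_http: {img} -> {e['dest_ip']}:80")
    return findings

# Constructed sample telemetry (not real logs); 203.0.113.0/24 is a documentation range.
WE = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper64.exe"
PROJ = r"C:\Users\alice\wallpaper_engine\projects"
SAMPLE_EVENTS = [
    {"id": 11, "image": WE, "target": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": 1, "image": r"C:\ProgramData\Synaptics\Synaptics.exe", "parent": WE},
    {"id": 1, "image": PROJ + r"\._cache_GAME1.exe", "parent": WE},
    {"id": 11, "image": PROJ + r"\._cache_GAME1.exe", "target": r"C:\Users\alice\AppData\Roaming\AggregatorHost.dll"},
    {"id": 3, "image": PROJ + r"\GAME1.exe", "dest_ip": "203.0.113.10", "dest_port": 80, "dest_host": ""},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\AggregatorHost.dll"},  # benign
    {"id": 3, "image": r"C:\Program Files (x86)\Steam\steam.exe", "dest_ip": "203.0.113.20", "dest_port": 443, "dest_host": "steamcommunity.com"},  # benign
]
```

The two benign events produce no findings, while each malicious process-creation event fires twice because the parent-process rule (hypothesis 2) overlaps with the file-name rules; tune the allowlist of expected Wallpaper Engine children before deploying.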
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If applicable, block the identified C2 IP addresses and domains at the network perimeter.
- Search endpoint telemetry for the presence of 'Synaptics.exe' in the 'C:\ProgramData\Synaptics' directory.
Infrastructure Hardening
- Consider implementing application control policies to restrict the execution of unapproved binaries from user-writable directories.
User Protection
- Ensure endpoint antivirus and EDR solutions are active, updated, and configured to scan downloaded files.
- If Steam is permitted on corporate assets, consider restricting the use of Wallpaper Engine or its 'application wallpapers' feature.
Security Awareness
- Educate users about the risks of downloading executable content disguised as media or wallpapers from community workshops.
MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File
- T1036 - Masquerading
- T1539 - Steal Web Session Cookie
- T1059 - Command and Scripting Interpreter
- T1071.001 - Application Layer Protocol: Web Protocols
Additional IOCs
- IPs:
  - 120[.]48[.]156[.]17 - C2 server IP address
  - 202[.]144[.]192[.]29 - C2 server IP address
- Domains:
  - brightly[.]to - C2 domain
- File Paths:
  - C:\ProgramData\Synaptics\Synaptics.exe - Path where the DarkKomet backdoor is dropped.