Full Report
Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform's built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia.
Analysis Summary
Summary of the 2025-2026 Steam Workshop campaign.
# Tool/Technique: Malicious Steam Workshop Wallpapers
## Overview
This campaign involves attackers uploading malicious "wallpapers" to the Steam Workshop, specifically targeting users of the "Wallpaper Engine" application. By abusing the platform's trust and its automated content delivery (subscribing to an item makes the Steam client download it, and Wallpaper Engine loads it, with no further user action), attackers distribute malware disguised as legitimate customization content to gamers, primarily in Russia and China.
## Technical Details
- **Type:** Malware (Trojan / Infostealer)
- **Platform:** Windows (via Steam Client / Wallpaper Engine)
- **Capabilities:** Credential theft, account takeover, session hijacking, and code execution on the victim machine via malicious scripts or executables bundled with wallpaper assets.
- **First Seen:** Late 2025
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain] (Abusing a trusted content platform as the delivery channel)
- **[TA0002 - Execution]**
- [T1204.002 - User Execution: Malicious File]
- [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols] (HTTPS)
## Functionality
### Core Capabilities
- **Social Engineering:** Uses attractive or trending "wallpaper" themes (often adult-themed or trending game art) to entice downloads.
- **Data Exfiltration:** Harvests Steam session tokens, browser cookies, and saved passwords to facilitate account hijacking.
- **Persistence:** Achieved by re-delivery rather than by a conventional autostart entry: the malicious item stays subscribed in the victim's Steam account, so the Steam client keeps it on disk and Wallpaper Engine reloads it every time it runs. Unsubscribing removes the item itself but not any second-stage payload it has already dropped.
### Advanced Features
- **Geographic Targeting:** Item titles, descriptions and preview text localized for Russian and Chinese audiences to maximize infection rates in those regions.
- **Steam API Abuse:** Some variants use the Steam API to further spread via the victim's friends list or by automatically posting positive reviews on the malicious Workshop item to increase its visibility.
## Indicators of Compromise
- **File Names:** `project.json` (maliciously modified), `wallpaper.mp4.exe`, `scene.pkg` (injected with shellcode). Note that `project.json` and `scene.pkg` are the normal file names of any Wallpaper Engine item, so their presence alone is not an indicator; only their contents are.
- **Network Indicators:**
- `http[:]//steam-community[.]ru/auth` (Defanged phishing/C2)
- `https[:]//api-steam[.]cloud/` (Defanged C2)
- `cdn.discordapp[.]com/attachments/...` (Used for hosting second-stage payloads)
- **Behavioral Indicators:**
- `wallpaper32.exe` or `wallpaper64.exe` spawning `cmd.exe` or `powershell.exe`.
- Unexpected outbound connections to non-Valve/Steam IP addresses from the Wallpaper Engine process.
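The two behavioral indicators above can be checked mechanically over process-creation and network telemetry. The following is an added example, not code from the original report or from Valve or Wallpaper Engine. It reads Sysmon-style Event ID 1 (process creation) and Event ID 3 (network connection) records, walks the parent chain rather than only the immediate parent (so a `cmd.exe` that in turn launches `powershell.exe` is still attributed to the wallpaper process), and flags wallpaper-process connections to addresses outside an operator-supplied allowlist. The events, GUIDs, paths and the `192.0.2.0/24` allowlist are constructed placeholders; the page does not list Valve's address ranges, so the allowlist must be populated from your own environment.

```python
"""Flag interpreters descended from Wallpaper Engine and off-allowlist connections.

Added example: consumes Sysmon-style records (Event ID 1 = process creation,
Event ID 3 = network connection) supplied here as constructed JSON lines.
"""
import ipaddress
import json

WALLPAPER_PROCS = {"wallpaper32.exe", "wallpaper64.exe"}
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
MAX_DEPTH = 8  # stop walking the parent chain after this many hops

# Placeholder allowlist (TEST-NET-1). Replace with the Steam/Valve ranges your
# telemetry actually shows; the report does not enumerate them.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample telemetry, not real logs. GUIDs, paths and the command
# lines are invented; only process names and the parent/child layout matter.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{A-1}", "ParentProcessGuid": "{A-0}", "Image": "C:\\Program Files (x86)\\Steam\\steam.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "steam.exe"}
{"EventID": 1, "ProcessGuid": "{A-2}", "ParentProcessGuid": "{A-1}", "Image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\wallpaper_engine\\wallpaper64.exe", "ParentImage": "C:\\Program Files (x86)\\Steam\\steam.exe", "CommandLine": "wallpaper64.exe"}
{"EventID": 1, "ProcessGuid": "{A-3}", "ParentProcessGuid": "{A-2}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\wallpaper_engine\\wallpaper64.exe", "CommandLine": "cmd.exe /c start /b powershell -w hidden -ep bypass -f stage.ps1"}
{"EventID": 1, "ProcessGuid": "{A-4}", "ParentProcessGuid": "{A-3}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -w hidden -ep bypass -f stage.ps1"}
{"EventID": 1, "ProcessGuid": "{A-5}", "ParentProcessGuid": "{A-0}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "ProcessGuid": "{A-2}", "Image": "C:\\Program Files (x86)\\Steam\\steamapps\\common\\wallpaper_engine\\wallpaper64.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _name(image):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def interpreter_hits(events):
    """Return interpreters whose ancestry (up to MAX_DEPTH hops) contains a wallpaper process."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for event in by_guid.values():
        if _name(event["Image"]) not in INTERPRETERS:
            continue
        chain = [_name(event["Image"])]
        current = event
        for _ in range(MAX_DEPTH):
            parent = by_guid.get(current.get("ParentProcessGuid"))
            if parent is None:
                # Parent was created before logging started: use the name
                # Sysmon recorded on the child, then stop.
                chain.append(_name(current["ParentImage"]))
                break
            chain.append(_name(parent["Image"]))
            current = parent
        if WALLPAPER_PROCS & set(chain[1:]):
            hits.append({
                "process": chain[0],
                "chain": " <- ".join(chain),
                "cmdline": event.get("CommandLine", ""),
            })
    return hits


def network_hits(events, allowed_networks):
    """Return wallpaper-process connections whose destination is outside the allowlist."""
    hits = []
    for event in events:
        if event.get("EventID") != 3 or _name(event["Image"]) not in WALLPAPER_PROCS:
            continue
        ip = ipaddress.ip_address(event["DestinationIp"])
        if not any(ip in net for net in allowed_networks):
            hits.append({"dest": f"{event['DestinationIp']}:{event['DestinationPort']}"})
    return hits


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in interpreter_hits(SAMPLE_EVENTS):
        print("interpreter:", hit["chain"], "|", hit["cmdline"])
    for hit in network_hits(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print("network:", hit["dest"])
```

On the sample, the direct child `cmd.exe` and the grandchild `powershell.exe` are both reported with their full chain back to `steam.exe`, while the `cmd.exe` launched from `explorer.exe` is not. Keying on `ProcessGuid` rather than `ProcessId` matters in real telemetry because PIDs are reused.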
## Associated Threat Actors
- **Uncategorized/Emerging:** Currently attributed to financially motivated threat actors focusing on "Steam Stealers" and the resale of high-value gaming accounts.
## Detection Methods
- **Signature-based detection:** Modern AV/EDR solutions flag extracted `.exe` or script files within the Steam `steamapps/workshop/content/` folder.
- **Behavioral detection:** Monitoring for child processes initiated by `wallpaper32.exe` or `wallpaper64.exe`.
- **Manual Verification:** Inspecting the `project.json` in downloaded Steam Workshop folders for suspicious "script" or "plugin" entries that point to external URLs.
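The signature-based and manual checks above can be scripted. The following is an added example, not code from the original report or from Wallpaper Engine: it walks a workshop item folder, flags executable and double-extension files (such as `wallpaper.mp4.exe`), checks whether `project.json` points its entry point at an executable, and reports any string in `project.json` that carries a URL to a host outside a small Steam allowlist. The allowlist, the sample items, their IDs and the `payload.example.invalid` host are constructed for the example; `431960` is assumed here to be Wallpaper Engine's Steam app ID, which is how the `workshop/content/` tree is keyed.

```python
"""Scan Wallpaper Engine workshop item folders for content a wallpaper should not carry.

Added example. Checks: executable/double-extension files anywhere in the item,
a project.json whose entry point ("file") is an executable, and project.json
strings that reference URLs on hosts other than Steam's own.
"""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
             ".vbs", ".hta", ".lnk", ".msi"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Hosts a workshop item may legitimately name (assumption for this example).
ALLOWED_HOSTS = {"steamcommunity.com", "store.steampowered.com"}


def _strings(obj, path="project.json"):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_item(item_dir: Path) -> list[str]:
    """Return a list of human-readable findings for one workshop item folder."""
    findings = []
    for path in sorted(item_dir.rglob("*")):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] in EXEC_EXTS:
            # "a.mp4.exe" has two suffixes; a name like "v1.2.exe" would also
            # trip this, which is acceptable for a triage tool.
            kind = "double-extension executable" if len(suffixes) > 1 else "executable"
            findings.append(f"{kind}: {path.relative_to(item_dir).as_posix()}")

    project = item_dir / "project.json"
    if project.is_file():
        try:
            data = json.loads(project.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError) as exc:
            return findings + [f"project.json unreadable: {exc}"]
        if isinstance(data, dict):
            entry = data.get("file", "")
            if Path(entry).suffix.lower() in EXEC_EXTS:
                findings.append(f"entry point is executable: {entry}")
        for json_path, value in _strings(data):
            for url in URL_RE.findall(value):
                host = (urlparse(url).hostname or "").lower()
                if host not in ALLOWED_HOSTS:
                    findings.append(f"external URL at {json_path}: {url}")
    return findings


def build_sample(root: Path) -> dict[str, Path]:
    """Write two constructed workshop items under root (not real items) and return them."""
    app_dir = root / "431960"  # assumed Wallpaper Engine app id; item ids below are invented
    benign = app_dir / "1000000001"
    benign.mkdir(parents=True)
    (benign / "project.json").write_text(json.dumps(
        {"title": "Sunset", "type": "video", "file": "sunset.mp4"}))
    (benign / "sunset.mp4").write_bytes(b"\x00" * 16)

    suspicious = app_dir / "1000000002"
    suspicious.mkdir(parents=True)
    (suspicious / "project.json").write_text(json.dumps({
        "title": "Trending Art Pack", "type": "scene", "file": "scene.pkg",
        "general": {"properties": {"loader": {
            "value": "https://payload.example.invalid/stage2"}}},
    }))
    (suspicious / "scene.pkg").write_bytes(b"\x00" * 16)
    (suspicious / "wallpaper.mp4.exe").write_bytes(b"MZ")
    return {"benign": benign, "suspicious": suspicious}


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan both items, return findings by name."""
    with tempfile.TemporaryDirectory() as tmp:
        items = build_sample(Path(tmp))
        return {name: scan_item(path) for name, path in items.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or ["clean"])
```

To run it against a live install, call `scan_item` on each directory under `steamapps/workshop/content/431960/`. Web-type wallpapers legitimately contain `.html` and `.js`, which is why those extensions are deliberately not in `EXEC_EXTS`; a `.js` file is worth reading, not auto-flagging.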
## Mitigation Strategies
- **Prevention measures:**
- Avoid subscribing to Steam Workshop items with no ratings or comments, or published from newly created accounts.
- Disable "Enable Scripts" or "Plugin Support" within the Wallpaper Engine settings if not strictly required.
- **Hardening recommendations:**
- Enable Steam Guard (Mobile Authenticator) so that a stolen password alone is not enough to log in. Note that a stolen live session token bypasses this check, so if compromise is suspected, change the Steam password and use "Deauthorize all other devices" in the Steam Guard settings to invalidate existing sessions.
- Sign out of Steam in web browsers when not in use rather than relying on long-lived sessions, and clear browser cookies after a suspected infection.
## Related Tools/Techniques
- **Steam Stealers:** Generic class of malware designed to hijack Steam accounts.
- **Abuse of trusted infrastructure:** Using legitimate Steam and Discord CDN infrastructure to host and distribute malicious payloads, so that downloads come from domains defenders already allow. This is distinct from Living-off-the-Land (LotL), which describes the use of built-in system tools such as `cmd.exe` and `powershell.exe` noted under Behavioral Indicators above.