The Steam Workshop Is Being Used To Spread Malware To Thousands Of Users
One of the best arguments for buying games through Steam is the Steam Workshop. This community hub lets users seamlessly download and install mods for their favorite games. No searching for the right files and the folders they go in; Steam Workshop does all the hard work. However, since all the content is user-created, sometimes malicious coders upload virus-laden items, and victims are often none the wiser.
Earlier this week, Kaspersky (yes, the company that made an antivirus suite the FCC called a national security threat) blew the whistle on a new virus that hijacks Steam user accounts. This news came several months after the FBI warned about seven Steam games hiding malware. According to Kaspersky, hackers are exploiting the sharing features of Steam Workshop's Wallpaper Engine. Unlike your average computer wallpaper, the Wallpaper Engine specializes in animated wallpapers (think the animated backgrounds you can get on your Xbox Series X/S and PlayStation 5), so there's more space for hackers to hide malicious code.
Kaspersky's analysis indicates that while only "dozens" of these malware-laden wallpapers exist, they are extremely popular — each has been downloaded thousands or tens of thousands of times. While anyone who installs the wallpapers will get infected, currently the people who built them are mostly targeting Chinese players. How so? The art styles and titles are "tailored specifically to them." 89% of all victims hail from China, followed by Russia at 5.5%.
How the virus functions
As previously stated, the virus is designed to attract people with certain sensibilities. The wallpapers lure victims in with images of women that can be best described as waifu material. Once downloaded, the malware springs into action.
According to Kaspersky's analysis, once the wallpaper is launched, it installs a backdoor and an executable file that acts as a "game" while also digging for Steam account credentials. Once the executable has what it needs, it sends the data to a server that the hacker owns. From there, they have full control over your account: they can change your password, steal your credit card information, and upload more infected wallpapers under your name. Oh, and they can also hide all of your files behind ransomware and install crypto miner software if they want.
Kaspersky claims the malware is spread in two ways. The first is the most straightforward: hackers draw from an archive of wallpapers compromised with malicious EXE files, DLLs, and scripts. However, Kaspersky says some versions of the malware spread by turning victims into unwitting gofers. Basically, the target is tricked into accessing a password-protected archive containing the malware by entering its password themselves. Sometimes, though, the hacker bundles a script that does it for them — not all of us are technologically literate enough to shoot ourselves in the foot.
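The article's description of the delivery method (wallpaper packages that quietly carry EXE files, DLLs, scripts, and password-protected archives) suggests a simple triage check a defender can run before trusting a Workshop folder. The following script is an added example written for this page; it is not Kaspersky's tooling or Wallpaper Engine's own code. It walks each Workshop item folder, flags executable and script file types, archives, and files whose contents start with the "MZ" PE header even though their name says otherwise, and runs against a constructed sample tree built in a temporary directory. The `project.json` manifest with a `"type"` field, the item folder layout, and all file names and IDs in the sample are assumptions made for the demo.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Suffixes a wallpaper package has no reason to carry (list constructed from the
# article's description: EXE files, DLLs and scripts). Extend as needed.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".py", ".pyc"}
# Archives are worth a look because the article describes password-protected
# archives that the victim is tricked into unpacking.
ARCHIVE_SUFFIXES = {".zip", ".7z", ".rar"}


def inspect_item(item_dir: Path) -> list[str]:
    """Return the reasons one Workshop item looks suspicious (empty list = nothing found)."""
    reasons: list[str] = []
    # Assumption: each item carries a project.json with a "type" field, and the
    # "application" type legitimately launches a program, so it is worth noting.
    manifest = item_dir / "project.json"
    if manifest.is_file():
        try:
            wtype = json.loads(manifest.read_text(encoding="utf-8")).get("type")
        except (ValueError, OSError):
            wtype = None
        if wtype == "application":
            reasons.append("manifest: type=application (runs a program by design)")
    for path in sorted(item_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(item_dir).as_posix()
        suffix = path.suffix.lower()
        if suffix in EXECUTABLE_SUFFIXES:
            reasons.append(f"executable or script: {rel}")
        elif suffix in ARCHIVE_SUFFIXES:
            reasons.append(f"archive: {rel}")
        else:
            # Catch executables renamed to look like media: PE files start with "MZ".
            with path.open("rb") as fh:
                if fh.read(2) == b"MZ":
                    reasons.append(f"PE header under non-executable name: {rel}")
    return reasons


def scan_workshop_content(root: Path) -> dict[str, list[str]]:
    """Map each item folder name (the Workshop item ID) to its findings; clean items are omitted."""
    findings: dict[str, list[str]] = {}
    for item_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        reasons = inspect_item(item_dir)
        if reasons:
            findings[item_dir.name] = reasons
    return findings


def build_sample_tree(base: Path) -> None:
    """Lay down a constructed Workshop folder: one clean video wallpaper and one
    wallpaper that smuggles executables. None of this is real sample data."""
    clean = base / "100000001"
    clean.mkdir(parents=True)
    (clean / "project.json").write_text('{"type": "video", "file": "loop.mp4"}')
    (clean / "loop.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42")
    (clean / "preview.jpg").write_bytes(b"\xff\xd8\xff\xe0")

    bad = base / "100000002"
    (bad / "scripts").mkdir(parents=True)
    (bad / "project.json").write_text('{"type": "scene", "file": "scene.pkg"}')
    (bad / "scene.pkg").write_bytes(b"PKGV0001")
    (bad / "launcher.exe").write_bytes(b"MZ\x90\x00")
    (bad / "scripts" / "helper.dll").write_bytes(b"MZ\x90\x00")
    (bad / "assets.zip").write_bytes(b"PK\x03\x04")
    (bad / "preview.png").write_bytes(b"MZ\x90\x00")  # executable renamed to look like an image


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_workshop_content(root)


if __name__ == "__main__":
    # Real use: call scan_workshop_content() on the Workshop content folder of your
    # Steam library instead of the demo tree, then review each flagged item by hand.
    for item, reasons in run_demo().items():
        print(item)
        for reason in reasons:
            print("  -", reason)
```

The output is a triage list, not a verdict: a wallpaper of the application type ships an executable on purpose, so every hit still needs a look (and, per the article, a scan with an up-to-date anti-malware program), but a "scene" or "video" wallpaper carrying a DLL or an archive has no business doing so.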
What you can do to stay safe
Obviously, the best way to avoid this malware is to steer clear of Steam Workshop's Wallpaper Engine for the time being. If you really need a special wallpaper, use obscure Windows apps such as WinDynamicDesktop or download Van Gogh-inspired wallpapers for your Mac. However, let's assume that you downloaded these wallpapers before reading this article. You're not doomed just yet.
Kaspersky's data shows that while the delivery method is somewhat novel, the malware itself relies on familiar faces within the cybersecurity community. These include programs such as DarkKomet, the Lumma and Vidar infostealers, and the RenEngine loader. Many existing antivirus suites (including Kaspersky's own program, obviously) can locate and quarantine these viruses. Kaspersky recommends looking for the following detections:
- HEUR:Trojan-PSW.Win32.gen
- HEUR:Trojan-PSW.Win32.Python.gen
- HEUR:Backdoor.Win32.DarkKomet
- Trojan-Dropper.Python.Agent
- HEUR:Trojan-Random.Win32.Gen.gen
- PDM:Trojan.Win32.Generic
If your anti-malware program finds any of these objects, assume your computer has been compromised. Quarantine or delete the viruses, then hire a good computer repair technician to scrub your PC. Don't forget to reset all your passwords, and set up two-factor authentication while you're at it. Just be patient and thorough, and everything should go back to normal eventually.