Wallpaper Engine 2.8.42 Removes Application Wallpapers From the Steam Workshop

Executable "application" wallpapers were used to plant backdoors and infostealers, so the type is gone from the Workshop.

Wallpaper Engine no longer accepts application wallpapers on the Steam Workshop. The change arrived with version 2.8.42 after security researchers found that this specific wallpaper type was being used to smuggle malware onto users’ PCs, including account-stealing backdoors and cryptocurrency miners.

Quick answer: As of Wallpaper Engine 2.8.42, application wallpapers can no longer be uploaded to or downloaded from the Steam Workshop. If you installed one of these executable wallpapers before the change, run a full scan with an up-to-date antivirus and remove anything it flags.

Image credit: Kristjan Skutta and Tim Eulitz

What changed in Wallpaper Engine 2.8.42

Wallpaper Engine supports four wallpaper types. Three of them render video, interactive scenes, or web pages that can play audio and video. The fourth type, application wallpapers, is different. It runs an actual Windows program and pins its window to your desktop as the background. That covers things like small games, desktop widgets, and system monitoring tools.

Because an application wallpaper is executable code, it can do anything a normal program can. Version 2.8.42 pulls this type from the Steam Workshop entirely, so new application wallpapers can’t be published, and existing ones can’t be fetched through the Workshop anymore. The other three wallpaper types are unaffected.

Why application wallpapers were abused

The executable nature of the feature is exactly what attackers exploited. Starting at least in late 2025, threat actors uploaded booby-trapped application wallpapers to the Steam Workshop and relied on Wallpaper Engine’s large user base, which has close to a million reviews on Steam, to attract victims.

The malware was hidden in two ways. Some packages carried the payload directly, while others tucked it inside a password-protected archive that users were tricked into opening. In either case, the malicious code ran automatically the moment the wallpaper was installed, so no extra click was needed to trigger the infection.

Dozens of these malicious wallpapers were circulating, and individual entries had already been downloaded thousands or even tens of thousands of times before removal. One sample posed as a game called NTRaholic. It launched normally to avoid suspicion while quietly installing a DarkKomet backdoor in the background, along with a modified system library named AggregatorHost.dll that hunted for Steam accounts on the machine and stole their credentials.

Malware families found in the wallpapers

The abuse wasn’t limited to a single group. Multiple threat actors pushed different payloads, which is why the samples span several categories of malware.

| Threat type | Examples found | What it does |
| --- | --- | --- |
| Backdoor | DarkKomet | Gives an attacker remote control of the system |
| Infostealer | Lumma, Vidar | Harvests credentials and other stored data |
| Account theft | Custom AggregatorHost.dll | Finds and steals Steam account credentials |
| Cryptomining | Miner processes | Uses your hardware to mine cryptocurrency |
| Botnet / loader | Botnet loaders, RanEngine | Pulls in and runs further malicious payloads |
| Ransomware | Various strains | Encrypts files and demands payment |

What to do if you installed an application wallpaper

Run a full system scan with an up-to-date antivirus product. This is the most reliable way to detect backdoors, infostealers, miners, and ransomware that may have been dropped by a malicious wallpaper. Quarantine or delete anything it flags.
Secure your Steam account. Because some payloads specifically targeted Steam credentials, change your password and confirm that Steam Guard is enabled. Review the list of authorized devices and sign out any you don’t recognize.
Scan anything you fetched from the Steam Workshop before installing or opening it going forward, and stick to content from trusted creators. If a wallpaper asks you to extract a password-protected archive, treat that as a red flag.

You’ll know the cleanup worked when a full antivirus scan comes back clean and your Steam sessions and devices match what you expect. If a scan keeps flagging the same files after removal, the infection may have persistence and the machine likely needs deeper remediation.
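
As an added example (not from this article or from Wallpaper Engine's developers), the following script inventories a local Workshop content folder to complement the antivirus scan: it lists item folders that are application wallpapers, contain executable files, or contain encrypted ZIP archives. It assumes each item folder holds a project.json with a "type" field, and the folder path passed on the command line is your own.

```python
import json
import zipfile
from pathlib import Path

# Assumption: each Workshop item folder holds a project.json whose "type"
# field names the wallpaper type; "application" marks executable wallpapers.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1"}

def zip_is_encrypted(path):
    """True if any member of a ZIP archive has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False  # not a readable ZIP; other archive formats are not checked

def audit_item(item_dir):
    """Return a finding dict for one Workshop item folder, or None if nothing stands out."""
    item_dir = Path(item_dir)
    wallpaper_type = "unknown"
    try:
        meta = json.loads((item_dir / "project.json").read_text(encoding="utf-8"))
        wallpaper_type = str(meta.get("type", "unknown")).lower()
    except (OSError, ValueError, AttributeError):
        pass  # missing or malformed metadata: still inspect the files
    files = [p for p in item_dir.rglob("*") if p.is_file()]
    executables = sorted(p.name for p in files if p.suffix.lower() in EXECUTABLE_SUFFIXES)
    encrypted = sorted(p.name for p in files
                       if p.suffix.lower() == ".zip" and zip_is_encrypted(p))
    if wallpaper_type == "application" or executables or encrypted:
        return {"item": item_dir.name, "type": wallpaper_type,
                "executables": executables, "encrypted_archives": encrypted}
    return None

def audit_workshop(content_dir):
    """Audit every item folder directly under a Workshop content directory."""
    findings = []
    for item_dir in sorted(Path(content_dir).iterdir()):
        if item_dir.is_dir():
            finding = audit_item(item_dir)
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit_workshop(sys.argv[1]):
        print(finding)
```

A listed item is a candidate for review and removal, not proof of infection; an empty result does not replace the full antivirus scan.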


Steam identified and removed every malicious application wallpaper that was reported, but new uploads were expected to follow, which is part of the reason the type was cut from the Workshop rather than simply cleaned up. Removing executable wallpapers from community sharing closes the delivery route these attackers depended on, while video, scene, and web wallpapers continue to work as before.