One of the best arguments for purchasing games through Steam is the Steam Workshop. This community hub lets users download and install mods for their favorite games with a single click. No searching for the right files and the folders they belong in; Steam Workshop does all the work. However, since all Workshop content is user-created, malicious uploaders sometimes hide malware inside it, and victims are often unaware until it is too late.
Earlier this week, Kaspersky (yes, the company whose antivirus suite the FCC called a national security threat) exposed a new malware campaign that is hijacking Steam user accounts. This news came several months after the FBI warned of seven Steam games hiding malware. According to Kaspersky, attackers are abusing the Steam Workshop sharing features of Wallpaper Engine, a paid Steam app. Unlike your average desktop wallpaper, Wallpaper Engine specializes in live wallpapers (think the animated backgrounds you can get on an Xbox Series X/S or PlayStation 5), and a live wallpaper is a package of files rather than a single image, which gives attackers far more room to hide malicious code.
Kaspersky’s analysis indicates that although there are only “dozens” of these malware-laden wallpapers, they are extremely popular: each has been downloaded thousands, if not tens of thousands, of times. Although anyone who installs the wallpapers will be infected, the people who created them are currently primarily targeting Chinese gamers. How so? Art styles and titles are “specially tailored to them.” 89% of all victims come from China, followed by Russia with 5.5%.
How the virus works
As noted above, the lure is tailored to a particular audience: the wallpapers feature images of women that can best be described as waifu material. Once a victim subscribes to one of them and launches it, the malware goes into action.
According to Kaspersky’s analysis, once the wallpaper is launched, it installs a backdoor and an executable that poses as a “game” while searching the machine for Steam account credentials. Once the executable has what it needs, it sends the data to a command-and-control server run by the attackers. From there, they have full control over your account; they can change your password, get at the payment details stored with it, and publish more infected wallpapers under your name. Oh, and they can also lock all your files behind ransomware and install cryptomining software if they feel like it.
Kaspersky says the malware spreads in two ways. The first is the simplest: the attackers ship wallpaper packages that have EXE files, DLLs and malicious scripts bundled alongside the wallpaper itself. The second turns victims into unwitting accomplices. The wallpaper comes with a password-protected archive (which antivirus scanners cannot look inside), and the victim is talked into typing in the supplied password and unpacking the malware themselves. In some variants a script does the unpacking automatically, because not every victim is tech-literate enough to shoot themselves in the foot.
What you can do to stay safe
Obviously, the safest move is to stay away from Wallpaper Engine’s Steam Workshop content for the time being, and to unsubscribe from any wallpapers you do not fully trust, since a Workshop subscription downloads the item automatically. If you really need a special wallpaper, use an alternative such as the open-source WinDynamicDesktop on Windows, or download Van Gogh-inspired wallpapers for your Mac. But let’s assume you downloaded one of these wallpapers before reading this article. You are not yet doomed.
Kaspersky’s data shows that while the delivery method is somewhat new, the malware itself consists of familiar faces within the cybersecurity community: the DarkComet remote-access trojan (Kaspersky’s verdict name spells it DarkKomet), the Lumma and Vidar infostealers, and the RenEngine loader. Many existing antivirus suites (including Kaspersky’s own, obviously) can locate and quarantine them. Kaspersky recommends looking for the following detection names:
- Trojan-PSW.Win32.gen
- Trojan-PSW.Win32.Python.gen
- Backdoor.Win32.DarkKomet
- Trojan-Dropper.Python.Agent
- Trojan-Ransom.Win32.Gen.gen
- PDM:Trojan.Win32.Generic
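Antivirus verdicts only fire on samples the vendor already knows. A quicker sanity check that does not depend on signatures is to look at what each subscribed Workshop item actually contains: a wallpaper is images, video, audio, a project.json and scene or web assets, so a native executable, a script host file or an archive sitting in that folder is a red flag in itself. The following script is an added example, not code from Kaspersky or from Wallpaper Engine. It assumes the usual Steam layout in which Workshop content for the app lives under steamapps/workshop/content/431960 (431960 being Wallpaper Engine’s Steam app ID; verify the folder on your own install), and it demonstrates itself on a constructed sample tree with made-up item IDs rather than real Workshop downloads. It also checks for the “MZ” header so that a dropper renamed to .dat or .png still gets flagged.

```python
"""Triage scan of Wallpaper Engine workshop items for files a wallpaper should never ship."""
import tempfile
from pathlib import Path

# Wallpaper Engine's Steam app ID doubles as its workshop content folder name.
# Assumption: confirm against steamapps/workshop/content/ on your own install.
WALLPAPER_ENGINE_APPID = "431960"

# Native executables, script-host files and archives have no business in a
# wallpaper package. .js and .html are left out on purpose: web wallpapers
# legitimately contain them, so they need manual review rather than a flag.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".msi",
    ".py", ".pyd", ".pyc",          # Python payloads, as the verdict names suggest
    ".zip", ".rar", ".7z",          # (password-protected) archives used for delivery
}


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header, whatever its extension.
    Catches a dropper renamed to .dat/.bin/.png to dodge an extension filter."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_item(item_dir: Path) -> list[str]:
    """Return item-relative paths of files that warrant a closer look."""
    hits = []
    for p in sorted(item_dir.rglob("*")):
        if p.is_file() and (p.suffix.lower() in SUSPICIOUS_EXTENSIONS or looks_like_pe(p)):
            hits.append(p.relative_to(item_dir).as_posix())
    return hits


def scan_workshop(workshop_dir: Path) -> dict[str, list[str]]:
    """Map workshop item ID -> suspicious files, for every item that has any."""
    findings = {}
    for item in sorted(workshop_dir.iterdir()):
        if item.is_dir():
            hits = scan_item(item)
            if hits:
                findings[item.name] = hits
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample layout (not real Workshop content) for an offline demo."""
    ws = root / "steamapps" / "workshop" / "content" / WALLPAPER_ENGINE_APPID
    clean = ws / "1000000001"        # made-up item ID: an ordinary video wallpaper
    clean.mkdir(parents=True)
    (clean / "project.json").write_text('{"type": "video", "file": "loop.mp4"}')
    (clean / "loop.mp4").write_bytes(b"\x00" * 16)
    (clean / "preview.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 8)

    bad = ws / "1000000002"          # made-up item ID: wallpaper with a bundled dropper
    (bad / "assets").mkdir(parents=True)
    (bad / "project.json").write_text('{"type": "scene", "file": "scene.pkg"}')
    (bad / "scene.pkg").write_bytes(b"\x00" * 16)
    (bad / "update.exe").write_bytes(b"MZ" + b"\x90" * 14)               # obvious executable
    (bad / "assets" / "textures.dat").write_bytes(b"MZ" + b"\x00" * 14)  # PE hidden behind a harmless extension
    (bad / "assets" / "extra.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")     # archive a script would unpack
    return ws


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and scan it. For a real install, call
    scan_workshop(Path(<SteamRoot>) / "steamapps/workshop/content" / WALLPAPER_ENGINE_APPID)."""
    root = Path(tempfile.mkdtemp(prefix="we-scan-"))
    return scan_workshop(build_sample_tree(root))


if __name__ == "__main__":
    for item_id, files in demo().items():
        print(f"workshop item {item_id}:")
        for f in files:
            print(f"  {f}")
```

A hit is not proof of infection, but a wallpaper folder containing an .exe, a .7z or a file that starts with “MZ” is reason enough to unsubscribe, delete the folder and run a full antivirus scan. The extension list is deliberately conservative; widen it if you never use web wallpapers.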
If your anti-malware program detects any of these objects, assume that your computer has been compromised, not just the wallpaper. Quarantine or remove what the scanner finds, but with a backdoor and infostealers in play the only cleanup you can really trust is wiping the machine and reinstalling Windows from known-good media (or having a competent technician do it). Then, from a device you know is clean, change your Steam password, use the “Deauthorize all other devices” option in Steam’s account security settings to kick the attackers out, and turn on the Steam Guard Mobile Authenticator. Infostealers like Lumma and Vidar also grab passwords saved in browsers, so reset every account that was logged in on that PC and set up two-factor authentication while you’re at it. Just be patient and thorough, and everything should eventually return to normal.
