Dozens of Malicious Wallpapers Found on Steam Workshop: Gamers' Accounts at Risk

    Date: 06/17/2026

    Severity: High

    Summary

    Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs. The campaign distributed threats such as DarkKomet backdoors, Lumma and Vidar infostealers, crypto miners, and other credential-stealing malware. Some infected wallpapers accumulated thousands of downloads before being removed. The malware primarily targeted Steam accounts, stealing credentials and session data. The incident highlights that content from trusted platforms can still be dangerous when it is capable of running executable code.

    Indicators of Compromise (IOC) List 

    Domain/URL:

    Hash:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3462675635" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3462675635" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3462675635" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3635875825" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3635875825" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3635875825" or domainname like "http://120.48.156.17" or url like "http://120.48.156.17" or siteurl like "http://120.48.156.17" or domainname like "http://120.48.156.17/ey.php?ka=user1&id" or url like "http://120.48.156.17/ey.php?ka=user1&id" or siteurl like "http://120.48.156.17/ey.php?ka=user1&id" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3601924072" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3601924072" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3601924072" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3591930233" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3591930233" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3591930233" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3436875036" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3436875036" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3436875036" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610240788" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610240788" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610240788" or domainname like "http://brightly.to" or url like "http://brightly.to" or siteurl like "http://brightly.to" or domainname like "http://202.144.192.29" or url like "http://202.144.192.29" or siteurl 
like "http://202.144.192.29" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3553253793" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3553253793" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3553253793" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3633494498" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3633494498" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3633494498" or domainname like "http://brightly.to/download2/Themes2.zip" or url like "http://brightly.to/download2/Themes2.zip" or siteurl like "http://brightly.to/download2/Themes2.zip" or domainname like "http://202.144.192.29/audit.php" or url like "http://202.144.192.29/audit.php" or siteurl like "http://202.144.192.29/audit.php" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610366547" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610366547" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3610366547" or domainname like "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download" or url like "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download" or siteurl like "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605621824" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605621824" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605621824" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3584318845" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3584318845" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3584318845" or domainname like "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" or url like 
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" or siteurl like "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3556591375" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3556591375" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3556591375" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3603213159" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3603213159" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3603213159" or domainname like "http://202.144.192.29/download2/Themes2.zip" or url like "http://202.144.192.29/download2/Themes2.zip" or siteurl like "http://202.144.192.29/download2/Themes2.zip" or domainname like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605588743" or url like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605588743" or siteurl like "https://steamcommunity.com/sharedfiles/filedetails/?id=3605588743"

    Detection Query 2 :

    md5hash IN ("5620f01284329f561b1839a36be55355","af080780cca2acd1d082ce01e7cc346a","ded08ae5df7f1b12e5fdb767dbbed0b1","74414ed4b63aadec039b603c32762b80","c133c3dd9f7d6934598025047df41abf","8c2cc585ad8a13a72a704c0fda0c9854","b9fa763a53da3eea742d0f3c845a8c09","95856f2ce428c728d9781d3296558068","d1693bbff456ae8fa3360446706df6da","18dedc0009f0927cba6425c84cce9883","0f4f01c6d495abb37403072dd017ce8d","fe1f6485013cd5e6d5cf718049b0b8d6","20965254e29104986e11939decd39549")
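
An endpoint-side complement to the queries above, added here as an example (it is not code from the advisory, Gurucul or Wallpaper Engine): it walks a local Wallpaper Engine workshop folder, reports every item that declares itself an application wallpaper or ships executable files, and matches file MD5s against a caller-supplied indicator set. The function names, the `steamapps/workshop/content/431960/<item_id>/` layout and the `project.json` `"type": "application"` field are assumptions to verify against your own installation.

```python
import hashlib
import json
from pathlib import Path

# Assumption: workshop items live under
# <SteamLibrary>/steamapps/workshop/content/431960/<item_id>/ and each item
# carries a project.json whose "type" field names the wallpaper kind.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".lnk", ".msi"}


def md5_of(path):
    """Hash a file in chunks; MD5 only because the advisory's IOCs are MD5."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_workshop(content_root, known_bad_md5=frozenset()):
    """Return one finding per workshop item that is able to run code."""
    known_bad = {h.lower() for h in known_bad_md5}
    findings = []
    for item_dir in sorted(p for p in Path(content_root).iterdir() if p.is_dir()):
        declared_type = "unknown"
        try:
            text = (item_dir / "project.json").read_text(encoding="utf-8-sig", errors="replace")
            declared_type = str(json.loads(text).get("type", "unknown")).lower()
        except (OSError, ValueError, AttributeError):
            pass  # missing or malformed manifest: rely on file inspection
        binaries = [f for f in item_dir.rglob("*")
                    if f.is_file() and f.suffix.lower() in EXECUTABLE_SUFFIXES]
        hashes = {f.relative_to(item_dir).as_posix(): md5_of(f)
                  for f in binaries}
        matches = sorted(name for name, h in hashes.items() if h in known_bad)
        if declared_type == "application" or binaries:
            findings.append({
                "item_id": item_dir.name,
                "declared_type": declared_type,
                "executables": hashes,
                "ioc_matches": matches,
                # Binaries inside a scene/video/web item deserve a closer look.
                "type_mismatch": bool(binaries) and declared_type != "application",
            })
    return findings
```

Run `audit_workshop` against the `431960` content folder of each Steam library on the host, passing the MD5 values from Detection Query 2 as `known_bad_md5`; items with an empty `ioc_matches` list still warrant review, since they can execute code.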

    Reference:    

    https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/  


    Tags

    Malware, Backdoor, Stealer, Lumma Stealer, Vidar, Cryptomining, Credential Harvesting, Gambling
