Kaspersky: Anime wallpaper packs on Steam Workshop dropped the DarkKomet backdoor
Kaspersky says Wallpaper Engine content let executables run, targeting Steam users via anime girl wallpaper downloads.

Kaspersky says hackers distributed malware through Wallpaper Engine content on Steam Workshop, disguising it as animated wallpapers, including anime-themed images. For decision-makers, the case highlights how “safe content” distribution channels can execute code and steal Steam credentials at scale.
Kaspersky is warning that “anime girl” wallpaper packs on Steam Workshop are being used to deliver real malware. The security firm says infected Wallpaper Engine wallpapers were downloaded thousands of times through Steam, and that at least one malicious sample discovered in December 2025 initially appeared legitimate, even launching an embedded desktop game without visible compromise.
The trap, Kaspersky says, was the “application-based wallpaper” feature. According to Kaspersky, this feature allows executable programs to run directly on a user’s Windows computer, giving attackers a way to distribute malicious software under the guise of legitimate content. In the December 2025 sample, Kaspersky says the wallpaper deployed the DarkKomet backdoor and installed a modified library targeting Steam users, harvesting account information and hijacking active Steam sessions.
This is not the typical “download a shady file from a random corner of the internet” story. It is closer to an ecosystem risk story, where trust is delegated. Wallpaper Engine is a widely used platform for desktop customization, and Steam Workshop is a place where users expect creative content sharing. That expectation is exactly what makes the attack method so effective: malicious actors can ride existing distribution and discovery mechanics. Kaspersky’s guidance essentially reframes the threat model from “malware lives in downloads” to “malware can live in content that is designed to run on your device.”
Kaspersky also lays out two delivery tactics for getting the malicious payload onto the machine. One route involves bundling malicious executables inside the wallpaper package. Another route, Kaspersky says, involves hiding malware inside password-protected archives, with passwords embedded in archive names or configuration files. Both methods are aimed at bypassing the intuitive safety heuristics users apply when they see “a wallpaper pack,” not “an executable installer.” And once installed, Kaspersky says the application-based wallpaper automatically triggers the malicious payload inside.
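A defender-side check for the two packaging patterns described above, added here as an example (it is not Kaspersky's or Wallpaper Engine's tooling): it walks one downloaded wallpaper folder and flags Windows executables and ZIP archives that contain encrypted entries. The folder contents, file names and sample bytes are constructed for the demonstration, and archive formats other than ZIP are not covered.

```python
import io, os, pathlib, struct, tempfile, zipfile

def is_pe(path):
    """True if a DOS 'MZ' header's e_lfanew (offset 0x3C) points at a PE signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def has_encrypted_member(path):
    """True if any ZIP entry has general-purpose flag bit 0 (encrypted) set."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(info.flag_bits & 0x1 for info in z.infolist())

def scan_item(root):
    """Return sorted (relative path, reason) findings for one wallpaper folder."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_pe(full):
                findings.append((rel, "windows-executable"))
            elif has_encrypted_member(full):
                findings.append((rel, "password-protected-zip"))
    return sorted(findings)

def build_sample(root):
    """Write constructed, harmless stand-ins (header bytes only, no payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "placeholder")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted ZIPs: set flag bit 0 in the central directory.
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    p = pathlib.Path(root)
    (p / "game.exe").write_bytes(b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0")
    (p / "assets_pw-1234.zip").write_bytes(raw)
    (p / "preview.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image bytes")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_item(root)
```

The check identifies files by their header bytes rather than their extension, so a renamed executable is still reported.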
The “who got hit” details matter for executives thinking about incident response and customer risk, even if you are not in the wallpaper business. Kaspersky says Steam users in China and Russia appeared to be the primary targets, though users in Singapore, Hong Kong, Germany, Vietnam, India, and Canada have also been affected. Kaspersky also says the campaign does not appear coordinated and seems to be the work of multiple independent threat actors. That last point is a board-level clue: if many actors can reuse the same platform feature and packaging pattern, the fix needs to be systemic, not just “remove one bad uploader.”
To understand the second-order implications, it helps to look at how these distribution channels generally work. Platforms that support user-generated content often optimize for frictionless creation and playback. Wallpaper Engine’s support for animated and interactive desktop scenes is a feature users want, and it is also the lever attackers exploit because it can execute programs. That creates a recurring tension for product and security teams: the more a platform can safely “run” third-party content, the more it must isolate it, validate it, and detect abuse without breaking the user experience.
There is also a regulatory and compliance angle, even for companies that are not directly regulated for cyber hygiene. In many jurisdictions, organizations that host or enable software execution have to be able to demonstrate reasonable steps to manage cyber risk, including protecting user accounts and preventing misuse. Kaspersky’s claim that the malware could harvest account information and hijack active Steam sessions is the kind of outcome regulators care about because it moves from device harm to identity and session compromise. That distinction affects how incidents are communicated, how liability is assessed, and how security posture is audited.
For leaders watching this, the strategic stake is straightforward: if a feature allows executables to run as part of “content,” you have a new class of supply-chain threat. Kaspersky’s warning shows how quickly “creative customization” can become a distribution vector for backdoors like DarkKomet. Boards and executives should treat this as a platform safety stress test, not a niche weeb problem: what matters is whether your ecosystem boundaries assume the benign nature of what runs on users’ machines. Today it is wallpaper packs. Tomorrow it could be any feature that turns user content into code execution, and the cost of being wrong is measured in stolen sessions and compromised accounts.
