# [HIGH] Steam Workshop abused to spread malware via Wallpaper Engine app **Source:** BleepingComputer **Published:** 2026-06-16 **Article:** https://www.bleepingcomputer.com/news/security/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app/ ## Threat Profile Steam Workshop abused to spread malware via Wallpaper Engine app By Bill Toulas June 16, 2026 02:27 PM 0 Threat actors are abusing Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages. Infected wallpapers can lead to hijacking Steam accounts, compromising the system with a backdoor, or running cryptomining processes. Steam Workshop is a built-in content-sharing platform on Valve's Steam gaming service where users can … ## Indicators of Compromise (high-fidelity only) - **IPv4 (defanged):** `120.48.156.17` - **IPv4 (defanged):** `202.144.192.29` - **Domain (defanged):** `brightly.to` - **MD5:** `95856f2ce428c728d9781d3296558068` - **MD5:** `af080780cca2acd1d082ce01e7cc346a` - **MD5:** `c133c3dd9f7d6934598025047df41abf` - **MD5:** `d1693bbff456ae8fa3360446706df6da` - **MD5:** `8c2cc585ad8a13a72a704c0fda0c9854` - **MD5:** `b9fa763a53da3eea742d0f3c845a8c09` - **MD5:** `ded08ae5df7f1b12e5fdb767dbbed0b1` - **MD5:** `20965254e29104986e11939decd39549` - **MD5:** `18dedc0009f0927cba6425c84cce9883` - **MD5:** `0f4f01c6d495abb37403072dd017ce8d` - **MD5:** `5620f01284329f561b1839a36be55355` - **MD5:** `fe1f6485013cd5e6d5cf718049b0b8d6` - **MD5:** `74414ed4b63aadec039b603c32762b80` ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1486** — Data Encrypted for Impact - **T1003.001** — LSASS Memory - **T1003** — OS Credential Dumping - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1071** — Application Layer Protocol - **T1027** — Obfuscated Files or Information - **T1204.002** — User Execution: Malicious File - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain - **T1574.002** — Hijack Execution Flow: DLL Side-Loading - **T1036.005** — Masquerading: Match Legitimate Name or Location - **T1555** — Credentials from Password Stores - **T1083** — File and Directory Discovery - **T1071.001** — Application Layer Protocol: Web Protocols - **T1105** — Ingress Tool Transfer - **T1041** — Exfiltration Over C2 Channel - **T1027.002** — Software Packing ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Wallpaper Engine spawning unexpected child process from Steam Workshop content directory `UC_31_7` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_hash) as hashes values(Processes.user) as user from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("wallpaper32.exe","wallpaper64.exe") AND (Processes.process_path="*\\steamapps\\workshop\\content\\431960\\*" OR Processes.parent_process="*\\steamapps\\workshop\\content\\431960\\*") by Processes.dest Processes.process_name Processes.parent_process_name | `drop_dm_object_name(Processes)` | where process_name!="wallpaper32.exe" AND process_name!="wallpaper64.exe" ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("wallpaper32.exe","wallpaper64.exe") | where FolderPath has @"\steamapps\workshop\content\431960\" or InitiatingProcessCommandLine has @"\steamapps\workshop\content\431960\" | where FileName !in~ ("wallpaper32.exe","wallpaper64.exe","webwallpaper32.exe","webwallpaper64.exe","conhost.exe","WerFault.exe") | project Timestamp, DeviceName, AccountName, ParentImage=InitiatingProcessFolderPath, ParentCmd=InitiatingProcessCommandLine, ChildImage=FolderPath, ChildCmd=ProcessCommandLine, SHA256, MD5 | order by Timestamp desc ``` ### AggregatorHost.dll loaded from non-System32 path (Steam credential stealer sideload) `UC_31_8` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl `sysmon` EventCode=7 ImageLoaded="*\\AggregatorHost.dll" NOT (ImageLoaded="*\\Windows\\System32\\AggregatorHost.dll" OR ImageLoaded="*\\Windows\\SysWOW64\\AggregatorHost.dll" OR ImageLoaded="*\\Windows\\WinSxS\\*\\AggregatorHost.dll") | stats min(_time) as firstTime max(_time) as lastTime values(Image) as loading_process values(Hashes) as dll_hashes count by host ImageLoaded User ``` **Defender KQL:** ```kql DeviceImageLoadEvents | where Timestamp > ago(30d) | where FileName =~ "AggregatorHost.dll" | where FolderPath !startswith @"C:\Windows\System32\" and FolderPath !startswith @"C:\Windows\SysWOW64\" and FolderPath !startswith @"C:\Windows\WinSxS\" | project Timestamp, DeviceName, FolderPath, SHA256, MD5, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName | order by Timestamp desc ``` ### Non-Steam process reading Steam sentry / loginusers credential files `UC_31_9` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.process_name) as process from datamodel=Endpoint.Filesystem where (Filesystem.file_name="loginusers.vdf" OR Filesystem.file_name="config.vdf" OR Filesystem.file_name="ssfn*") by Filesystem.dest Filesystem.process_name Filesystem.user | `drop_dm_object_name(Filesystem)` | where NOT match(process_name, "(?i)^(steam|steamservice|steamwebhelper|gameoverlayui|streaming_client)\.exe$") ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated","FileModified","FileRenamed") or FolderPath has @"\Steam\config\" | where FileName matches regex @"(?i)^(loginusers\.vdf|config\.vdf|ssfn[0-9]+)$" or FolderPath has @"\Steam\config\" | where InitiatingProcessFileName !in~ ("steam.exe","steamservice.exe","steamwebhelper.exe","gameoverlayui.exe","streaming_client.exe","steamerrorreporter.exe") | where InitiatingProcessFolderPath !has @"\Steam\" | project Timestamp, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName, SHA256 | order by Timestamp desc ``` ### Outbound connection to Steam Workshop wallpaper campaign C2 (202.144.192.29 / 120.48.156.17 / brightly.to) `UC_31_10` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) as remote_ip values(All_Traffic.dest_port) as remote_port values(All_Traffic.app) as app from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_ip IN ("202.144.192.29","120.48.156.17") OR All_Traffic.dest="brightly.to" OR All_Traffic.dest="*.brightly.to" by All_Traffic.src All_Traffic.user All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` ``` **Defender KQL:** ```kql let C2_IPs = dynamic(["202.144.192.29","120.48.156.17"]); let C2_Domains = dynamic(["brightly.to"]); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteIP in (C2_IPs) or RemoteUrl has_any (C2_Domains) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName, RemoteIP, RemotePort, RemoteUrl, Protocol | order by Timestamp desc ``` ### Known DarkKomet / Wallpaper-Engine campaign payload hash execution or write `UC_31_11` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl (| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_name) as process from datamodel=Endpoint.Processes where Processes.process_hash IN ("95856f2ce428c728d9781d3296558068","af080780cca2acd1d082ce01e7cc346a","c133c3dd9f7d6934598025047df41abf","d1693bbff456ae8fa3360446706df6da","8c2cc585ad8a13a72a704c0fda0c9854","b9fa763a53da3eea742d0f3c845a8c09","ded08ae5df7f1b12e5fdb767dbbed0b1","20965254e29104986e11939decd39549","18dedc0009f0927cba6425c84cce9883","0f4f01c6d495abb37403072dd017ce8d","5620f01284329f561b1839a36be55355","fe1f6485013cd5e6d5cf718049b0b8d6","74414ed4b63aadec039b603c32762b80") by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)`) ``` **Defender KQL:** ```kql let BadMD5 = dynamic(["95856f2ce428c728d9781d3296558068","af080780cca2acd1d082ce01e7cc346a","c133c3dd9f7d6934598025047df41abf","d1693bbff456ae8fa3360446706df6da","8c2cc585ad8a13a72a704c0fda0c9854","b9fa763a53da3eea742d0f3c845a8c09","ded08ae5df7f1b12e5fdb767dbbed0b1","20965254e29104986e11939decd39549","18dedc0009f0927cba6425c84cce9883","0f4f01c6d495abb37403072dd017ce8d","5620f01284329f561b1839a36be55355","fe1f6485013cd5e6d5cf718049b0b8d6","74414ed4b63aadec039b603c32762b80"]); union isfuzzy=true (DeviceProcessEvents | where Timestamp > ago(90d) | where MD5 in (BadMD5) or InitiatingProcessMD5 in (BadMD5) | project Timestamp, DeviceName, AccountName, Source="Process", FileName, FolderPath, ProcessCommandLine, MD5, SHA256, InitiatingProcessFileName, InitiatingProcessFolderPath), (DeviceFileEvents | where Timestamp > ago(90d) | where MD5 in (BadMD5) | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, Source="FileWrite", FileName, FolderPath, ProcessCommandLine=InitiatingProcessCommandLine, MD5, SHA256, InitiatingProcessFileName, InitiatingProcessFolderPath), (DeviceImageLoadEvents | where Timestamp > ago(90d) | where MD5 in (BadMD5) | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, Source="DllLoad", FileName, FolderPath, ProcessCommandLine=InitiatingProcessCommandLine, MD5, SHA256, InitiatingProcessFileName, InitiatingProcessFolderPath=InitiatingProcessFolderPath) | order by Timestamp desc ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Ransomware-style mass file rename / extension change `UC_RANSOM_ENCRYPT` · phase: **actions** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, dc(Filesystem.file_name) AS files from datamodel=Endpoint.Filesystem where Filesystem.action IN ("modified","renamed") by Filesystem.dest, Filesystem.user, _time span=1m | `drop_dm_object_name(Filesystem)` | where files > 200 | sort - files ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(1d) | where InitiatingProcessAccountName !endswith "$" | where ActionType in ("FileRenamed","FileModified") | summarize files = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1m) | where files > 200 // empirical: > 200 unique-file renames in 1m by one account on one host // is well above the P99 of legitimate bulk-tooling | order by files desc ``` ### LSASS process access / dump (credential theft) `UC_LSASS` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*lsass*" OR Processes.process="*sekurlsa*" OR Processes.process="*MiniDump*" OR Processes.process="*comsvcs.dll*MiniDump*" OR Processes.process="*procdump*lsass*") OR (Processes.process_name="rundll32.exe" AND Processes.process="*comsvcs*MiniDump*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where ActionType == "OpenProcessApiCall" | where FileName =~ "lsass.exe" | where InitiatingProcessFileName !in~ ("MsSense.exe","MsMpEng.exe","csrss.exe", "svchost.exe","wininit.exe","services.exe", "lsm.exe","SearchProtocolHost.exe") | project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, AccountName | order by Timestamp desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### Article-specific behavioural hunt — Steam Workshop abused to spread malware via Wallpaper Engine app `UC_31_6` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — Steam Workshop abused to spread malware via Wallpaper Engine app ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("aggregatorhost.dll")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("aggregatorhost.dll")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — Steam Workshop abused to spread malware via Wallpaper Engine app // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("aggregatorhost.dll")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("aggregatorhost.dll")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `120.48.156.17`, `202.144.192.29`, `brightly.to` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `95856f2ce428c728d9781d3296558068`, `af080780cca2acd1d082ce01e7cc346a`, `c133c3dd9f7d6934598025047df41abf`, `d1693bbff456ae8fa3360446706df6da`, `8c2cc585ad8a13a72a704c0fda0c9854`, `b9fa763a53da3eea742d0f3c845a8c09`, `ded08ae5df7f1b12e5fdb767dbbed0b1`, `20965254e29104986e11939decd39549` _(+5 more)_ ## Why this matters Severity classified as **HIGH** based on: IOCs present, 12 use case(s) fired, 19 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.