File security for Windows systems — since 2003

How FileSure Would Have Stopped the Steam Workshop Malware Campaign

By Gene Allen

What Happened

Threat actors turned Steam Workshop into a malware distribution platform. They uploaded malicious wallpapers to Wallpaper Engine — a popular desktop customization app with nearly a million Steam reviews — and tricked users into installing them. Kaspersky found dozens of these malicious wallpapers, each downloaded thousands or tens of thousands of times.

The wallpapers looked legitimate. One posed as a game called NTRaholic. It launched as expected when the user installed it, reducing suspicion. But in the background, it dropped a DarkKomet backdoor and a modified system library that hunted for Steam credentials.

Kaspersky identified multiple malware families delivered this way: Lumma and Vidar infostealers, cryptocurrency miners, botnet loaders, RanEngine, and ransomware. Multiple threat actors were exploiting the same vector. Steam removed the malicious wallpapers Kaspersky reported, but researchers warn that new ones are likely already uploaded.

The recommended defense? Scan everything you download from Steam Workshop with an up-to-date antivirus product.

That’s the same advice we’ve been giving for twenty years. And it’s still missing the point.

Why Signature-Based Detection Keeps Failing

Antivirus works by recognizing threats it has already seen. A researcher finds a new malware variant, analyzes it, creates a signature, pushes an update, and your antivirus learns to block it. That process takes time — hours or days. The window between a new malware release and when your antivirus can detect it is exactly when attacks happen.

And that’s assuming the malware isn’t obfuscated or packed in a way that defeats signature matching. Password-protected archives — mentioned in Kaspersky’s report as one delivery method — bypass most antivirus scanning entirely.

But here’s what every one of these infections has in common: the malware had to write an executable file to the Windows file system before it could run. The DarkKomet backdoor, the infostealers, the cryptominers, the ransomware — all of it required a file write operation to land the payload on disk.

That’s the intervention point. Not after the malware executes. Not after it starts encrypting files or stealing credentials. Before it ever lands.

How FileSure Stops It at the File System Layer

FileSure Defend operates at the Windows kernel level via a filter driver. It intercepts every file operation — open, read, write, delete, create, rename — before it completes. You define rules that control which programs can perform which operations on which file types.

For this attack, the rule is simple:

File name filter: *.exe;*.dll;*.bat;*.cmd;*.ps1;*.vbs;*.wsh
Program name filter: Exclude your software deployment tools and self-updating applications; block everything else
Operations: Write, Create
Drive type: Hard drives
Result: Wallpaper Engine — or any other non-whitelisted application — cannot write executable files to the hard drive.

When the malicious wallpaper tries to drop its payload, FileSure intercepts the write operation at the kernel level and blocks it. The file never lands on disk. The malware never executes. Your system stays clean.
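The rule above is an allow-list: executable file types, a short list of trusted writers, and everything else denied. As an added example (not FileSure's code, which runs as a kernel filter driver and is not shown on this page), the following Python evaluator applies the same four-part rule to a constructed stream of file events so the decision logic can be seen end to end. The trusted program paths, the event stream, and the attribute names are all assumptions made for the example.

```python
"""Toy policy evaluator for the executable-write rule described above.

Assumed (not from FileSure): the trusted-program paths, the event format,
and the sample events. Windows path semantics are approximated with ntpath
and case-insensitive glob matching.
"""
import fnmatch
import ntpath
from dataclasses import dataclass

# File name filter, as in the rule: executable and script types.
EXEC_PATTERNS = ["*.exe", "*.dll", "*.bat", "*.cmd", "*.ps1", "*.vbs", "*.wsh"]

# Program name filter: only these writers may create executables.
# Hypothetical deployment tool and self-updating app, chosen for the example.
ALLOWED_PROGRAMS = [
    r"C:\Program Files\Contoso Deploy\deploy.exe",
    r"C:\Program Files\ExampleApp\updater.exe",
]

# Operations the rule blocks, and the drive types it covers.
BLOCKED_OPS = {"Write", "Create"}
PROTECTED_DRIVE_TYPES = {"HardDrive"}


@dataclass(frozen=True)
class FileEvent:
    program: str      # full path of the process performing the operation
    operation: str    # Open, Read, Write, Create, Delete, Rename
    path: str         # target file path
    drive_type: str   # HardDrive, Removable, Network, ...


def matches_any(name: str, patterns: list[str]) -> bool:
    """Case-insensitive glob match, since Windows file names are not case-sensitive."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def decide(event: FileEvent) -> str:
    """Return 'block' if the rule applies and the writer is not trusted, else 'allow'."""
    if event.operation not in BLOCKED_OPS:
        return "allow"                       # rule only covers Write/Create
    if event.drive_type not in PROTECTED_DRIVE_TYPES:
        return "allow"                       # rule scoped to hard drives
    if not matches_any(ntpath.basename(event.path), EXEC_PATTERNS):
        return "allow"                       # not an executable file type
    if matches_any(event.program, ALLOWED_PROGRAMS):
        return "allow"                       # trusted deployment/update tool
    return "block"                           # everything else is denied


def evaluate(events: list[FileEvent]) -> dict[str, str]:
    """Map each event's target path to its decision."""
    return {e.path: decide(e) for e in events}


# Constructed sample events modelled on the scenario in the post.
WALLPAPER_APP = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine\wallpaper32.exe"
SAMPLE_EVENTS = [
    # Dropper payload: executable written by a non-trusted program -> block
    FileEvent(WALLPAPER_APP, "Create", r"C:\Users\alice\AppData\Local\Temp\payload.exe", "HardDrive"),
    # Modified system library written by the same program -> block
    FileEvent(WALLPAPER_APP, "Write", r"C:\Users\alice\AppData\Roaming\steam_helper.dll", "HardDrive"),
    # Ordinary image asset: not an executable type -> allow
    FileEvent(WALLPAPER_APP, "Write", r"C:\Users\alice\Wallpapers\scene.jpg", "HardDrive"),
    # Reading a DLL is not a covered operation -> allow
    FileEvent(WALLPAPER_APP, "Read", r"C:\Windows\System32\user32.dll", "HardDrive"),
    # Trusted deployment tool installing an executable -> allow
    FileEvent(ALLOWED_PROGRAMS[0], "Create", r"C:\Program Files\NewTool\tool.exe", "HardDrive"),
]

if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{verdict:5s}  {path}")
```

The four checks are ordered from cheapest to most specific, which is how a filter would keep overhead low on the vast majority of events (reads, opens, non-executable writes) that the rule does not touch. Because the operation set and patterns are plain data, the same evaluator applies unchanged to a rule that also covers Rename, which the post lists among the operations the driver intercepts.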

This works on malware variants that were released this morning. It works on obfuscated payloads. It works on threats your antivirus has never seen. It doesn’t rely on recognizing the malware — it just controls what programs are allowed to do to your file system.

And it works offline. If you’re disconnected from your management server or your antivirus signature updates are delayed, FileSure still enforces the rules. The protection is local and immediate.

Stop Playing Whack-a-Mole

Steam Workshop is just one vector. Tomorrow it’ll be a browser extension, a productivity app plugin, or a file downloaded from a “trusted” source. The delivery mechanism changes. The fundamental requirement doesn’t: the malware has to write files to disk before it can run.

Control the file operations. Stop the infection before it starts.

Try FileSure free for 21 days at bystorm.com — install it, run our test file that mimics ransomware behavior, and watch it get blocked in real time.


Source: Steam Workshop abused to spread malware via Wallpaper Engine app

Category: Threat Intelligence

Tags: steam workshop, wallpaper engine, darkkomet, lumma stealer, vidar stealer, malware delivery, kernel filter driver, file system security

Written by Gene Allen

Gene Allen is a Windows file security expert with over 20 years of experience developing kernel-level solutions that protect enterprise data from ransomware, unauthorized access, and data loss. As founder of ByStorm Software, he architected FileSure — a patented file auditing and security platform trusted by 200+ organizations across healthcare, financial services, and government. Gene holds two U.S. patents in file system security and access control.
