Vidar

Threat actors are abusing Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages... specifically through the Wallpaper Engine application, to distribute malware.

One campaign advertised a fictitious “Awesome AI Windows Plugin” on free movie streaming sites. These malicious ads redirect victims to signed malware executables.

Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs.

PowerShell command lines for downloading the malicious payload.

Researchers discovered dozens of malicious wallpapers on Steam Workshop that abused Wallpaper Engine's Application Wallpaper feature to execute malware on users' PCs.

The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.

With a handle to the forked process in hand, Vidar proceeds to enumerate its virtual memory regions using NtQueryVirtualMemory ... Each thread scans its assigned regions using NtReadVirtualMemory , searching for a 32-byte pattern. | In both cases, the APC routine to be executed is CryptUnprotectMemory , called with the following three arguments: the address of the encrypted v20_master_key candidate, its size (32 bytes), and CRYPTPROTECTMEMORY_SAME_PROCESS for the flags parameter.

Vidar solves this by injecting an Asynchronous Procedure Call (APC) into the live browser process... it creates a suspended thread in the target browser via CreateRemoteThread ... queues an APC using NtQueueApcThread ... If neither product is detected, it uses the “special” method ... and calls NtQueueApcThreadEx2 with the QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC flag.

Obfuscation and encryption for the injected ErrTraffic script (using AES and JavaScript obfuscation).

These malicious wallpapers, disguised as legitimate user-generated content, can lead to Steam account hijacking, system compromise with backdoors, or cryptomining operations.

With a handle to the forked process in hand, Vidar proceeds to enumerate its virtual memory regions using NtQueryVirtualMemory ... Each thread scans its assigned regions using NtReadVirtualMemory , searching for a 32-byte pattern. | In both cases, the APC routine to be executed is CryptUnprotectMemory , called with the following three arguments: the address of the encrypted v20_master_key candidate, its size (32 bytes), and CRYPTPROTECTMEMORY_SAME_PROCESS for the flags parameter.

Vidar solves this by injecting an Asynchronous Procedure Call (APC) into the live browser process... it creates a suspended thread in the target browser via CreateRemoteThread ... queues an APC using NtQueueApcThread ... If neither product is detected, it uses the “special” method ... and calls NtQueueApcThreadEx2 with the QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC flag.

The loader simply reconstructs its payload and runs it in memory, so “it never touches the disk.”

When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server.

These logs can hold credentials and tokens present on the compromised device, including corporate VPN, email, cloud, and SSO accounts... attackers authenticate with legitimate credentials, even bypassing MFA if they have a session cookie.

When successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers’ server.

Since modern browsers use a multi-process architecture, there are typically multiple processes matching a given browser. Vidar enumerates all of them (up to 64) and applies the fork-and-scan procedure to each one independently. | it finds an existing thread in the target browser using a combination of CreateToolhelp32Snapshot and Thread32First/Thread32Next , opens it via NtOpenThread , and calls NtQueueApcThreadEx2

In short, the end goal of infostealers is to obtain the v20_master_key , as it alone is sufficient for decrypting any ABE-protected data tied to a specific application.

These are packaged into logs and sold, validated by intermediaries, and eventually monetized as enterprise access

Again that’s it! The data is ready to be forwarded to the cybercriminals.

ErrTraffic v3, documented by LevelBlue in April 2026, uses the EtherHiding technique as DDR. The injected script on compromised WordPress sites queries a smart contract on a blockchain to retrieve the ErrTraffic C2 server.

Additionally, it has an optional loader functionality that can be used to retrieve additional payloads such as infostealers, remote access trojans (RATs) and ransomware... In one case, XTinyLoader was installed, which subsequently downloaded LockBit Black ransomware.

The story we are writing here will try to explain how, from a simple mistake made by an operator, we managed to collect and exploit a lot of precious information from a “Fast Flux” network called BraZZZerS Fast Flux between end of 2018 and 2022.