News Article · Jun 19, 2026 at 9:39 AM
Steam Malware Campaign, Splunk Exploit, and NGINX Flaws Highlight a Busy Week in Cybersecurity

A year-long malware campaign on Steam's Wallpaper Engine infected tens of thousands, while critical vulnerabilities in Splunk Enterprise and NGINX Open Source are now under active exploitation.

Cybersecurity researchers disclosed multiple significant threats this week, including a year-long malware campaign on Steam that infected tens of thousands of users, active exploitation of a critical Splunk Enterprise vulnerability, and patches for two critical remote code execution flaws in NGINX Open Source. Separately, a massive Android botnet was linked to a publicly traded Israeli firm, and a new North Korean fake IT worker scam network was uncovered.

According to Kaspersky, the Steam campaign abused Wallpaper Engine's "Application Wallpaper" feature, which allows unverified third-party code to run as standalone Windows programs. The attackers distributed malicious wallpapers that, once applied, stole account credentials and hijacked active sessions, with 89% of compromised downloads targeting users in China.

Steam Malware Campaign Details

The attackers used two primary distribution methods: archives containing the executable wallpaper alongside malicious payloads such as .exe files, DLLs, or scripts, and password-protected archives that executed automatically when the wallpaper was applied. One tested wallpaper, containing a malicious game called NTRaholic, dropped a backdoor named Synaptics.exe from the DarkKomet malware family. The campaign also used compromised accounts to upload additional malicious wallpapers to Steam Workshop.

  • Dozens of malicious application wallpapers were found on Steam Workshop, some downloaded tens of thousands of times.
  • Affected countries beyond China include Germany, Canada, Russia, Singapore, Hong Kong, Vietnam, and India.
  • Steam has removed all identified malicious wallpapers, but Kaspersky urges users to run antivirus scans before applying wallpapers with built-in executables.
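To act on that advice, a defender first needs to know which downloaded Workshop items carry executables at all. The following is an added example, not code from the article or from Kaspersky: it walks a folder of downloaded Workshop items and lists loose executables, DLLs and scripts, the same file types inside ZIP archives, and password-protected ZIPs. The function names, the extension set and the folder passed in are assumptions, and only ZIP archives are inspected.

```python
import zipfile
from pathlib import Path

# Payload types the article names (.exe, DLLs, scripts). Which script
# extensions to include is an assumption of this example.
RISKY_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs"}

def inspect_archive(path):
    """Return (password_protected, risky_member_names) for a ZIP file.

    Member names are stored unencrypted in a classic ZIP, so they can be
    listed even when the contents are password protected.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
    except (zipfile.BadZipFile, OSError):
        return False, []
    protected = any(i.flag_bits & 0x1 for i in infos)  # bit 0 = encrypted
    risky = [i.filename for i in infos
             if Path(i.filename).suffix.lower() in RISKY_EXT]
    return protected, risky

def audit_item(item_dir):
    """Collect findings for one downloaded Workshop item folder."""
    findings = {"item": Path(item_dir).name,
                "loose": [], "archived": [], "protected": []}
    for f in sorted(Path(item_dir).rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(item_dir).as_posix()
        if f.suffix.lower() in RISKY_EXT:
            findings["loose"].append(rel)
        elif zipfile.is_zipfile(f):
            protected, risky = inspect_archive(f)
            findings["archived"] += [f"{rel}!{m}" for m in risky]
            if protected:
                findings["protected"].append(rel)
    return findings

def audit_workshop(content_dir):
    """Return findings for every item folder that has something to review."""
    results = [audit_item(d) for d in sorted(Path(content_dir).iterdir())
               if d.is_dir()]
    return [r for r in results
            if r["loose"] or r["archived"] or r["protected"]]
```

A finding is a prompt to scan that item with antivirus before applying it, not a verdict: application wallpapers ship an executable by design.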

Splunk and NGINX Vulnerabilities Under Attack

Separately, a critical vulnerability in Splunk Enterprise is now being actively exploited. The flaw involves a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing attackers to access sensitive data. Meanwhile, F5 released patches for two critical NGINX Open Source flaws, CVE-2026-42530 (CVSS v4 score 9.2) and another unnamed vulnerability, both enabling remote code execution. The use-after-free flaw in the ngx_http_v3_module can be triggered by a remote unauthenticated attacker.

In other news, researchers linked the Popa botnet, a four-year-old Android-based botnet that has infected millions of consumer TV boxes, to NetNut, a residential proxy provider operated by the publicly traded Israeli firm Alarum Technologies Ltd (NASDAQ: ALAR). The botnet has been used for advertising fraud, account takeovers, and mass data scraping. Additionally, security firm Nisos uncovered a major North Korean fake IT worker scam network, highlighting the ongoing threat of state-sponsored cybercrime.

Organizations are advised to apply patches for Splunk Enterprise and NGINX Open Source immediately, and Steam users should scan their systems for malware. The breadth of these attacks underscores the need for continuous vigilance across all platforms.

Fact check

  • The Steam malware campaign abused Wallpaper Engine's 'Application Wallpaper' feature and has been ongoing since 2025.
  • 89% of compromised downloads in the Steam campaign targeted users in China.
  • A critical Splunk Enterprise vulnerability involving a PostgreSQL sidecar service endpoint is being actively exploited.
  • F5 patched two critical NGINX Open Source flaws, including CVE-2026-42530 with a CVSS v4 score of 9.2.
  • The Popa botnet is linked to NetNut, a residential proxy provider operated by Alarum Technologies Ltd.
