New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions
WordPress malware uses Steam profile comments to hide C2 instructions; 1,980 sites affected.
Summary
GoDaddy Security discovered a WordPress malware campaign that hides command-and-control instructions in Steam Community profile comments using invisible Unicode characters. The malware, seen on about 1,980 WordPress sites since July 2025, injects external JavaScript into infected sites and maintains a PHP backdoor for persistent access and code execution. The steganographic technique relies on Steam's reputation as a trusted platform to avoid detection, while giving attackers both visitor-facing reach and ongoing control over infected WordPress installations.
Full text
by Waqas, June 2, 2026

A new WordPress malware campaign has been found using an unusual hiding place for its command instructions: Steam Community profile comments. According to research published by GoDaddy Security, the malware stores encoded data inside comments on Steam profiles, then uses infected WordPress sites to fetch and decode that data during normal page activity. The method lets attackers keep command-and-control data on a trusted public platform without running an obvious malicious server.

GoDaddy said the campaign was first detected in July 2025 and has been seen on about 1,980 WordPress sites. The affected sites load external JavaScript for visitors and also contain a backdoor that can modify PHP files on the site.

According to GoDaddy's technical blog post, once planted, the malware can pull hidden instructions from Steam, inject a remote script into public pages, and keep a server-side access path available for future changes. That combination gives the operator both visitor-facing reach and ongoing control over infected WordPress files.

The Steam side of the operation works through profile comments that look harmless to the general public. GoDaddy's analysis found that the malware extracts the text of the commentthread_comment_text element on the profile page, then looks for invisible Unicode characters hidden among the visible text. Those invisible characters carry the real payload.

The process is easier to understand when stripped of the code. The Steam comment shows ordinary text to anyone viewing it, but hidden characters inside the comment carry the real instructions.
The malware reads those hidden characters, turns them back into usable commands, and decrypts them with a built-in routine before using them.

Image: a Steam profile comment made to look like harmless ASCII art, while hidden characters inside it carry malware instructions. (Image credit: GoDaddy)

Once decoded, the malware uses the result to build a URL and load an outside JavaScript file on WordPress pages. In the sample analyzed by GoDaddy, the script was loaded through WordPress's wp_enqueue_script function using the handle asahi-jquery-min-bundle. The observed external script path used the domain hello-mywordl.info and a filename chosen to resemble a common JavaScript library, lodash.core.min.js.

GoDaddy also found a cookie-authenticated backdoor that listens for POST requests. One cookie acts as a ping mechanism, returning an "OK" response and a version value. Another cookie allows the attacker to send base64-encoded PHP code through a POST parameter named new_code. That second function is the more serious piece. The backdoor searches plugin and theme directories for a known marker string connected to the script injection function, then replaces the matching line with attacker-supplied code. In practical terms, the operator can update the malware, change the injected script, or restore removed code if a cleanup misses part of the infection.

The malware is also written to avoid easy spotting. GoDaddy noted that strings are hidden with hexadecimal and octal escapes, while function names use random-looking mixed-case identifiers. It also relies on ordinary WordPress and PHP functions, including add_action, wp_enqueue_script, get_transient, set_transient, file_get_contents, and file_put_contents. The use of familiar APIs can make the code look less suspicious during a quick review.

GoDaddy researchers found one sample of the malware inside a child theme file, but the code is not limited to that location and could be planted in other WordPress PHP files.
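To make the hidden-character channel concrete, here is an added Python example written for this page; it is not GoDaddy's code and not the malware. It separates the carrier code points named in the report from the visible text, produces the kind of report a moderator or analyst would want for a comment, and round-trips a payload through a made-up ASCII-art cover. The bit mapping (U+200C as a 0 bit, U+200D as a 1 bit, eight carriers per byte), the interleaving, the threshold of eight carriers, and the sample comments are all assumptions made for the demonstration; the page does not document the real encoding, nor the encryption layer applied on top of it.

```python
import unicodedata
from collections import Counter

# Invisible code points the GoDaddy report lists as the carrier set
# (U+200C, U+200D, U+2061-U+2064). Anything else is treated as visible text.
CARRIER = {0x200C, 0x200D, 0x2061, 0x2062, 0x2063, 0x2064}

# ASSUMPTION for the round-trip demo only: U+200C carries a 0 bit and U+200D a 1 bit,
# eight carriers per payload byte. The report does not document the real mapping.
ZERO, ONE = "\u200c", "\u200d"


def split_comment(text: str) -> tuple[str, str]:
    """Separate what a Steam viewer sees from the invisible carrier characters."""
    visible, hidden = [], []
    for ch in text:
        (hidden if ord(ch) in CARRIER else visible).append(ch)
    return "".join(visible), "".join(hidden)


def scan_report(text: str) -> dict:
    """Detection view: how much carrier material rides inside one comment."""
    visible, hidden = split_comment(text)
    return {
        "visible": visible,
        "hidden_count": len(hidden),
        "by_codepoint": {
            f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}": n
            for ch, n in sorted(Counter(hidden).items())
        },
        # Assumed threshold: a human-written comment rarely has a run of these;
        # eight carriers is one payload byte under the assumed scheme.
        "suspicious": len(hidden) >= 8,
    }


def encode_payload(cover: str, payload: bytes) -> str:
    """Attacker side (assumed scheme): hide payload bits between cover characters."""
    bits = "".join(f"{b:08b}" for b in payload)
    carriers = [ZERO if bit == "0" else ONE for bit in bits]
    out = []
    for i, ch in enumerate(cover):
        out.append(ch)
        if i < len(carriers):          # one carrier after each cover character
            out.append(carriers[i])
    out.extend(carriers[len(cover):])  # leftover carriers follow the last visible char
    return "".join(out)


def decode_payload(comment: str) -> bytes:
    """Malware side (assumed scheme): pull the carriers back out and rebuild the bytes."""
    _, hidden = split_comment(comment)
    bits = "".join("0" if ch == ZERO else "1" for ch in hidden if ch in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8   # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


if __name__ == "__main__":
    # Constructed inputs: a benign comment and an "ASCII art" cover carrying the
    # script location reported in the article.
    benign = "gg, nice profile!"
    cover = "( ^_^)/ gg wp  \\(^o^)/"
    stego = encode_payload(cover, b"hello-mywordl.info/lodash.core.min.js")
    for label, comment in (("benign", benign), ("stego", stego)):
        print(label, scan_report(comment))
    print("decoded:", decode_payload(stego))
```

The detection side does not depend on the assumed encoding: any comment containing a run of these code points is worth a look regardless of how the bits are packed, which is why scan_report counts carriers rather than trying to decode them.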
The company did not link the infections to one specific WordPress flaw. The more likely path, based on the findings, is that attackers first gained access through stolen admin logins, exposed FTP or SFTP accounts, vulnerable plugins or themes, or compromised third-party code.

Administrators checking for this malware should look for references to steamcommunity.com inside plugin and theme files, arrays of invisible Unicode characters such as U+200C, U+200D, and U+2061 through U+2064, and use of cryptographic functions such as hash_pbkdf2 and openssl_decrypt with AES-256-CTR. Disabled SSL verification in cURL settings is another warning sign.

Network logs may also help. WordPress servers making unexpected outbound requests to Steam Community profiles should be reviewed, as should pages loading JavaScript from nonstandard domains. GoDaddy also noted suspicious WordPress transient cache entries using a transient_caption prefix, along with POST requests carrying the cookie names DEpjndDbNc or tEcaKKXEsb.

This campaign is notable because it turns a public gaming profile into a storage point for hidden malware instructions. The technique does not make WordPress compromise new, but it does show how attackers can use legitimate platforms to make malicious traffic harder to judge at first sight.

Malware and Comments

This is not the first case of attackers abusing comment sections to hide malware instructions. In June 2017, Russian hackers were reported to have used comments on Britney Spears' official Instagram account to control malware, showing how public platforms can be misused as covert communication channels.

Image: screenshot of the Instagram post where the malware's link was posted. (Image source: Instagram, https://www.instagram.com/p/BO8gU41A45g/)

This pattern has appeared in other campaigns, too. In March 2018, attackers used YouTube comments to distribute password-stealing malware.
In April 2024, scammers abused GitHub comments to post links disguised as Microsoft software downloads, tricking users into installing malware.

Expert Insights

"The extensive use of obfuscation and steganographic techniques shows a clear desire by threat actors to cover their tracks and maintain access to infected sites," said William Wright, CEO of Closed Door Security. "The use of public Steam content in lieu of traditional command-and-control infrastructure is likely part of this effort, allowing the platform to act as a cheap alternative to overt hosting infrastructure."

"Because the malware can maintain persistence inside servers, infected sites need to be restored from known clean backups. Site admins should be wary of outbound connections to unexpected domains, even if they are legitimate," warned Wright.
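The administrator checks listed above can be scripted. The following Python is an added example, not GoDaddy's tooling and not code from the report: a rule set over PHP source built from the published indicator strings (the regular expressions themselves are this example's own and will need tuning on a real site), a walker over a wp-content style tree, and a classifier for inbound POST requests that looks for the two reported cookie names and a base64-encoded new_code parameter. The sample PHP files and requests are constructed for the demonstration; the "suspect" file is a stand-in assembled from the indicator strings, not the real sample, and the page does not say which cookie is the ping and which carries code, so both names are treated alike.

```python
import base64
import binascii
import re
from pathlib import Path

# File-content rules built from the indicators quoted in the article. The regular
# expressions are this example's own; expect false positives on real trees.
FILE_RULES = {
    "steam_c2_reference": re.compile(r"steamcommunity\.com", re.I),
    "invisible_unicode_array": re.compile(r"\\u\{?(?:200[CD]|206[1-4])\}?|0x(?:200[CD]|206[1-4])", re.I),
    "pbkdf2_key_derivation": re.compile(r"\bhash_pbkdf2\s*\("),
    "aes_256_ctr_decrypt": re.compile(r"openssl_decrypt\s*\([^;]*aes-256-ctr", re.I | re.S),
    "curl_ssl_verify_off": re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b", re.I),
    "transient_caption_prefix": re.compile(r"transient_caption"),
    "backdoor_cookie_name": re.compile(r"DEpjndDbNc|tEcaKKXEsb"),
    # six or more consecutive \xNN or \NNN escapes inside one double-quoted literal
    "escaped_string_literal": re.compile(r'"(?:\\x[0-9a-f]{2}|\\[0-7]{3}){6,}', re.I),
}

# Cookie names reported on the backdoor's POST interface; roles are not published.
BACKDOOR_COOKIES = {"DEpjndDbNc", "tEcaKKXEsb"}


def scan_php(source: str) -> list[str]:
    """Return the names of every rule that fires on one PHP file's contents."""
    return [name for name, rx in FILE_RULES.items() if rx.search(source)]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a plugins/themes tree and report every PHP file with at least one hit."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if found := scan_php(source):
            hits[str(path)] = found
    return hits


def check_request(method: str, cookies: dict, params: dict) -> list[str]:
    """Classify one inbound request against the backdoor interface described above.
    Feed it from a WAF, a PHP middleware hook, or a log format that records cookies."""
    findings = []
    if method.upper() != "POST":           # the backdoor only listens for POST
        return findings
    findings += [f"backdoor_cookie:{n}" for n in sorted(BACKDOOR_COOKIES.intersection(cookies))]
    if "new_code" in params:
        findings.append("new_code_param")
        try:
            body = base64.b64decode(params["new_code"], validate=True)
        except (binascii.Error, ValueError):
            findings.append("new_code_not_base64")
        else:
            if b"<?php" in body or b"eval(" in body:
                findings.append("new_code_is_php")
    return findings


# Constructed samples. SUSPECT_PHP is a stand-in built from the published indicator
# strings for this example only; it is not the malware and does nothing if run.
SUSPECT_PHP = r'''<?php
$h = "\x68\x74\x74\x70\x73\x3a\x2f\x2f";
$z = ["\u{200C}", "\u{200D}", "\u{2061}", "\u{2062}", "\u{2063}", "\u{2064}"];
$u = $h . "steamcommunity.com/" . $p;
$ch = curl_init($u);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$k = hash_pbkdf2("sha256", $s, $salt, 1000, 32, true);
$d = openssl_decrypt($c, "aes-256-ctr", $k, OPENSSL_RAW_DATA, $iv);
set_transient("transient_caption_" . md5($u), $d, 3600);
if (isset($_COOKIE["tEcaKKXEsb"]) && isset($_POST["new_code"])) { /* replace marker line */ }
'''

CLEAN_PHP = r'''<?php
add_action("wp_enqueue_scripts", function () {
    wp_enqueue_script("theme-main", get_stylesheet_directory_uri() . "/js/main.js", ["jquery"], "1.0", true);
});
set_transient("theme_feed_cache", file_get_contents(__DIR__ . "/feed.json"), 3600);
'''

if __name__ == "__main__":
    import sys
    print("suspect:", scan_php(SUSPECT_PHP))
    print("clean:  ", scan_php(CLEAN_PHP))
    # "PD9waHAgZWNobyAxOw==" is base64 of "<?php echo 1;" (constructed request)
    print("request:", check_request("POST", {"tEcaKKXEsb": "1"}, {"new_code": "PD9waHAgZWNobyAxOw=="}))
    if len(sys.argv) > 1:                  # e.g. python hunt.py /var/www/html/wp-content
        for path, rules in scan_tree(sys.argv[1]).items():
            print(path, rules)
```

Note what is deliberately absent from the rule set: wp_enqueue_script, add_action, get_transient and file_put_contents are the everyday WordPress and PHP calls the article says the malware hides behind, so matching on them alone would flag every theme. Treat a single hit as a lead and two or more as a file to pull apart by hand, and remember the backdoor's purpose is to restore removed code, so a cleanup should end with a restore from a known-good backup and a second scan.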
Indicators of Compromise
- domain — hello-mywordl.info
- filename — lodash.core.min.js (injected script, served from hello-mywordl.info)
- wp_enqueue_script handle — asahi-jquery-min-bundle
- cookie — DEpjndDbNc (backdoor POST interface)
- cookie — tEcaKKXEsb (backdoor POST interface)
- POST parameter — new_code (base64-encoded PHP for the backdoor)
- transient prefix — transient_caption
- C2 channel — steamcommunity.com profile comments (unexpected outbound requests from the web server)
- malware — WordPress malware using Steam comments for C2