WordPress Malware Campaign Uses Steam Profiles to Conceal Command-and-Control Data
- Sara Montes de Oca
- 1 day ago
Nearly 2,000 WordPress websites have been compromised in a sophisticated malware campaign that exploits Valve's Steam Community platform to hide command-and-control infrastructure, according to security researchers at GoDaddy.
Since the campaign was first uncovered in July 2025, GoDaddy engineers have identified malware on approximately 1,980 WordPress websites. The method is notable for its evasion technique: rather than maintaining a dedicated C2 server, the threat actor embeds encoded payloads directly inside Steam Community profile comments.
The comments appear benign to the naked eye, but they contain invisible Unicode characters that conceal malicious instructions. The six characters used — Zero-width non-joiner (U+200C), Zero-width joiner (U+200D), Function application (U+2061), Invisible times (U+2062), Invisible separator (U+2063), and Invisible plus (U+2064) — are mapped to corresponding numbers, converted to binary, and reassembled into a functional payload.
"This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload," GoDaddy said in its report.
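The invisible-character trick described above, and the "invisible Unicode characters" red flag in the indicators section below, can be checked for mechanically. The following scanner is an added example (not code from the GoDaddy report): it counts the six code points named in the article, reports the longest unbroken run of them, and returns the camouflage text with the hidden characters stripped. Because the report does not publish the exact number mapping, the scanner surfaces the hidden sequence as indices only and does not attempt to decode it; the sample comments and the `min_run` threshold are constructed for illustration.

```python
# Order matches the six code points listed in the article.
INVISIBLE = ["\u200c", "\u200d", "\u2061", "\u2062", "\u2063", "\u2064"]
NAMES = ["ZERO WIDTH NON-JOINER", "ZERO WIDTH JOINER", "FUNCTION APPLICATION",
         "INVISIBLE TIMES", "INVISIBLE SEPARATOR", "INVISIBLE PLUS"]
INDEX = {ch: i for i, ch in enumerate(INVISIBLE)}

# Constructed sample comments: one benign, one carrying a hidden run of 24 chars.
SAMPLE_BENIGN = "gg nice profile :)"
SAMPLE_HIDDEN = "gg nice profile " + "".join(INVISIBLE[i % 6] for i in range(24)) + " :)"


def scan_text(text, min_run=8):
    """Report invisible-character usage in a string.

    min_run is an assumed threshold: a handful of ZWJ/ZWNJ characters occur in
    legitimate text (emoji sequences, some scripts), but a long unbroken run of
    these six code points has no ordinary use and is worth a closer look.
    """
    counts = {name: 0 for name in NAMES}
    longest = run = 0
    visible = []
    for ch in text:
        if ch in INDEX:
            counts[NAMES[INDEX[ch]]] += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
            visible.append(ch)
    return {
        "hidden_chars": sum(counts.values()),
        "longest_run": longest,
        "counts": counts,
        "visible_text": "".join(visible),   # what a human reviewer sees
        "suspicious": longest >= min_run,
    }


def hidden_sequence(text):
    """Return the hidden characters as indices 0..5, in order, for analyst review."""
    return [INDEX[ch] for ch in text if ch in INDEX]


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("hidden", SAMPLE_HIDDEN)):
        report = scan_text(sample)
        print(label, report["suspicious"], report["hidden_chars"], repr(report["visible_text"]))
```

The same function can be run over page source or cached transients pulled from a suspect site, since the injected first stage carries the fetched comment text through the WordPress server.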
Once a compromised WordPress site loads a page, the first-stage malware reaches out to designated Steam profiles and extracts that hidden text. The decoded payload then constructs a URL pointing to hello-mywordl[.]info, from which JavaScript code is pulled and injected into every frontend page of the infected site.
That JavaScript is disguised using file names commonly associated with legitimate libraries — including asahi-jquery-min-bundle and lodash.core.min.js — to blend in with normal web traffic. The final stage installs a backdoor that responds to specially crafted POST requests carrying a specific authentication cookie.
"If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via POST parameter," the researchers explained.
The malware employs additional evasion techniques, including obfuscated strings using octal and hex escapes, randomized function names, and fake disabled logging code. It also leverages standard WordPress APIs, making its activity harder to distinguish from routine site operations.
The initial infection vector remains unclear. GoDaddy researchers assess that attackers likely gained entry through stolen administrator credentials, compromised FTP or SFTP access, exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.
By routing C2 communications through Steam — a platform trusted by millions of users and rarely flagged by security tools — the attacker sidesteps the need to register or maintain separate infrastructure, reinforcing a broader trend of threat actors abusing legitimate third-party platforms to evade detection.
Site administrators can look for several indicators of compromise, including references to Steam Community URLs in site code, unexpected JavaScript injections from external domains, outbound connections from WordPress servers to Steam, and POST requests containing the malware's authentication cookies or a new_code parameter. Invisible Unicode characters and suspicious _transient_caption_ cache entries are also red flags.
GoDaddy recommends that affected site owners restore from a clean backup predating the infection. For those without a usable backup, researchers caution that manual removal must be thorough, noting that "attackers can reinstall removed code through the backdoor if any component remains active."