WordPress Malware Hides C2 Instructions in Steam Profile Comments
- Jun 2
- 3 min read
Key Findings
New malware campaign discovered on approximately 1,980 WordPress sites using Steam Community profile comments to store encoded command-and-control instructions
Malware uses invisible Unicode characters hidden within visible Steam profile comments to deliver payloads, making detection difficult
Infected sites load external malicious JavaScript and contain a server-side backdoor capable of modifying PHP files for persistent access
Campaign first detected in July 2025 and uses legitimate-looking filenames and WordPress functions to evade detection
Attack combines visitor-facing code injection with administrator-level file modification capabilities, allowing attackers to survive partial cleanup attempts
Background
GoDaddy Security researchers identified this campaign while analyzing malware samples across their customer base. The discovery highlights an emerging trend where attackers abuse legitimate public platforms to host command infrastructure, bypassing traditional network defenses that flag obvious malicious servers. By leveraging Steam's trusted status and massive user base, attackers created a distribution method that appears benign to standard security monitoring.
Steam Comment Encoding Mechanism
The malware stores encoded instructions within Steam Community profile comments using six invisible Unicode characters that carry no visual representation: zero-width non-joiner, zero-width joiner, function application, invisible times, invisible separator, and invisible plus. To human eyes, the comments appear to be harmless ASCII art or casual messages.
The malware strips all visible text from the comment, then maps each invisible Unicode character to a number between 0 and 5. These numbers convert to binary, which reconstructs into executable bytes. A bitwise NOT operation completes the decoding process. Some variants add another layer of protection using AES-256-CTR encryption with PBKDF2 key derivation running 10,000 iterations, plus HMAC-SHA256 authentication.
Client-Side Injection
Once decoded, the malware constructs a URL pointing to hello-mywordl.info and loads a JavaScript file named lodash.core.min.js. This filename mimics a legitimate, widely used library, helping it blend into normal page traffic. The script injects into every WordPress frontend page through the wp_enqueue_scripts hook using the handle "asahi-jquery-min-bundle," another deliberately ordinary-sounding name.
Any administrator reviewing loaded scripts must look past convincingly named files to identify the malicious injection. The script executes on every page load, giving attackers continuous access to visitor data and browser environments.
Server-Side Backdoor
The more dangerous component is a persistent backdoor that listens on every WordPress page load for specific authentication cookies in POST requests. One cookie acts as a ping mechanism, returning an "OK" response with a version identifier to confirm the backdoor remains active.
A second cookie, tEcaKKXEsb, allows attackers to send base64-encoded PHP code through a POST parameter named new_code. The backdoor searches plugin and theme directories for a known marker string connected to the script injection function, then overwrites matching lines with attacker-supplied code. This capability lets operators update malware, change injected scripts, or restore removed code even after partial cleanup attempts.
Obfuscation Techniques
The malware employs multiple obfuscation layers to avoid detection. All string constants use octal or hexadecimal escape sequences, preventing text searches for indicators like "steamcommunity.com" or "https://". Function and variable names appear as random hex strings rather than descriptive identifiers.
The code includes non-functional logging systems with hardcoded disabled variables, creating the appearance of legitimate, carefully written software during quick reviews. Throughout the malware, attackers use standard WordPress API calls including add_action, wp_enqueue_script, get_transient, set_transient, file_get_contents, and file_put_contents. This reliance on familiar functions makes behavioral detection significantly harder because everything resembles normal plugin activity.
Initial Infection Vector
The research did not identify a single WordPress vulnerability responsible for initial infections. The most likely entry points include stolen WordPress admin credentials, compromised FTP or SFTP access, vulnerable plugins or themes, and supply chain compromises from third-party code repositories. These vectors remain common across the WordPress ecosystem.
Detection Indicators
Administrators should search plugin and theme files for references to steamcommunity.com, invisible Unicode character arrays such as U+200C, U+200D, and U+2061 through U+2064, and cryptographic functions like hash_pbkdf2 and openssl_decrypt with AES-256-CTR. Disabled SSL verification in cURL settings indicates suspicious activity.
Network monitoring should flag WordPress servers making unexpected outbound requests to Steam Community profiles and pages loading JavaScript from nonstandard domains. Log analysis should reveal suspicious WordPress transient cache entries using a transient_caption prefix, along with POST requests carrying the cookie names DEpjndDbNc or tEcaKKXEsb.
Significance
This campaign demonstrates how attackers can weaponize trusted public platforms to create resilient command infrastructure. The technique doesn't represent a new type of WordPress compromise, but it shows sophisticated operators rethinking how they communicate with infected sites. By hiding payloads in visible-to-human-eye comments while embedding binary instructions in invisible characters, attackers created an encoding scheme that survives casual inspection and complicates automated detection systems.
Sources
https://hackread.com/wordpress-malware-steam-profile-comments-instructions/
https://securityaffairs.com/192990/breaking-news/godaddy-found-malware-on-1980-wordpress-sites-using-steam-as-c2-infrastructure.html
https://x.com/HackRead/status/2061790115202998437
https://cybersecuritynews.com/wordpress-malware-abuses-steam/amp
https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles
https://www.reddit.com/r/pwnhub/comments/1tury4q/new_wordpress_malware_hides_command_instructions

Comments