top of page

WordPress Malware Hides C2 Instructions in Steam Profile Comments

  • Jun 2
  • 3 min read

Key Findings


  • New malware campaign discovered on approximately 1,980 WordPress sites using Steam Community profile comments to store encoded command-and-control instructions

  • Malware uses invisible Unicode characters hidden within visible Steam profile comments to deliver payloads, making detection difficult

  • Infected sites load external malicious JavaScript and contain a server-side backdoor capable of modifying PHP files for persistent access

  • Campaign first detected in July 2025 and uses legitimate-looking filenames and WordPress functions to evade detection

  • Attack combines visitor-facing code injection with administrator-level file modification capabilities, allowing attackers to survive partial cleanup attempts


Background


GoDaddy Security researchers identified this campaign while analyzing malware samples across their customer base. The discovery highlights an emerging trend where attackers abuse legitimate public platforms to host command infrastructure, bypassing traditional network defenses that flag obvious malicious servers. By leveraging Steam's trusted status and massive user base, attackers created a distribution method that appears benign to standard security monitoring.


Steam Comment Encoding Mechanism


The malware stores encoded instructions within Steam Community profile comments using six invisible Unicode characters that carry no visual representation: zero-width non-joiner, zero-width joiner, function application, invisible times, invisible separator, and invisible plus. To human eyes, the comments appear to be harmless ASCII art or casual messages.


The malware strips all visible text from the comment, then maps each invisible Unicode character to a number between 0 and 5. These numbers convert to binary, which reconstructs into executable bytes. A bitwise NOT operation completes the decoding process. Some variants add another layer of protection using AES-256-CTR encryption with PBKDF2 key derivation running 10,000 iterations, plus HMAC-SHA256 authentication.


Client-Side Injection


Once decoded, the malware constructs a URL pointing to hello-mywordl.info and loads a JavaScript file named lodash.core.min.js. This filename mimics a legitimate, widely used library, helping it blend into normal page traffic. The script injects into every WordPress frontend page through the wp_enqueue_scripts hook using the handle "asahi-jquery-min-bundle," another deliberately ordinary-sounding name.


Any administrator reviewing loaded scripts must look past convincingly named files to identify the malicious injection. The script executes on every page load, giving attackers continuous access to visitor data and browser environments.


Server-Side Backdoor


The more dangerous component is a persistent backdoor that listens on every WordPress page load for specific authentication cookies in POST requests. One cookie acts as a ping mechanism, returning an "OK" response with a version identifier to confirm the backdoor remains active.


A second cookie, tEcaKKXEsb, allows attackers to send base64-encoded PHP code through a POST parameter named new_code. The backdoor searches plugin and theme directories for a known marker string connected to the script injection function, then overwrites matching lines with attacker-supplied code. This capability lets operators update malware, change injected scripts, or restore removed code even after partial cleanup attempts.


Obfuscation Techniques


The malware employs multiple obfuscation layers to avoid detection. All string constants use octal or hexadecimal escape sequences, preventing text searches for indicators like "steamcommunity.com" or "https://". Function and variable names appear as random hex strings rather than descriptive identifiers.


The code includes non-functional logging systems with hardcoded disabled variables, creating the appearance of legitimate, carefully written software during quick reviews. Throughout the malware, attackers use standard WordPress API calls including add_action, wp_enqueue_script, get_transient, set_transient, file_get_contents, and file_put_contents. This reliance on familiar functions makes behavioral detection significantly harder because everything resembles normal plugin activity.


Initial Infection Vector


The research did not identify a single WordPress vulnerability responsible for initial infections. The most likely entry points include stolen WordPress admin credentials, compromised FTP or SFTP access, vulnerable plugins or themes, and supply chain compromises from third-party code repositories. These vectors remain common across the WordPress ecosystem.


Detection Indicators


Administrators should search plugin and theme files for references to steamcommunity.com, invisible Unicode character arrays such as U+200C, U+200D, and U+2061 through U+2064, and cryptographic functions like hash_pbkdf2 and openssl_decrypt with AES-256-CTR. Disabled SSL verification in cURL settings indicates suspicious activity.


Network monitoring should flag WordPress servers making unexpected outbound requests to Steam Community profiles and pages loading JavaScript from nonstandard domains. Log analysis should reveal suspicious WordPress transient cache entries using a transient_caption prefix, along with POST requests carrying the cookie names DEpjndDbNc or tEcaKKXEsb.


Significance


This campaign demonstrates how attackers can weaponize trusted public platforms to create resilient command infrastructure. The technique doesn't represent a new type of WordPress compromise, but it shows sophisticated operators rethinking how they communicate with infected sites. By hiding payloads in visible-to-human-eye comments while embedding binary instructions in invisible characters, attackers created an encoding scheme that survives casual inspection and complicates automated detection systems.


Sources


  • https://hackread.com/wordpress-malware-steam-profile-comments-instructions/

  • https://securityaffairs.com/192990/breaking-news/godaddy-found-malware-on-1980-wordpress-sites-using-steam-as-c2-infrastructure.html

  • https://x.com/HackRead/status/2061790115202998437

  • https://cybersecuritynews.com/wordpress-malware-abuses-steam/amp

  • https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles

  • https://www.reddit.com/r/pwnhub/comments/1tury4q/new_wordpress_malware_hides_command_instructions

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page