WordPress malware hides C2 commands in Steam profile comments

Aisha Nakamura
By
Aisha Nakamura
Tech writer at All Things Geek. Covers gaming, consoles, and interactive entertainment.
9 Min Read
WordPress malware hides C2 commands in Steam profile comments

A WordPress malware campaign discovered by GoDaddy Security researchers in July 2025 exploits Steam Community profile comments as a hidden command-and-control network, turning a legitimate gaming platform into infrastructure for coordinating attacks on nearly 2,000 WordPress websites.

Key Takeaways

  • GoDaddy identified malware on approximately 1,980 WordPress sites using Steam profiles for C2 relay
  • Invisible Unicode characters embedded in normal-looking Steam comments conceal encoded payloads
  • The malware injects JavaScript into WordPress frontends and deploys server-side backdoors for remote access
  • Six specific invisible Unicode characters encode the payload: zero-width non-joiner, zero-width joiner, function application, invisible times, invisible separator, and invisible plus
  • Attackers avoid maintaining obvious malicious infrastructure by leveraging Valve’s trusted platform as storage

How the WordPress malware campaign works

The WordPress malware campaign operates through two distinct infection chains: a client-side JavaScript injection path and a server-side backdoor that grants persistent access. On the client side, the malware fetches Steam Community profile pages using cURL, extracts content from the `commentthread_comment_text` section, and decodes hidden payloads using Unicode steganography. The decoded payload constructs a URL pointing to `hello-mywordl[.]info` that serves malicious JavaScript injected into every WordPress frontend page using the `asahi-jquery-min-bundle` handle.

The server-side component establishes a cookie-authenticated backdoor that persists across WordPress installations, allowing attackers to modify PHP files across plugins and themes without additional authentication. This dual-layer approach means even if WordPress administrators patch the initial infection vector, the backdoor remains active and ready for further exploitation. The malware uses obfuscated strings, randomized function names, and fake disabled logging code to blend with normal WordPress activity, making detection through standard security audits significantly harder.

Unicode steganography masks the C2 instructions

The technical innovation behind this WordPress malware campaign lies in its encoding mechanism: six invisible Unicode characters replace visible text to hide command-and-control data in plain sight. The zero-width non-joiner (U+200C), zero-width joiner (U+200D), function application (U+2061), invisible times (U+2062), invisible separator (U+2063), and invisible plus (U+2064) are embedded within seemingly normal Steam profile comments. A reader viewing the comment sees only legitimate text, but the malware’s decoder ignores visible characters entirely, mapping the invisible characters to numbers, converting them to binary, and reconstructing bytes from the binary stream.

Once decoded, the payload is optionally encrypted using AES-256-CTR with PBKDF2 key derivation and HMAC authentication, adding a second layer of obfuscation. This approach is particularly effective because it exploits the trust placed in Valve’s platform—security teams rarely flag Steam Community as a malware vector, and the legitimate traffic to Steam’s servers masks the actual C2 communications. Attackers update instructions by simply posting new encoded comments, eliminating the need to maintain separate command servers that could be tracked, blocked, or seized by law enforcement.

Infection vectors remain unclear, but patterns suggest multiple entry points

GoDaddy researchers did not identify a single definitive initial-access vector for this WordPress malware campaign, instead listing several plausible entry methods. Stolen administrator credentials, exposed FTP or SFTP accounts, vulnerable plugins or themes, and compromised third-party code all represent likely pathways that attackers could exploit to plant the malware. This uncertainty reflects the reality of WordPress security: the platform’s popularity and extensibility create numerous potential weak points, and different victims may have been compromised through entirely different methods.

The lack of a single identified vector complicates remediation advice. Organizations cannot assume they were hit through a specific vulnerability in a particular plugin or theme. Instead, comprehensive response requires auditing access logs, reviewing file modifications, checking for unauthorized admin accounts, and scanning all installed plugins and themes for backdoors or injected code. The presence of a server-side backdoor means that simply removing the initial infection vector—patching a vulnerable plugin, for example—will not eliminate the threat if the backdoor remains in place.

Why Steam Community became an attractive C2 platform

The WordPress malware campaign’s use of Steam Community profiles represents a clever abuse of trust and infrastructure. Valve’s platform receives legitimate traffic from millions of users daily, making it nearly impossible to block without disrupting gaming services. Comments on public profiles are stored indefinitely unless explicitly deleted, providing persistent storage for C2 instructions. Most importantly, security teams and automated threat detection systems rarely flag Steam as a malware vector because the platform is primarily associated with gaming rather than cybercrime.

This pattern mirrors earlier malware families like LummaC2 and CastleRAT, which have also exploited Steam as a dead-drop or C2 relay. However, the WordPress malware campaign’s integration of Unicode steganography, AES encryption, and WordPress-specific injection techniques represents a more sophisticated evolution. Rather than simply posting readable commands in comments, attackers hide payloads within the invisible Unicode layer, making detection exponentially harder for both automated scanners and human reviewers.

What WordPress site owners should do now

Immediate action for affected WordPress installations begins with identifying whether the malware is present. Site administrators should search WordPress database tables and file systems for references to `hello-mywordl[.]info` or the `asahi-jquery-min-bundle` handle. Any PHP files with recent modification timestamps, particularly in plugin and theme directories, warrant close inspection. GoDaddy’s research provides specific indicators: look for JavaScript injection using `wp_enqueue_script()` with suspicious handles, and audit user accounts for unauthorized administrators added after the initial compromise.

Remediation requires more than removing infected files. The server-side backdoor must be eliminated to prevent re-infection, which means changing all WordPress admin passwords, reviewing database users and permissions, and potentially restoring from a clean backup if the malware is deeply embedded. For future protection, implement regular security audits, keep all plugins and themes updated, restrict admin access to known IP addresses, and deploy Web Application Firewall (WAF) rules to block known malicious domains. Two-factor authentication on all admin accounts significantly reduces the risk of credential-based initial compromise.

Is this WordPress malware campaign still active?

The WordPress malware campaign was first detected in July 2025, and GoDaddy identified approximately 1,980 infected WordPress sites. Current activity status is not explicitly detailed in available research, but the use of Steam Community profiles as C2 infrastructure suggests the campaign can remain active indefinitely without obvious indicators. Attackers can continue posting encoded instructions to their Steam profiles, and infected sites will continue fetching and executing those instructions unless the backdoor is removed.

Can WordPress site owners remove this malware themselves?

Removing the WordPress malware campaign requires technical expertise. Site owners comfortable with file system access and database administration can attempt removal by deleting injected code, removing the backdoor, and changing all credentials. However, the server-side backdoor’s persistence and the malware’s use of obfuscated code make manual removal risky—incomplete removal often leaves backdoors in place, allowing re-infection. Professional security services or managed WordPress hosting providers with malware remediation teams are strongly recommended for organizations lacking in-house expertise.

The WordPress malware campaign demonstrates how attackers weaponize trust in legitimate platforms to hide infrastructure and coordinate attacks. By exploiting Steam Community’s permanence, traffic volume, and low suspicion as a malware vector, this campaign bypasses traditional security detection. Site owners cannot afford to assume their WordPress installations are safe simply because they run updated plugins—this malware targets the WordPress core functionality itself through backdoors that persist even after patches are applied. Immediate auditing and professional remediation are the only reliable path to elimination.

Edited by the All Things Geek team.

Source: TechRadar

Share This Article
Tech writer at All Things Geek. Covers gaming, consoles, and interactive entertainment.