WordPress malware campaign hides payloads in Steam profiles
A malware campaign has compromised nearly 2,000 WordPress websites by using Steam Community profile comments as a command-and-control mechanism to hide malicious payloads.

A sophisticated malware campaign has successfully compromised approximately 1,980 WordPress websites by leveraging an unconventional command-and-control (C2) infrastructure: Steam Community profile comments. By embedding malicious payloads within invisible Unicode characters, the threat actors are able to bypass traditional security filters and maintain a persistent, stealthy connection to their botnet. This method allows the attackers to avoid hosting C2 servers on traditional infrastructure, significantly complicating detection and takedown efforts.
Security researchers at GoDaddy discovered that the malware uses a specific set of six invisible Unicode characters—including the zero-width non-joiner and various invisible mathematical symbols—to encode binary data. These characters are hidden within seemingly benign text or ASCII art posted on public Steam profiles. When an infected WordPress site loads, it executes a script that scrapes these profiles, decodes the hidden binary stream, and reconstructs the payload, which is then used to fetch further malicious instructions from the domain hello-mywordl[.]info.
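Detection logic for the hiding technique described above, added here as an example and not code from GoDaddy or the campaign: it flags long runs of invisible Unicode characters in text such as a fetched profile page or an injected script, and lists which code points make up the run. It assumes any code point in Unicode category Cf (format) can be a carrier, which is broader than the campaign's specific six; the sample text is constructed.

```python
import unicodedata

def is_carrier(ch: str) -> bool:
    """Treat every format (Cf) code point as a possible carrier. This covers the
    zero-width non-joiner (U+200C) named in the article and the invisible math
    operators U+2061..U+2064; it is an assumption, wider than the campaign's set."""
    return unicodedata.category(ch) == "Cf"

def invisible_runs(text: str, min_len: int = 16) -> list[tuple[int, int]]:
    """Return (offset, length) for every run of at least min_len consecutive
    carrier code points. Ordinary text rarely has more than one or two in a
    row; a long run is where a hidden bit stream would sit."""
    runs: list[tuple[int, int]] = []
    start = None
    for i, ch in enumerate(text):
        if is_carrier(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(text) - start >= min_len:
        runs.append((start, len(text) - start))
    return runs

def carrier_histogram(text: str) -> dict[str, int]:
    """Count each carrier code point by name so an analyst can see the hidden
    alphabet in use (the article reports a six-symbol alphabet)."""
    counts: dict[str, int] = {}
    for ch in text:
        if is_carrier(ch):
            name = unicodedata.name(ch, f"U+{ord(ch):04X}")
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample: a short ASCII-art comment with 24 invisible code points
# wedged between two visible words, plus one stray zero-width space at the end.
SAMPLE = "Hello" + "\u200c\u2062" * 12 + " world " + "\u200b"

if __name__ == "__main__":
    for offset, length in invisible_runs(SAMPLE):
        print(f"hidden run at offset {offset}, {length} code points")
    print(carrier_histogram(SAMPLE))
```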
Once the payload is retrieved, the malware disguises itself as legitimate JavaScript libraries, such as 'asahi-jquery-min-bundle' or 'lodash.core.min.js', to evade administrative scrutiny. The final stage of the infection involves the deployment of a backdoor that listens for specific POST requests. By including a unique authentication cookie, 'tEcaKKXEsb', the attacker can send base64-encoded PHP code to the server, granting them arbitrary code execution capabilities on the compromised WordPress environment.
While the exact initial infection vector remains unconfirmed, researchers suspect the attackers gain access through stolen administrative credentials, compromised FTP/SFTP accounts, or the exploitation of vulnerabilities in outdated WordPress themes and plugins. The malware employs several evasion techniques, including randomized function names, strings obfuscated with octal and hex escapes, and the deliberate disabling of logging mechanisms so that its activity blends in with standard server traffic.
Site administrators are urged to audit their environments for suspicious outbound connections to Steam Community URLs and unexpected external JavaScript injections. Indicators of compromise include the presence of the 'tEcaKKXEsb' cookie, unexpected 'new_code' POST parameters, and unusual cache entries in the WordPress transient table. Security teams should prioritize restoring from clean backups, as the backdoor's persistence mechanisms allow attackers to easily reinstall malicious components if the site is not thoroughly sanitized.