WordPress malware campaign hides payloads in Steam profiles
By Bill Toulas
June 1, 2026, 01:04 PM
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.
The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve's platform, the attacker avoids maintaining a separate C2 infrastructure and evades traditional detection methods.
Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
It is unclear how the hackers breach the websites, but researchers assess that the initial infection vector ranges from stolen admin logins or compromised FTP/SFTP credentials to the exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.
The first-stage malware planted on a website uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments.
However, the text includes hidden Unicode characters that conceal malicious payloads sometimes disguised as ASCII art.
[Image: Malicious Steam comment. Source: GoDaddy]
GoDaddy researchers note in a report that the threat actor uses six invisible Unicode characters for the encoded payload:
Zero-width non-joiner (U+200C)
Zero-width joiner (U+200D)
Function application (U+2061)
Invisible times (U+2062)
Invisible separator (U+2063)
Invisible plus (U+2064)
The decoder ignores any visible character and maps the invisible ones to a corresponding number; then it converts them to binary representation and reconstructs bytes from the binary stream.
“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy says.
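As an added example (not GoDaddy's code and not the malware's), a Python check that counts those six code points in a comment, plus a decoder that follows the steps described above under an assumed digit layout (each invisible character is a base-6 digit, most significant first), since the article does not publish the real mapping. `hide_in_text` only builds a constructed sample comment so the decoder can be exercised.

```python
import unicodedata

# The six invisible code points named in the GoDaddy report, mapped to digits.
INVISIBLE = {
    "\u200c": 0,  # zero-width non-joiner
    "\u200d": 1,  # zero-width joiner
    "\u2061": 2,  # function application
    "\u2062": 3,  # invisible times
    "\u2063": 4,  # invisible separator
    "\u2064": 5,  # invisible plus
}
DIGIT_TO_CHAR = {v: k for k, v in INVISIBLE.items()}


def scan_comment(text):
    """Defender-side check: how many of the six code points a comment carries.
    Benign comments contain none, or a few ZWJs inside emoji sequences."""
    hidden = [ch for ch in text if ch in INVISIBLE]
    by_name = {unicodedata.name(ch): hidden.count(ch) for ch in set(hidden)}
    return {"hidden": len(hidden), "visible": len(text) - len(hidden), "by_name": by_name}


def decode_hidden(text):
    """Ignore every visible character, map each invisible one to its digit,
    read the digit string as a base-6 integer and rebuild bytes from its binary form.
    ASSUMPTION: base-6, most significant digit first; the article gives no layout."""
    digits = [INVISIBLE[ch] for ch in text if ch in INVISIBLE]
    value = 0
    for d in digits:
        value = value * 6 + d
    return value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""


def hide_in_text(payload, cover):
    """Inverse of decode_hidden; used here only to construct a sample comment.
    A payload starting with 0x00 would lose that byte (same assumed layout)."""
    value = int.from_bytes(payload, "big")
    digits = []
    while value:
        digits.append(value % 6)
        value //= 6
    hidden = "".join(DIGIT_TO_CHAR[d] for d in reversed(digits))
    # Spread the invisible digits between the visible cover characters.
    per_char = -(-len(hidden) // len(cover)) if cover else len(hidden)
    out, pos = [], 0
    for ch in cover:
        out.append(ch + hidden[pos:pos + per_char])
        pos += per_char
    return "".join(out) + hidden[pos:]
```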
According to the researchers, the decoded payload is used to build a hello-mywordl[.]info URL serving JavaScript code that is injected into every frontend WordPress page.
Based on the file names (e.g., asahi-jquery-min-bundle and lodash.core.min.js), the retrieved malware is disguised as a legitimate JavaScript library.
The final stage of the attack installs a backdoor that responds to specially crafted POST requests carrying a specific authentication cookie. "If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via POST parameter," the researchers explain.
[Image: POST request with the right cookie. Source: GoDaddy]
GoDaddy describes several evasion mechanisms employed by the malware, including obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and the use of standard WordPress APIs, allowing it to blend with normal activity.
Site owners can defend by checking for references to Steam Community URLs, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains such as hello-mywordl[.]info.
Other indicators include invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware's authentication cookies or the new_code parameter.
The researchers recommend that security teams prioritize restoring from a known good backup before the infection date. If this is not possible, the manual cleaning process should be thorough because "attackers can reinstall removed code through the backdoor if any component remains active."
Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.