WordPress Malware Campaign Uses Steam Profiles to Hide Payloads


Security researchers have identified a WordPress malware campaign that uses Steam Community profile comments to conceal command-and-control data. Nearly 2,000 WordPress websites have reportedly been infected.

According to GoDaddy security engineers, the campaign was first uncovered in July 2025 and has since impacted approximately 1,980 WordPress sites. The exact initial infection method remains unclear, but researchers believe attackers may be gaining access through stolen WordPress admin credentials, compromised FTP/SFTP accounts, vulnerable themes or plugins, or a possible supply-chain compromise.

The malware’s first stage is planted on compromised WordPress sites and activates during page loads. It reaches out to specific Steam Community profiles and extracts data hidden inside normal-looking profile comments. While the comments appear harmless, they contain invisible Unicode characters that encode the attacker’s payload.
Researchers found that the malware uses six invisible Unicode characters to hide the encoded data:

Zero-width non-joiner, zero-width joiner, function application, invisible times, invisible separator, and invisible plus.

The decoder ignores visible characters and reads only the invisible ones. These characters are mapped to numbers, converted into binary, and then reconstructed into bytes. This allows the attacker to embed malicious instructions inside text that appears benign to users and security tools.
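Added example (not code from the article or from the GoDaddy report): a small Python triage check, written from the defender's side, that flags text carrying a dense sequence of the six invisible code points named above, pulls out the hidden sequence for an analyst and shows what a reader would actually see. The thresholds and the constructed sample comment are assumptions; the article does not give the malware's number mapping, so no decoding is attempted.

```python
import re

# The six invisible code points the article names (real Unicode characters).
INVISIBLE = {
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
}
MATH_LAYOUT = "\u2061\u2062\u2063\u2064"  # almost never legitimate in a comment
_RUN = re.compile("[" + "".join(INVISIBLE) + "]+")

# Constructed sample: a harmless-looking comment with 36 hidden characters
# interleaved after the visible ones, mimicking the stego layout described.
COVER = "Great trades, thanks! Add me for more."
HIDDEN = "\u200c\u2062\u2064\u2061\u2063\u200d" * 6

def build_sample():
    hidden = iter(HIDDEN)
    return "".join(ch + next(hidden, "") for ch in COVER) + "".join(hidden)

def extract_hidden(text):
    """What the malware's decoder reads: only the invisible code points, in order."""
    return "".join(ch for ch in text if ch in INVISIBLE)

def strip_hidden(text):
    """What a human or a naive scanner sees: the text with the carrier removed."""
    return "".join(ch for ch in text if ch not in INVISIBLE)

def hidden_runs(text):
    """(offset, length) of each maximal run of invisible characters, for triage."""
    return [(m.start(), m.end() - m.start()) for m in _RUN.finditer(text)]

def is_suspicious(text, min_hidden=16, min_ratio=0.2):
    """Heuristic: many hidden chars, and either math-layout code points (which
    legitimate text has no reason to carry) or a high hidden-to-total ratio.
    ZWJ/ZWNJ alone are tolerated because emoji sequences and scripts such as
    Persian use them legitimately. Thresholds are assumptions, not from the report."""
    hidden = extract_hidden(text)
    if len(hidden) < min_hidden:
        return False
    has_math_layout = any(ch in MATH_LAYOUT for ch in hidden)
    return has_math_layout or len(hidden) / len(text) >= min_ratio

def report(text):
    hidden = extract_hidden(text)
    return {"hidden_chars": len(hidden), "visible": strip_hidden(text),
            "runs": len(hidden_runs(text)), "suspicious": is_suspicious(text),
            "code_points": sorted({INVISIBLE[c] for c in hidden})}
```

Run `report(build_sample())` to see the sample flagged while the same text with the carrier stripped reads as an ordinary comment; the same check can be pointed at cached Steam comment data or the `_transient_caption_` entries the article mentions.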

Once decoded, the payload builds a URL pointing to a malicious domain, hello-mywordl[.]info, which serves JavaScript that is injected into every frontend WordPress page. The malware disguises these scripts as legitimate JavaScript libraries by using filenames such as asahi-jquery-min-bundle and lodash.core.min.js.

The final stage installs a backdoor that responds to specially crafted POST requests containing a specific authentication cookie. If the required cookie is present, the backdoor accepts base64-encoded PHP code through a POST parameter, allowing the attacker to execute additional code on the compromised site.
GoDaddy also noted several evasion techniques, including obfuscated strings, randomized function names, fake disabled logging code, and the use of standard WordPress APIs to blend in with normal website activity.

Website owners and administrators should check for references to Steam Community URLs, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains such as hello-mywordl[.]info. Other indicators include invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware’s authentication cookie or the new_code parameter.

GoDaddy recommends restoring affected websites from a known clean backup created before the infection date. If a clean backup is not available, administrators should perform a thorough manual cleanup. Leaving any part of the malware active may allow attackers to reinstall removed components through the backdoor.

Aaron Fare