WordPress malware campaign hides payloads in Steam profiles
GoDaddy researchers warn of a WordPress malware campaign that has infected nearly 2,000 sites since mid-2025 by embedding payloads in Steam Community profile comments. The attacker uses invisible Unicode characters to encode a payload that constructs a URL to a malicious JavaScript script, hiding the C2 channel on Steam to blend with legitimate traffic. The final stage delivers a backdoor that accepts base64-encoded PHP code via POST when a specific authentication cookie is present. Potential infection vectors include stolen admin credentials, compromised FTP/SFTP, vulnerable plugins/themes, or supply-chain compromises. Defense guidance includes watching for Steam URLs, suspicious JavaScript injections, outbound connections to Steam, and indicators like invisible characters or unusual cached entries; responders should restore from a known-good backup or perform thorough manual cleanup to prevent reinfection.

WordPress Malware Campaign Hides Payloads in Steam Profiles
Overview
A stealthy campaign targeting WordPress websites used Steam Community profiles as an unconventional channel to hide and deliver malicious payloads. Security researchers have observed that nearly two thousand WordPress sites were compromised and used to retrieve encoded data from benign-looking Steam profile comments. The attackers leveraged invisible Unicode characters within those comments to carry a hidden payload, which is then decoded into a functioning script. By routing the channel through Valve’s platform, the threat actor avoided standing up separate command-and-control infrastructure and blended with normal traffic patterns, making detection more challenging.
Infection Vectors and Initial Access
The exact method by which the WordPress sites were breached remains unclear. Investigators suggest several plausible routes, including:
- Stolen administrator credentials for WordPress or hosting control panels
- Compromised FTP/SFTP credentials
- Exploitation of a vulnerable WordPress theme or plugin
- Supply-chain compromise affecting plugins or themes
Once access is gained, the first-stage malware leverages standard WordPress page loads to contact specific Steam profiles. There, it extracts text from comments that appear harmless at first glance. The malicious payload is concealed within those comments using a set of invisible characters, making the embedded instructions invisible to the casual observer.
Hidden payloads in Steam comments
The core trick relies on six invisible Unicode characters interleaved with ordinary visible text. These characters encode data that the decoding routine interprets as binary information. The six characters are:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Function application (U+2061)
- Invisible times (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
In practice, the decoder scans the text and ignores all visible characters, mapping the invisible ones to numbers, converting those numbers to a binary stream, and reconstructing bytes that form the actual payload. This technique allows binary data to be embedded in ordinary text while remaining camouflaged from quick inspection.
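A defender's first question is how to find comments or database fields that carry this kind of hidden stream. The following detector is an added example written for this article, not GoDaddy's tooling: it looks for the six code points listed above, strips them to show what a reviewer actually sees, and flags fields whose carrier count exceeds a threshold. The six code points are from the article; the sample comments, the threshold of eight carriers, and the report layout are constructed. The article does not publish the campaign's exact code-point-to-bit mapping, so the detector emits the raw digit stream rather than guessing at bytes.

```python
# Added example (not GoDaddy's tooling): flag text fields that carry the six
# invisible Unicode code points the article names. The six code points come
# from the article; the sample comments, the threshold and the report layout
# are constructed for illustration.
import unicodedata
from collections import Counter

# The six carrier code points, in a fixed order so each can be reported as a
# digit 0..5. The article does not publish the campaign's exact mapping from
# code point to bits, so the digit stream is raw material for an analyst.
INVISIBLE_CARRIERS = (
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2061",  # FUNCTION APPLICATION
    "\u2062",  # INVISIBLE TIMES
    "\u2063",  # INVISIBLE SEPARATOR
    "\u2064",  # INVISIBLE PLUS
)
CARRIER_INDEX = {ch: i for i, ch in enumerate(INVISIBLE_CARRIERS)}


def scan_text(text, min_carriers=8):
    """Report on carrier characters hidden in `text`.

    `min_carriers` is a constructed heuristic. Legitimate text does contain
    the occasional ZWJ/ZWNJ (emoji sequences, Persian and Indic scripts), so a
    single joiner is not flagged; a payload needs many carriers per comment.
    """
    carriers = [ch for ch in text if ch in CARRIER_INDEX]
    return {
        # What a human reviewer sees: the text with every carrier removed.
        "visible_text": "".join(ch for ch in text if ch not in CARRIER_INDEX),
        "carrier_count": len(carriers),
        "by_name": dict(Counter(unicodedata.name(ch) for ch in carriers)),
        # Ordered digit stream, ready for a decoder once the mapping is known.
        "digit_stream": [CARRIER_INDEX[ch] for ch in carriers],
        "suspicious": len(carriers) >= min_carriers,
    }


# Constructed samples: a benign comment whose only carrier is the ZWJ inside
# an emoji sequence, and a comment with a 30-carrier stream spread between
# its visible words (the content of the stream is arbitrary).
BENIGN_COMMENT = "great game \U0001F468\u200d\U0001F4BB gg"
SUSPICIOUS_COMMENT = (
    "nice" + "\u2061\u2062\u200c\u2064" * 6 + " profile " + "\u200d\u2063" * 3 + "!"
)

if __name__ == "__main__":
    for label, comment in (("benign", BENIGN_COMMENT), ("suspicious", SUSPICIOUS_COMMENT)):
        report = scan_text(comment)
        print(label, report["carrier_count"], report["suspicious"], repr(report["visible_text"]))
```

Run it over exported comment or post content and the `visible_text` field shows why a reviewer missed the payload: the stripped comment reads as plain "nice profile !". The per-name counts matter for tuning, since a field containing only zero-width joiners next to emoji is normal, whereas any occurrence of U+2061 through U+2064 in user-generated text is rare enough to deserve a look.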
From Payload to Script
After decoding, the payload constructs a URL pointing to a domain that hosts JavaScript code. The requests resolve to a site that appears legitimate but serves malicious scripts, which are then injected into frontend WordPress pages. The retrieved JavaScript is often disguised as a legitimate library, bearing names such as asahi-jquery-min-bundle or lodash.core.min.js. This presents the malware as a harmless utility rather than a hostile payload, helping it evade simple file integrity checks and casual inspection.
The final stage is the deployment of a backdoor. The backdoor is designed to respond to specially crafted POST requests that include a precise authentication cookie. If the cookie is present, the backdoor accepts base64-encoded PHP code delivered via a POST parameter. This creates a covert channel for remote code execution on compromised WordPress sites, enabling attackers to run arbitrary commands or further expand control.
Evasion Techniques
Researchers identified several evasion strategies used to maintain stealth and hinder analysis, including:
- Obfuscated strings that employ octal and hex escapes
- Randomized function names to disrupt pattern-based detections
- Fake disabled logging code that misleads debugging efforts
- Dependence on standard WordPress APIs to blend with legitimate activity
Additionally, the malware uses common WordPress behaviors and trusted code paths to avoid triggering alarms during routine checks, further complicating detection by defenders who monitor typical web application traffic.
Indicators of Compromise and Detection
Site owners and security teams can look for several telltale signs of this campaign:
- References to Steam Community URLs embedded within website code or comments
- External JavaScript injections loaded from domains associated with the attack, such as the hello-mywordl[.]info domain
- Outbound connections from WordPress servers to Steam or to the malicious payload host
- Scripts loading from unusual or untrusted domains that do not align with the site’s normal tech stack
- The presence of invisible Unicode characters within text fields or comments
- Unusual cache entries, especially entries labeled transientcaption_
- SSL verification disabled in cURL requests performed by the site
- POST requests containing suspicious authentication cookies or a new_code parameter used by the backdoor
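The indicators above translate directly into a triage pass over theme and plugin files and over egress-connection records. The scanner below is an added example written for this article, not GoDaddy's tooling. The indicator strings (the Steam Community host, the hello-mywordl[.]info domain, the transientcaption_ cache label, the tEcaKKXEsb cookie and the new_code parameter) are taken from the article; the rule names, the severity ranking, the sample PHP files, and the sample egress log are constructed. The cURL rule matches the real PHP constants CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST being set to false or 0.

```python
# Added example (not GoDaddy's tooling): grep-style triage for the indicators
# the article lists, run over file contents and egress-connection records.
# Indicator strings come from the article (the payload domain is defanged there
# as hello-mywordl[.]info); the rule names, severities and all sample inputs
# are constructed.
import re

INDICATORS = (
    # (rule name, pattern). Steam Community profile URLs and bare hostnames.
    ("steam_community", re.compile(r"steamcommunity\.com", re.I)),
    ("payload_host", re.compile(r"hello-mywordl\.info", re.I)),
    ("transient_cache_entry", re.compile(r"transientcaption_")),
    # cURL calls with peer or host verification switched off.
    ("curl_ssl_verify_disabled",
     re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b", re.I)),
    ("backdoor_cookie", re.compile(r"tEcaKKXEsb")),
    ("backdoor_post_param",
     re.compile(r"\$_(?:POST|REQUEST)\s*\[\s*['\"]new_code['\"]\s*\]")),
)

# Constructed severity ranking: the backdoor's own cookie and parameter are
# conclusive on their own; the other hits need a human look.
SEVERITY = {
    "backdoor_cookie": "critical", "backdoor_post_param": "critical",
    "payload_host": "high", "transient_cache_entry": "high",
    "steam_community": "medium", "curl_ssl_verify_disabled": "medium",
}
RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def find_indicators(text):
    """Return one finding per (line, rule) hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"rule": rule, "line": line_no, "text": line.strip()})
    return findings


def triage(findings):
    """Summarise findings into the highest severity seen and the rules hit."""
    severity = "none"
    for f in findings:
        if RANK[SEVERITY[f["rule"]]] > RANK[severity]:
            severity = SEVERITY[f["rule"]]
    return {"severity": severity, "rules": sorted({f["rule"] for f in findings})}


# Constructed sample resembling the injected PHP the article describes. The
# profile id is a placeholder and no executing handler is included.
SAMPLE_PHP = """<?php
$ch = curl_init('https://steamcommunity.com/profiles/PLACEHOLDER_ID');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$data = curl_exec($ch);
set_transient('transientcaption_' . md5($data), $data, 3600);
if (isset($_COOKIE['tEcaKKXEsb'])) { $blob = $_POST['new_code']; }
"""

# Constructed sample of an ordinary theme file: nothing should fire.
CLEAN_PHP = """<?php
wp_enqueue_script('jquery');
$ch = curl_init('https://api.example-partner.test/v1/status');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
set_transient('partner_status', curl_exec($ch), 300);
"""

# Constructed egress records (destination host:port per connection).
EGRESS_LOG = """\
2025-07-01T09:58:12Z wp-web-01 -> cdn.example-tenant.test:443
2025-07-01T09:58:14Z wp-web-01 -> steamcommunity.com:443
2025-07-01T09:58:15Z wp-web-01 -> hello-mywordl.info:443
"""

if __name__ == "__main__":
    for name, text in (("sample.php", SAMPLE_PHP), ("clean.php", CLEAN_PHP),
                       ("egress.log", EGRESS_LOG)):
        hits = find_indicators(text)
        print(name, triage(hits))
        for h in hits:
            print(f"  line {h['line']}: {h['rule']}: {h['text']}")
```

The medium-severity rules are deliberately noisy on their own: a theme that legitimately embeds a Steam widget will reference steamcommunity.com, and sloppy but benign plugins disable cURL verification. What makes the combination diagnostic is a server-side file that fetches from Steam, caches the response under the transientcaption_ label, and then reads a POST parameter gated on a cookie, which is why the triage reports the full set of rules hit rather than a single score.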
Decoded payloads and backdoor activity
The decoded data typically leads to a JavaScript payload served from a domain that mirrors legitimate JavaScript libraries, but with malicious intent. The backdoor listens for specific POST patterns and cookie values. The presence of the tEcaKKXEsb cookie is the notable trigger that enables the backdoor to process base64-encoded PHP code. This layered approach (covert payload delivery via encoded text, then a JavaScript-based front end, and finally a backdoor activated by a particular authentication cue) creates a challenging, multi-stage threat that can persist across multiple WordPress sites.
Campaign History and Scale
The campaign came to light in mid-2025, with GoDaddy security engineers reporting detections across approximately 1,980 WordPress websites. While the precise infection vector for each site may vary, the overall pattern remains consistent: a compromised WordPress environment uses Steam profile comments as a covert communications channel to deliver and activate malicious code. The use of Steam as a covert data carrier is unusual and demonstrates how attackers leverage popular platforms to mask their operations and avoid raising immediate suspicion.
Possible exposure vectors
- Breached credentials: stolen admin or hosting credentials enabling access
- Credential reuse: attackers leverage compromised accounts across multiple sites
- Plugin or theme vulnerabilities: exploitation of outdated, vulnerable components
- Supply-chain risks: compromised plugin/theme developers or distribution channels
Payload lifecycle and operational implications
- Initial compromise: the attacker gains access to the WordPress environment through one of the vectors above
- Payload delivery channel: Steam profile comments are used to carry encoded payloads
- Payload reconstruction: invisible Unicode characters are decoded into binary data
- Frontend injection: JavaScript from disguised library-like files is injected into pages
- Backdoor activation: specially crafted POST requests with a specific cookie unlock remote code execution
- Evasion and persistence: obfuscation, randomization, and standard API usage help evade detection and maintain presence
Context and takeaways
This campaign underscores the creative scope of modern malware operations. Adversaries are increasingly exploiting legitimate platforms and common technologies to hide their instructions and to blend in with normal traffic patterns. The combination of a lightweight first-stage loader, a clever encoding scheme using invisible characters, and a robust backdoor mechanism demonstrates how attackers can leverage multiple layers of obfuscation to achieve persistence and remote access without immediately triggering alerting systems.
Conclusion
WordPress environments remain a fertile ground for attackers seeking low-friction footholds and broad reach. By embedding malicious payloads in seemingly benign Steam profile comments and then decoding them into actionable JavaScript served on compromised WordPress sites, threat actors push the boundaries of covert operations. The campaign highlights the need for vigilant monitoring of unusual external references, strict validation of third-party components, and rigorous credential hygiene to reduce the likelihood of infection and to limit the scope of potential backdoors that can be activated through non-standard request patterns. As the landscape evolves, defenders must remain attentive to unconventional data carriers and the subtle cues that accompany multi-stage malware campaigns.


