WordPress Malware Abuses Steam Profiles for C2 Operations

Marcus Rodriguez
June 2, 2026

Cybersecurity researchers have uncovered a novel malware campaign compromising WordPress websites that leverages an unexpected vector for its command-and-control (C2) operations: legitimate Steam community profiles. This sophisticated threat, detailed in a recent report, highlights an evolving landscape where attackers exploit popular platforms to evade detection and maintain persistence.

Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel.

The malware works in two stages. First, it injects malicious JavaScript into the front end of a compromised WordPress website, serving harmful content to every visitor who lands on the page.

Second, it plants a server-side backdoor that gives attackers persistent remote access, allowing them to modify WordPress plugin and theme files without any visible trace of the intrusion.

GoDaddy security researchers identified this campaign, noting it was first detected in July 2024 and has since been found across approximately 1,900 WordPress sites.

GoDaddy said in a report shared with Cyber Security News (CSN) that threat actors are deliberately disguising their infrastructure behind Valve’s trusted gaming platform rather than maintaining obviously malicious servers that could be flagged and taken down quickly.

What makes this campaign particularly difficult to detect is how the malware conceals its payloads. It uses invisible Unicode characters, a form of text steganography, to encode malicious data within Steam profile comment text.

Since those hidden characters look like completely normal text on the surface, traditional text-based scanning tools are far less likely to catch them during routine checks.

Example of Steam commentthread_comment_text content (Source - GoDaddy)

The reach of this campaign is significant. Compromised websites unknowingly serve injected scripts to every visitor, exposing real users to potential harm. For site owners, the damage runs deeper, as the backdoor gives attackers the ability to rewrite site code even after partial cleanup attempts.
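To show why a keyword scanner sees nothing unusual in such a comment, here is an added detector (not code from the report or from GoDaddy) that lists the invisible Unicode characters in a string, shows the text a scanner effectively sees, and flags comments carrying more than a couple of them. The sample comment is constructed, and the explicit carrier set and the threshold are my assumptions.

```python
import unicodedata

# Format characters (Unicode category "Cf") render as nothing, so text that carries
# them looks identical to clean text. This set lists the usual zero-width carriers
# explicitly (assumed, not from the report); the category check catches the rest.
COMMON_CARRIERS = {0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0xFEFF}

def _is_invisible(ch: str) -> bool:
    return ord(ch) in COMMON_CARRIERS or unicodedata.category(ch) == "Cf"

def invisible_chars(text: str) -> list:
    """(offset, code point, Unicode name) for every invisible character in text."""
    return [(i, ord(ch), unicodedata.name(ch, "UNNAMED"))
            for i, ch in enumerate(text) if _is_invisible(ch)]

def visible_text(text: str) -> str:
    """What a keyword-based scanner effectively sees: the text with carriers removed."""
    return "".join(ch for ch in text if not _is_invisible(ch))

def carrier_ratio(text: str) -> float:
    """Share of the string that is invisible (0.0 for empty input)."""
    return len(invisible_chars(text)) / len(text) if text else 0.0

def is_suspect(text: str, max_count: int = 2) -> bool:
    """Ordinary prose almost never contains format characters; a stray soft hyphen
    or byte-order mark is tolerated by max_count, anything beyond it is flagged."""
    return len(invisible_chars(text)) > max_count

# Constructed sample: a harmless-looking comment with zero-width carriers inserted.
SAMPLE_COMMENT = "Nice \u200b\u200c\u200d\u2060games, \u200b\u200c\u200d\u2060add me!"
BENIGN_COMMENT = "Nice games, add me!"

if __name__ == "__main__":
    print(repr(visible_text(SAMPLE_COMMENT)))  # renders exactly like BENIGN_COMMENT
    for offset, cp, name in invisible_chars(SAMPLE_COMMENT):
        print(f"offset {offset:2d}: U+{cp:04X} {name}")
    print("suspect:", is_suspect(SAMPLE_COMMENT), "benign:", is_suspect(BENIGN_COMMENT))
```

Run the same check over comment text fetched by a site's own scanner, or over any string a plugin pulls from a third-party profile, before it is trusted.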

WordPress Malware Abuses Steam Community Profiles

The core of this attack relies on a PHP function embedded within the compromised WordPress installation.

When any page on the infected site loads, the malware sends an HTTP request to a Steam Community profile page using cURL, scrapes comment text from that profile, and decodes hidden payloads embedded inside it.

The malware has been observed fetching profiles such as steamcommunity.com/profiles/76561199096946028 and caches extracted content using WordPress transients with a five-minute expiration window.

PublicWWW results showing websites loading hello-myworld[.]info (Source - GoDaddy)

The decoded data becomes a JavaScript URL injected into every front-end page via the wp_enqueue_script hook, under the handle name "asahi-jquery-min-bundle", chosen to mimic a legitimate library.

The decoded external URL observed during analysis pointed to hello-myworld[.]info, which serves the final malicious JavaScript payload to site visitors.

Stealthy Backdoor Enables Remote Code Execution

The server-side component is just as dangerous as the front-end injection. A backdoor function registered through WordPress’s template_redirect hook listens for POST requests containing specific authentication cookies.

When those cookies are present, the backdoor either confirms it is active by returning a version string, or accepts base64-encoded PHP code and rewrites plugin and theme files across the entire WordPress installation.

This remote code execution capability means that even if a site owner removes part of the infection, attackers can reinstall deleted code through the still-active backdoor.

The malware protects this channel using AES-256-CTR encryption with PBKDF2 key derivation based on SHA-512 and 10,000 iterations, along with HMAC-SHA256 authentication to verify each incoming payload.

To evade detection, the malware layers multiple obfuscation techniques. All string constants are encoded using octal or hexadecimal escape sequences, function and variable names follow a randomized mixed-case hexadecimal style, and a disabled logging function is scattered through the code to mimic legitimate debugging infrastructure without ever executing.

Site administrators who suspect an infection should enable maintenance mode right away and back up the compromised installation before making any changes.

All WordPress credentials, including admin passwords, database access, FTP credentials, and SSH keys, must be rotated. Cleanup must cover every plugin and theme file, since partial removal is not enough given the backdoor's ability to remotely restore deleted code.

Suspicious transient cache entries with the prefix transient_caption and enqueued external scripts pointing to unknown domains should be removed.
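For the cleanup step, here is an added file scanner (my own code, not GoDaddy's or WordPress's tooling) that walks a theme or plugin tree and flags the behaviours described in this article: a Steam Community fetch combined with transient_caption caching or an externally hosted wp_enqueue_script, a cookie-gated template_redirect handler that writes base64-decoded code to disk, and a high density of octal or hex escape sequences. The regular expressions, thresholds and sample fragments are constructed approximations, not signatures from the report.

```python
import os, re, tempfile
# Behavioural indicators described in the write-up; these regexes are my own approximations, not GoDaddy's signatures.
INDICATORS = {
    "steam_fetch":     re.compile(r"steamcommunity\.com", re.I),
    "transient_cache": re.compile(r"set_transient\s*\(\s*['\"]transient_caption", re.I),
    "remote_enqueue":  re.compile(r"wp_enqueue_script\s*\([^;]*?https?://", re.I | re.S),
    "backdoor_hook":   re.compile(r"add_action\s*\(\s*['\"]template_redirect", re.I),
    "cookie_gate":     re.compile(r"\$_COOKIE\s*\[", re.I),
    "code_write":      re.compile(r"base64_decode[\s\S]{0,500}?file_put_contents", re.I),
}
ESCAPE_RE = re.compile(r"\\(?:x[0-9a-fA-F]{2}|[0-7]{3})")  # octal (\101) or hex (\x41) escapes

def scan_php(source: str) -> dict:
    """Indicator hits plus an obfuscation score: escape count x 4 / length (near 1.0 = all escapes)."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["escape_density"] = len(ESCAPE_RE.findall(source)) * 4 / max(len(source), 1)
    return hits

def verdict(hits: dict) -> str:
    """Loader: Steam fetch plus transient caching or remote enqueue. Backdoor: hook, cookie gate, file write."""
    loader = hits["steam_fetch"] and (hits["transient_cache"] or hits["remote_enqueue"])
    backdoor = hits["backdoor_hook"] and hits["cookie_gate"] and hits["code_write"]
    if loader or backdoor:
        return "malicious"
    return "suspicious" if hits["escape_density"] > 0.3 else "clean"

def scan_tree(root: str) -> dict:
    """Map every .php file under root (path relative to root) to its verdict."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = verdict(scan_php(fh.read()))
    return results

# Constructed samples: fragments that exhibit the indicators, not working malware.
LOADER_FRAGMENT = ("<?php $u = 'https://steamcommunity.com/profiles/PLACEHOLDER/';\n"
                   "set_transient('transient_caption_' . md5($u), $data, 300);\n"
                   "wp_enqueue_script('asahi-jquery-min-bundle', 'https://example.invalid/x.js');\n")
OBFUSCATED_FRAGMENT = '<?php $s = "\\x68\\x65\\x6c\\x6c\\x6f\\x20\\x77\\x6f\\x72\\x6c\\x64";\n'
CLEAN_FRAGMENT = "<?php wp_enqueue_script('theme-main', get_stylesheet_directory_uri() . '/main.js');\n"
SAMPLES = {"functions.php": LOADER_FRAGMENT, "helper.php": OBFUSCATED_FRAGMENT, "clean.php": CLEAN_FRAGMENT}

def demo() -> dict:
    """Write the samples into a throwaway themes/demo-child directory and scan the tree."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "themes", "demo-child")
        os.makedirs(theme_dir)
        for fname, body in SAMPLES.items():
            with open(os.path.join(theme_dir, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point scan_tree at a copy of wp-content taken from the backup made before cleanup; files reported as malicious or suspicious are candidates for restoration from a known-good release rather than in-place editing.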

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| URL | https://steamcommunity.com/profiles/76561199096946028/ | Steam profile used to host encoded C2 payloads |
| URL | https://steamcommunity.com/id/ravypadliha | Steam profile observed during malware fetching |
| URL | https://steamcommunity.com/id/enomisvool123/ | Steam profile observed during malware fetching |
| URL | https://steamcommunity.com/id/eremohnf342 | Steam profile observed during malware fetching |
| Domain | hello-myworld[.]info | External domain serving the decoded malicious JavaScript payload |
| Cookie Name | DEpjndDbNc | Authentication cookie used to trigger backdoor ping/keepalive response |
| Cookie Name | tEcaKKXEsb | Authentication cookie used to trigger remote code execution via backdoor |
| File Path | /wp-content/themes/gt3-child/functions.php | File path where malware was initially discovered |
| Handle Name | asahi-jquery-min-bundle | Deceptive script handle name used to inject malicious JavaScript |
| Transient Prefix | transient_caption | WordPress transient cache prefix used to store C2 data |
| Function Name | Ce8d26cADf211699 | PHP function responsible for fetching Steam profile content |
| Function Name | EdF20922Ff709e68 | PHP function performing cryptographic decoding of payloads |
| Function Name | G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 | PHP function injecting decoded script into WordPress front end |
| Function Name | mpzZYIbGOb | PHP backdoor handler function registered via template_redirect |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
