
Malware Campaign Targets 2,000 WordPress Sites via Steam Profiles

Severity: High (Score: 69.0)

Sources: Securityaffairs.Co, Bleepingcomputer, www.godaddy.com

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: wordpress, malware, steam, godaddy, payloads, community, profile

Severity indicators: malware

Summary

A malware campaign has infected approximately 1,980 WordPress websites by hiding command-and-control (C2) data in Steam Community profiles. First identified by GoDaddy Security in July 2025, the malware encodes its instructions with invisible Unicode characters, so the payload is not visible in the profile and is easily missed by content scanners. The initial infection vector is unclear; stolen admin credentials or vulnerable themes and plugins are the suspected routes. Once installed, the malware fetches instructions from the Steam profile and injects malicious JavaScript into WordPress pages. Defenders are advised to monitor for requests to Steam URLs and for external JavaScript injected into pages, and to restore compromised sites from a known-good backup. The campaign is another instance of attackers using a trusted, high-reputation platform as a dead drop for C2 data.

Key Points:
  • Nearly 2,000 WordPress sites infected; Steam Community profiles serve as the C2 channel.
  • Payloads are encoded with invisible Unicode characters to evade detection.
  • GoDaddy recommends monitoring for suspicious Steam URLs and restoring from backups.

Detailed Analysis

**Impact**
Approximately 1,980 WordPress websites worldwide are infected. The affected sites span multiple sectors, and no geographic concentration has been reported. The malware installs a persistent backdoor that lets the attacker execute arbitrary PHP code on the site, which puts site integrity, data confidentiality, and availability at risk; organizations running these sites may face unauthorized data exposure and service disruption.

**Technical Details**
On each WordPress page load, the malware fetches its command-and-control payload from a Steam Community profile, where it is hidden in the profile text encoded with six invisible Unicode characters. The decoded payload yields URLs for malicious JavaScript hosted on domains such as hello-mywordl[.]info, which the malware injects into every frontend page. A separate backdoor component activates on POST requests that carry specific authentication cookies and accepts base64-encoded PHP code in a new_code parameter for remote execution. The infection vector has not been confirmed; stolen credentials, vulnerable plugins or themes, and supply-chain compromise are the likely candidates. To evade detection the code uses octal/hex string escapes, randomized function names, disabled logging, and standard WordPress APIs, so its activity resembles that of a legitimate plugin. No CVE or specific exploited vulnerability has been identified.

**Recommended Response**
Restore affected sites from a clean backup that predates the infection. Where that is not possible, review the code manually and remove every malware component, since any leftover piece can reinstall the backdoor. Monitor for outbound connections to Steam Community URLs, for unexpected external JavaScript injected into pages, and for POST requests that carry the malware's authentication cookies or a new_code parameter. Block domains such as hello-mywordl[.]info and scan site content for invisible Unicode characters.
No patch applies, because no exploited vulnerability has been identified; the durable controls are credential security (rotating admin credentials after a compromise), keeping plugins and themes updated, and reducing supply-chain exposure from third-party themes and plugins.
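The checks the Technical Details and Recommended Response sections describe, as an added hunting script that is not GoDaddy's analysis code and not the malware itself. The page does not list the six invisible code points the loader uses or the names of its authentication cookies, so the INVISIBLE character set and the auth_cookies handling are assumptions; hello-mywordl.info is the payload host named in the analysis and steamcommunity.com the C2 host. The sample PHP source and request payloads are constructed for the demonstration.

```python
"""Hunt for indicators of the Steam-profile C2 WordPress infection.

Added example for this write-up, not GoDaddy's analysis code and not the
malware. The six invisible code points and the cookie names are not given
on the page, so INVISIBLE and auth_cookies are assumptions. All sample
inputs below are constructed.
"""
import base64
import re
import unicodedata

# Zero-width / invisible format characters used for text steganography.
# Assumption: the campaign's six are drawn from this kind of set.
INVISIBLE = frozenset(
    "\u200b\u200c\u200d\u200e\u200f\u2060\u2061\u2062\u2063\u2064\ufeff\u180e"
)
STEAM_HOST_RE = re.compile(r"steamcommunity\.com", re.I)
PAYLOAD_HOST_RE = re.compile(r"hello-mywordl\.info", re.I)
# Four or more consecutive "\xNN" / "\NNN" escapes: the string obfuscation
# the analysis describes for hiding host and function names.
ESCAPED_STRING_RE = re.compile(r"(?:\\(?:x[0-9a-fA-F]{2}|[0-7]{3})){4,}")
# What a decoded new_code payload is expected to contain.
PHP_CODE_RE = re.compile(rb"<\?php|\b(?:eval|assert|system|file_put_contents)\s*\(")

# Constructed sample of a loader hiding the Steam URL behind hex escapes
# and carrying a short run of invisible characters.
SAMPLE_PHP = (
    '<?php $u = "\\x68\\x74\\x74\\x70\\x73://steamcommunity.com/id/example";\n'
    '$h = "' + "\u200b\u200c\u200d\u2060\u200b\u200c" + '";\n'
)
# Constructed new_code values: one carrying PHP, one benign ("hello").
SAMPLE_PAYLOAD = base64.b64encode(b"<?php eval($_POST['c']);").decode()
BENIGN_B64 = "aGVsbG8="


def invisible_runs(text, min_run=6):
    """Return (offset, length) for every run of at least min_run invisible chars."""
    runs, start = [], None
    for i, ch in enumerate(text):
        if ch in INVISIBLE or unicodedata.category(ch) == "Cf":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(text) - start >= min_run:
        runs.append((start, len(text) - start))
    return runs


def scan_php_source(path, source):
    """Flag C2/payload host references, escape obfuscation and hidden text."""
    findings = []
    if STEAM_HOST_RE.search(source):
        findings.append(f"{path}: steamcommunity.com referenced in PHP source")
    if PAYLOAD_HOST_RE.search(source):
        findings.append(f"{path}: hello-mywordl.info referenced")
    if ESCAPED_STRING_RE.search(source):
        findings.append(f"{path}: octal/hex escaped string literal")
    for off, n in invisible_runs(source):
        findings.append(f"{path}: {n} invisible Unicode chars at offset {off}")
    return findings


def decode_new_code(value):
    """Strict base64 decode of a new_code value; None unless it looks like PHP."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None
    return raw if PHP_CODE_RE.search(raw) else None


def is_backdoor_request(method, params, cookies, auth_cookies=frozenset()):
    """WAF-style check for the backdoor trigger described in the analysis.

    True for a POST whose new_code parameter decodes to PHP, or, when the
    malware's cookie names are known from an IOC list, a POST presenting
    one of them. This runs on the live request, not the access log, because
    POST bodies do not appear in standard web server logs.
    """
    if method.upper() != "POST":
        return False
    if decode_new_code(params.get("new_code", "")) is not None:
        return True
    return bool(set(auth_cookies) & set(cookies))


if __name__ == "__main__":
    for finding in scan_php_source("wp-content/plugins/x/loader.php", SAMPLE_PHP):
        print(finding)
    print(is_backdoor_request("POST", {"new_code": SAMPLE_PAYLOAD}, {}))
```

The file scanner is meant to be run over wp-content and the WordPress core tree; the request check is the rule you would port to a WAF or an mu-plugin hooked early in the request, since the new_code parameter arrives in the POST body and never reaches the access log.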

Source articles (3)

  • WordPress malware campaign hides payloads in Steam profiles — Bleepingcomputer · 2026-06-01
    Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profiles to hide command-and-control (C2) data. The threat actor used invisible Unicode characters to encode a…
  • GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure — Securityaffairs.Co · 2026-06-02
    Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profiles using invisible Unicode. GoDaddy researchers spotted a command-and-control infrastructure for a malware campaign abu…
  • GoDaddy says — www.godaddy.com · 2026-06-02
    GoDaddy Security researchers have analyzed malware that uses an unconventional approach to command and control: encoding malicious payloads for WordPress within Steam Community profiles. This techniqu…

Timeline

  • 2025-07-01 — Malware campaign first detected (month-level date; sources give only July 2025): GoDaddy Security identified malware using Steam profiles for command-and-control on WordPress sites.
  • 2026-06-01 — BleepingComputer reports on malware: BleepingComputer published findings on the malware campaign affecting nearly 2,000 WordPress sites.
  • 2026-06-02 — GoDaddy issues detailed analysis: GoDaddy released a technical breakdown of the malware's operation and its evasion techniques.
  • 2026-06-02 — SecurityAffairs coverage published: SecurityAffairs reported on the malware campaign and the use of Steam as a C2 infrastructure.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • CWE-94 - Code Injection (Cwe)
  • hello-mywordl.info (Domain)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1071.001 - Web Protocols (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1132 - Data Encoding (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • Steam (Platform)
  • Steam Community (Platform)
  • WordPress (Platform)
  • Curl (Tool)