Malware Campaign Targets WordPress via Steam Profiles
Severity: High (Score: 69.0)
Sources: Bleepingcomputer, www.godaddy.com
Keywords: wordpress, malware, steam, godaddy, payloads, community, profile
Severity indicators: malware
Summary
A malware campaign has infected approximately 1,980 WordPress websites by hiding payloads within Steam Community profiles. The malware uses invisible Unicode characters to encode malicious payloads, allowing attackers to avoid traditional detection methods and maintain a covert command-and-control infrastructure. The campaign was first detected by GoDaddy Security in July 2025. The infection vector is believed to involve stolen admin credentials, compromised FTP/SFTP access, or exploitation of vulnerable themes/plugins. The malware constructs a URL to a malicious script that is injected into WordPress pages. It also implements a backdoor that responds to specific authentication cookies, enabling further exploitation. Security researchers recommend monitoring for suspicious activity related to Steam URLs and unexpected JavaScript injections.

Key Points:
- Approximately 1,980 WordPress sites infected with malware using Steam profiles for C2.
- Malware employs invisible Unicode characters to encode payloads, evading detection.
- Attackers may exploit stolen credentials or vulnerable plugins to gain initial access.
Detailed Analysis
**Impact**

Approximately 1,980 WordPress websites have been infected globally since July 2025. The affected sites span various sectors, with no specific geographic concentration reported. The malware enables persistent backdoor access, risking site integrity, unauthorized code execution, and potential data compromise. Business operations may be disrupted by injected malicious scripts and unauthorized modifications to themes and plugins.

**Technical Details**

The malware uses WordPress page loads to fetch encoded payloads hidden in Steam Community profile text via six invisible Unicode characters, employing steganography and optional encryption. It constructs URLs to malicious JavaScript hosted on domains like hello-mywordl[.]info, injecting scripts disguised as legitimate libraries (e.g., lodash.core.min.js) into frontend pages. The backdoor responds to POST requests carrying specific authentication cookies, allowing remote code execution via base64-encoded PHP. Infection vectors likely include stolen credentials, vulnerable themes/plugins, or supply-chain compromises. Indicators include suspicious Steam URLs, invisible Unicode characters in text, _transient_caption_ cache entries, disabled SSL verification in cURL, and the specific authentication cookies (DEpjndDbNc, tEcaKKXEsb).

**Recommended Response**

Prioritize restoring affected sites from known-good backups that predate the infection. Deploy detections for outbound connections to Steam Community profiles and for scripts loading from suspicious domains like hello-mywordl[.]info. Monitor for POST requests containing the identified authentication cookies and base64-encoded payloads. Harden WordPress environments by securing admin credentials, updating themes/plugins, and auditing for unauthorized file modifications. If restoration is not possible, conduct thorough manual cleaning to remove all malware components and backdoors.
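As an added detection example (not code from the report or from GoDaddy's analysis), the script below flags long runs of invisible Unicode code points in text and matches the indicators quoted above against log lines. The set of invisible code points, the sample profile text and the sample log lines are assumptions constructed for the example.

```python
import re

# Zero-width / invisible code points that can smuggle data through ordinary text.
# The report does not name the six characters used, so this set is an assumption.
INVISIBLE = frozenset("\u200b\u200c\u200d\u2060\u2061\u2062\u2063\u2064\ufeff\u00ad\u180e")

# Indicators quoted in the report: Steam profile fetches (the carrier), the script
# host, the _transient_caption_ cache key, the backdoor cookies, base64 POST bodies.
PATTERNS = {
    "steam_profile_fetch": re.compile(r"https?://steamcommunity\.com/(?:id|profiles)/", re.I),
    "c2_domain": re.compile(r"hello-mywordl\.info", re.I),
    "transient_caption": re.compile(r"_transient_caption_"),
    "auth_cookie": re.compile(r"\b(?:DEpjndDbNc|tEcaKKXEsb)="),
    "base64_post_body": re.compile(r"^POST .*[A-Za-z0-9+/]{40,}={0,2}"),
}

def invisible_runs(text, min_run=16):
    """Return (offset, length) for each run of at least min_run invisible code
    points. Short runs are normal (joiners, BOM); long runs are the kind of
    steganographic carrier the report describes."""
    runs, start = [], None
    for i, ch in enumerate(text):
        if ch in INVISIBLE:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(text) - start >= min_run:
        runs.append((start, len(text) - start))
    return runs

def scan_log_line(line):
    """Return the names of the report's indicators present in one log line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]

# Constructed samples (not from the report): a profile summary with 40 zero-width
# characters hidden after the visible text, and four web-server log lines.
SAMPLE_PROFILE = "Just here for the games." + "\u200b\u200c\u200d\u2060" * 10 + " GG!"
SAMPLE_LOGS = [
    "outbound GET https://steamcommunity.com/id/someprofile/ from wp-cron.php",
    "GET /wp-content/themes/x/js/lodash.core.min.js?from=hello-mywordl.info 200",
    "POST /index.php cookie=DEpjndDbNc=1 body=" + "QUJD" * 12 + "==",
    "GET /wp-login.php 200",
]

if __name__ == "__main__":
    print("hidden runs:", invisible_runs(SAMPLE_PROFILE))
    for line in SAMPLE_LOGS:
        print(scan_log_line(line) or "clean", "<-", line[:50])
```

Tune `min_run` to the baseline of your own content; a single zero-width joiner in a legitimate profile should not fire, while a run of dozens warrants inspection.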
Source articles (2)
- WordPress malware campaign hides payloads in Steam profiles — Bleepingcomputer · 2026-06-01
  Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profiles to hide command-and-control (C2) data. The threat actor used invisible Unicode characters to encode a…
- GoDaddy says — www.godaddy.com · 2026-06-01
  GoDaddy Security researchers have analyzed malware that uses an unconventional approach to command and control: encoding malicious payloads for WordPress within Steam Community profiles. This techniqu…
Timeline
- 2025-07-01 — Malware campaign first detected: GoDaddy Security identified the malware campaign targeting WordPress sites, using Steam profiles for command and control.
- 2026-06-01 — Current status of malware campaign: Nearly 2,000 WordPress websites are confirmed to be infected, with ongoing analysis of the malware's behavior.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- CWE-94 - Code Injection (Cwe)
- hello-mywordl.info (Domain)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1059.007 - JavaScript (Mitre Attack)
- T1071.001 - Web Protocols (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1132 - Data Encoding (Mitre Attack)
- Steam (Platform)
- Steam Community (Platform)
- WordPress (Platform)
- Curl (Tool)