GoDaddy has documented a WordPress malware campaign that hides command-and-control data inside Steam Community profile comments, abusing Valve's platform to avoid running separate C2 infrastructure and evade detection. Around 1,980 WordPress sites have been infected since July 2025. The first-stage malware loads a Steam profile on each page view and extracts text from benign-looking comments that conceal a payload encoded with six invisible Unicode characters such as zero-width joiners. The decoder maps the invisible characters to bytes, reconstructs a URL to hello-mywordl[.]info, and injects JavaScript disguised as a legitimate library into every frontend page. The final stage is a backdoor that responds to POST requests carrying a specific authentication cookie.
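
A defender-side check for the hiding technique described above, as an added example that is not GoDaddy's code or taken from the original report: it flags long runs of invisible Unicode format characters in comment text or page source. The function names, the run threshold and both sample strings are assumptions constructed for illustration; because the page names only zero-width joiners, the check matches the whole Unicode `Cf` (format) category rather than a specific six-character set.

```python
import unicodedata

# Assumption: the exact six code points are not listed on the page, so any
# Unicode "Cf" (format) character is treated as invisible. That category
# includes zero-width joiners, non-joiners, zero-width spaces and the BOM.
def is_invisible(ch: str) -> bool:
    return unicodedata.category(ch) == "Cf"

def invisible_runs(text: str, min_run: int = 8):
    """Return (start_index, run_length, distinct_code_points) for every run
    of consecutive invisible characters at least min_run long.

    min_run is a hypothetical threshold: legitimate text (emoji sequences,
    some scripts) uses these characters one at a time, while an encoded
    payload needs many in a row."""
    runs, start = [], None
    for i, ch in enumerate(text + "x"):  # visible sentinel closes a trailing run
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                alphabet = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append((start, i - start, alphabet))
            start = None
    return runs

# Constructed sample: a family emoji joined by single ZWJs (legitimate use).
BENIGN = "gg \U0001F468\u200d\U0001F469\u200d\U0001F467 see you"

# Constructed sample: visible text followed by a 24-character invisible run.
# The run is an arbitrary repeating pattern, not a payload from the campaign.
SUSPECT = "Nice profile!" + "\u200d\u200c\u200b" * 8 + " +rep"

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = invisible_runs(text)
        print(label, "->", hits if hits else "no long invisible runs")
```

A small distinct-code-point set repeated over a long run is the signal worth alerting on, since it is consistent with a fixed encoding alphabet rather than text shaping.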