Last updated: July 5, 2026 at 9:01 AM UTC

WordPress malware hides C2 in Steam profile comments using invisible Unicode - ~1,980 sites infected since July 2025

GoDaddy has documented a WordPress malware campaign that hides command-and-control data inside Steam Community profile comments, abusing Valve's platform to avoid running separate C2 infrastructure and evade detection. Around 1,980 WordPress sites have been infected since July 2025. The first-stage malware loads a Steam profile on each page view and extracts text from benign-looking comments that conceal a payload encoded with six invisible Unicode characters such as zero-width joiners. The decoder maps the invisible characters to bytes, reconstructs a URL to hello-mywordl[.]info, and injects JavaScript disguised as a legitimate library into every frontend page. The final stage is a backdoor that responds to POST requests carrying a specific authentication cookie.

Check
Audit WordPress sites for injected first-stage loaders calling Steam Community profiles and frontend JavaScript from hello-mywordl[.]info. Check admin accounts, FTP/SFTP credentials, and theme/plugin integrity.
Affected
WordPress sites compromised via stolen admin logins, weak FTP/SFTP credentials, or vulnerable themes/plugins. ~1,980 sites infected since July 2025 using Steam profile comments as a covert C2 channel.
Fix
Remove injected scripts and the POST-triggered backdoor. Rotate all WordPress admin and FTP/SFTP credentials. Patch themes/plugins. Block hello-mywordl[.]info and monitor web-server requests to Steam profile pages.
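
One way to run the audit described under Check, as an added example that is not code from GoDaddy's report or from this page: a Python scan of file or comment text for the page's indicators and for long runs of invisible characters. The Steam URL pattern, the run threshold, and treating every Unicode format (Cf) character as invisible are assumptions, because the page does not list the six characters; the sample inputs are constructed.

```python
import re
import unicodedata

# Indicator from the article (written defanged there as hello-mywordl[.]info).
C2_DOMAIN = "hello-mywordl.info"
# Assumption: a loader references a profile URL in one of Steam's two public forms.
STEAM_PROFILE_RE = re.compile(r"steamcommunity\.com/(?:id|profiles)/[\w-]+", re.I)
# Assumption: a lone zero-width joiner inside an emoji is normal, a long run is not.
MIN_RUN = 8

def invisible_runs(text, min_run=MIN_RUN):
    """Return (offset, length, code points) for each run of format (Cf) characters."""
    runs, start = [], None
    for i, ch in enumerate(text + "\0"):  # sentinel closes a run at end of text
        if unicodedata.category(ch) == "Cf":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                cps = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append((start, i - start, cps))
            start = None
    return runs

def audit(name, text):
    """Collect findings for one file body or one fetched comment."""
    findings = []
    if C2_DOMAIN in text.lower():
        findings.append((name, "c2-domain", C2_DOMAIN))
    for m in STEAM_PROFILE_RE.finditer(text):
        findings.append((name, "steam-profile-ref", m.group(0)))
    for off, length, cps in invisible_runs(text):
        findings.append((name, "invisible-run", f"offset={off} len={length} {','.join(cps)}"))
    return findings

# Constructed samples, not taken from the campaign.
SAMPLES = {
    "wp-content/themes/example/functions.php":
        "<?php $r = wp_remote_get('https://steamcommunity.com/id/example-profile');",
    "comment.txt": "nice profile!" + "\u200d\u200c\u200b\u2060" * 4 + " +rep",
    "emoji.txt": "family: \U0001F468\u200d\U0001F469\u200d\U0001F467",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for finding in audit(name, body):
            print(finding)
```

Reading files as UTF-8 text before calling `audit` matters: a byte-level grep for the domain will miss a payload that only exists as invisible code points until it is decoded.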