Ethical Hacking News
Malware has been discovered on approximately 1,980 WordPress sites, embedding C2 instructions within invisible Unicode characters used in Steam Community profile comments. The malware is designed to bypass detection through its use of legitimate-looking JavaScript files and encryption methods. To remove the malware, users must follow a multi-stage process involving backups, code removal, and theme updates.
Malware was found on approximately 1,980 WordPress sites, hiding C2 instructions in Steam profile comments. The malware used invisible Unicode characters to encode its payload within seemingly innocuous comments. It employed an unconventional approach to command and control, leveraging online gaming communities for anonymity, and the encoding scheme made the payload nearly undetectable to the human eye. The malware injected a script into every WordPress frontend page via the wp_enqueue_scripts hook. Its server-side component installed a backdoor that listened on every WordPress page load and checked for specific authentication cookies. Removing this malware requires a multi-stage process involving identifying the initial infection vector and searching for specific indicators. Because the backdoor can rewrite code remotely, partial cleanup is not sufficient; comprehensive remediation is required.
Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profile comments using invisible Unicode.
In a shocking discovery, GoDaddy researchers have identified malware embedded on approximately 1,980 WordPress sites that uses Valve's popular gaming platform, Steam, as a covert Command and Control (C2) infrastructure. The malware conceals its payload within seemingly innocuous comments left on Steam Community profile pages, using invisible Unicode characters to encode the malicious instructions.
The malware in question employs an unconventional approach to command and control, leveraging the anonymity of online gaming communities to spread its reach without arousing suspicion from users. The experts found that the malware strips all visible characters from the comment, maps each invisible character to a number between 0 and 5, converts those numbers to binary, and then reconstructs bytes from the binary stream before applying a bitwise NOT operation to each byte.
This encoding scheme allows binary data to be embedded within normal-looking text, rendering it nearly undetectable to the human eye. The visible characters serve as camouflage while the invisible characters carry the actual payload, making this an ingenious and complex tactic employed by the attackers. Furthermore, some variants of the malware are further protected with AES-256-CTR encryption, PBKDF2 key derivation with 10,000 iterations, and HMAC-SHA256 authentication.
The decoded output from these encoded instructions builds a URL pointing to hello-mywordl[.]info, which serves a JavaScript file called lodash.core.min.js. This name is deliberately chosen to mimic a legitimate, widely used JavaScript library. The malware injects this script into every WordPress frontend page via the wp_enqueue_scripts hook using the handle "asahi-jquery-min-bundle," another name carefully crafted to appear like standard infrastructure.
This tactic makes it nearly impossible for someone scanning a site for suspicious scripts to find the actual payload hidden within convincingly named files. The server-side component of this malware is even more perilous than the JavaScript injection, as it installs a backdoor that listens on every WordPress page load and checks for two specific authentication cookies in incoming POST requests.
The first cookie triggers a ping response that tells the attacker the backdoor is still active and returns a version identifier. The second cookie is the destructive one: it accepts base64-encoded PHP code via a POST parameter. This means an attacker can push replacement PHP code through the obfuscated backdoor function at any time, overwriting the existing code on the site with new code.
The removal of this malware requires a multi-stage process that involves identifying the initial infection vector — likely stolen WordPress admin credentials, compromised FTP or SFTP access, a vulnerable plugin or theme, or a supply chain compromise. Detection starts with specific indicators, such as outbound connections from a WordPress server to Steam Community URLs and references to hello-mywordl[.]info in loaded scripts.
The experts recommend looking for invisible Unicode character arrays containing U+200C, U+200D, or U+2061 through U+2064, or cryptographic functions like hash_pbkdf2 and openssl_decrypt with AES-256-CTR mode appearing in plugin or theme files. On the network side, POST requests containing cookie names DEpjndDbNc or tEcaKKXEsb or a POST parameter named new_code indicate active backdoor use.
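As an added example (not code from GoDaddy or this article), the following Python triage helper applies the indicators above to file contents and request metadata. The sample Steam-style comment, PHP snippet and request are constructed, and the pattern for how the code points appear as escape sequences in PHP source is an assumption.

```python
import re

# Invisible code points the GoDaddy write-up names as the payload carrier.
INVISIBLE_RE = re.compile("[\u200c\u200d\u2061-\u2064]")
# Assumption: in plugin/theme source the same code points appear as escapes
# such as "\u{200C}" or "\u200c"; a run of several is the "array" indicator.
ESCAPED_RE = re.compile(r"(?:\\u\{?(?:200[cd]|206[1-4])\}?\W*){4,}", re.I)
# Crypto calls the write-up associates with the encrypted variant.
CRYPTO_RE = re.compile(r"hash_pbkdf2|openssl_decrypt|aes-256-ctr", re.I)
# Backdoor indicators from the write-up.
BACKDOOR_COOKIES = {"DEpjndDbNc", "tEcaKKXEsb"}
BACKDOOR_PARAM = "new_code"


def hidden_carrier(text):
    """Strip every visible character; what remains is the candidate carrier."""
    return "".join(INVISIBLE_RE.findall(text))


def scan_source(src, min_run=8):
    """Return the names of indicators found in a file's contents."""
    found = set()
    if re.search("[\u200c\u200d\u2061-\u2064]{%d,}" % min_run, src):
        found.add("invisible_run")
    if ESCAPED_RE.search(src):
        found.add("escaped_invisible_array")
    if CRYPTO_RE.search(src):
        found.add("crypto_decrypt_calls")
    return sorted(found)


def is_backdoor_request(method, cookies, post):
    """True when a POST carries a backdoor cookie or the new_code parameter."""
    if method.upper() != "POST":
        return False
    return bool(BACKDOOR_COOKIES & set(cookies)) or BACKDOOR_PARAM in post


# Constructed samples, not taken from any real infection.
SAMPLE_COMMENT = "gg well played" + "\u200c\u2061\u200d\u2063" * 3 + "!!"
SAMPLE_PHP = (
    '$c = ["\\u{200C}", "\\u{200D}", "\\u{2061}", "\\u{2062}", "\\u{2063}"];\n'
    '$k = hash_pbkdf2("sha256", $p, $s, 10000, 32, true);\n'
)
SAMPLE_REQ = ("POST", {"DEpjndDbNc": "1"}, {})

if __name__ == "__main__":
    print("carrier length:", len(hidden_carrier(SAMPLE_COMMENT)))
    print("comment:", scan_source(SAMPLE_COMMENT))
    print("php file:", scan_source(SAMPLE_PHP))
    print("backdoor request:", is_backdoor_request(*SAMPLE_REQ))
```

The crypto-call indicator is a triage signal rather than proof, since legitimate plugins can also call hash_pbkdf2 or openssl_decrypt; the cookie names and the new_code parameter are far more specific.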
If an infection is detected, restoration from a clean backup before the infection date should be prioritized whenever possible. However, if backups are unavailable or unreliable, manual remediation requires searching for and removing malicious code from all plugin and theme files, clearing suspicious WordPress transients from the database, verifying that no malicious scripts remain enqueued, and updating WordPress core along with all plugins and themes to current versions.
The key takeaway here is that partial cleanup may not be sufficient due to the remote code rewriting capability of this malware. Attackers can reinstall removed code through the backdoor if any component remains active, highlighting the critical need for comprehensive security measures against such sophisticated threats.
In conclusion, this discovery showcases the ever-evolving sophistication of malware and its use of seemingly innocuous platforms like Steam as covert infrastructure. It serves as a reminder to stay vigilant in our online activities, particularly when using public forums or platforms where malicious actors can easily hide their tracks.
Related Information:
https://www.ethicalhackingnews.com/articles/Steam-Sniffed-Malware-How-1980-WordPress-Sites-Were-Compromised-ehn.shtml
https://securityaffairs.com/192990/breaking-news/godaddy-found-malware-on-1980-wordpress-sites-using-steam-as-c2-infrastructure.html
https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles
Published: Tue Jun 2 01:59:32 2026 by llama3.2 3B Q4_K_M