CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

WordPress Malware Abuses Steam Community Profiles for C2 Operations

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community. Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel. The malware works in two […] The post WordPress Malware Abuses Steam Community Profiles for C2 Operations appeared first on Cyber Securit

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News WordPress Malware Abuses Steam Community Profiles for C2 Operations By Tushar Subhra Dutta June 2, 2026 A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community. Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel. The malware works in two stages. First, it injects malicious JavaScript into the front end of a compromised WordPress website, serving harmful content to every visitor who lands on the page. Second, it plants a server-side backdoor that gives attackers persistent remote access, allowing them to modify WordPress plugin and theme files without any visible trace of the intrusion. GoDaddy security researchers identified this campaign, noting it was first detected in July 2024 and has since been found across approximately 1,900 WordPress sites.  GoDaddy said in a report shared with Cyber Security News (CSN) that threat actors are deliberately disguising their infrastructure behind Valve’s trusted gaming platform rather than maintaining obviously malicious servers that could be flagged and taken down quickly. What makes this campaign particularly difficult to detect is how the malware conceals its payloads. It uses invisible Unicode characters, a technique known as steganography, to encode malicious data within Steam profile comment text. Since those hidden characters look like completely normal text on the surface, traditional text-based scanning tools are far less likely to catch them during routine checks. Example of Steam commentthread_comment_text content (Source – GoDaddy) The reach of this campaign is significant. Compromised websites unknowingly serve injected scripts to every visitor, exposing real users to potential harm. For site owners, the damage runs deeper, as the backdoor gives attackers the ability to rewrite site code even after partial cleanup attempts. WordPress Malware Abuses Steam Community Profiles The core of this attack relies on a PHP function embedded within the compromised WordPress installation. When any page on the infected site loads, the malware sends an HTTP request to a Steam Community profile page using cURL, scrapes comment text from that profile, and decodes hidden payloads embedded inside it. The malware has been observed fetching profiles such as steamcommunity.com/profiles/76561199096946028 and caches extracted content using WordPress transients with a five-minute expiration window. PublicWWW results showing websites loading hello-mywordl[.]info (Source – GoDaddy) The decoded data becomes a JavaScript URL injected into every front-end page via the wp_enqueue_script hook, under the deceptive handle name “asahi-jquery-min-bundle” designed to mimic a legitimate library. The decoded external URL observed during analysis pointed to hello-myworld[.]info, which serves the final malicious JavaScript payload to site visitors. Stealthy Backdoor Enables Remote Code Execution The server-side component is just as dangerous as the front-end injection. A backdoor function registered through WordPress’s template_redirect hook listens for POST requests containing specific authentication cookies. When those cookies are present, the backdoor either confirms it is active by returning a version string, or accepts base64-encoded PHP code and rewrites plugin and theme files across the entire WordPress installation. This remote code execution capability means that even if a site owner removes part of the infection, attackers can reinstall deleted code through the still-active backdoor. The malware protects this channel using AES-256-CTR encryption with PBKDF2 key derivation based on SHA-512 and 10,000 iterations, along with HMAC-SHA256 authentication to verify each incoming payload. To evade detection, the malware layers multiple obfuscation techniques. All string constants are encoded using octal or hexadecimal escape sequences, function and variable names follow a randomized mixed-case hexadecimal style, and a disabled logging function is scattered through the code to mimic legitimate debugging infrastructure without ever executing. Site administrators who suspect an infection should enable maintenance mode right away and back up the compromised installation before making any changes. All WordPress credentials including admin passwords, database access, FTP credentials, and SSH keys must be rotated. Cleanup must cover every plugin and theme file, since partial removal is not enough given the backdoor’s ability to remotely restore deleted code. Suspicious transient cache entries with the prefix transient_caption and enqueued external scripts pointing to unknown domains should be removed. Indicators of Compromise (IoCs):- Type Indicator Description URL https://steamcommunity.com/profiles/76561199096946028/ Steam profile used to host encoded C2 payloads URL https://steamcommunity.com/id/ravypadliha Steam profile observed during malware fetching URL https://steamcommunity.com/id/enomisvool123/ Steam profile observed during malware fetching URL https://steamcommunity.com/id/eremohnf342 Steam profile observed during malware fetching Domain hello-myworld[.]info External domain serving the decoded malicious JavaScript payload Cookie Name DEpjndDbNc Authentication cookie used to trigger backdoor ping/keepalive response Cookie Name tEcaKKXEsb Authentication cookie used to trigger remote code execution via backdoor File Path /wp-content/themes/gt3-child/functions.php File path where malware was initially discovered Handle Name asahi-jquery-min-bundle Deceptive script handle name used to inject malicious JavaScript Transient Prefix transient_caption WordPress transient cache prefix used to store C2 data Function Name Ce8d26cADf211699 PHP function responsible for fetching Steam profile content Function Name EdF20922Ff709e68 PHP function performing cryptographic decoding of payloads Function Name G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 PHP function injecting decoded script into WordPress front end Function Name mpzZYIbGOb PHP backdoor handler function registered via template_redirect Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware Mustang Panda Deploys PlugX RAT Through Multi-Stage LNK and PowerShell Attack Chain Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware Latest News Cyber Security Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic Cyber Security Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages Cyber Security News Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones Press Release Halo Security Honored with 2026 MSP Today Product of the Year Award Cyber Security News CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗