GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure
GoDaddy researchers discovered malware on approximately 1,980 WordPress sites that use the Steam gaming platform's community profile comments as a covert command-and-control (C2) channel. The malware encodes instructions using invisible Unicode characters embedded in seemingly innocuous ASCII art comments on Steam profiles. These instructions direct infected WordPress sites to load malicious JavaScript mimicking legitimate libraries and install a persistent backdoor. The backdoor listens for specific authentication cookies and can receive and execute base64-encoded PHP code to modify plugin and theme files, enabling attackers to maintain persistence even after partial cleanup. Initial infection vectors are unconfirmed but likely include stolen credentials or vulnerable plugins. Detection involves monitoring outbound connections to Steam URLs, suspicious script references, and specific cookie names in POST requests. Remediation requires full removal of all malicious components or restoration from a clean backup predating the infection.
AI Analysis
Technical Summary
GoDaddy security researchers identified a malware campaign infecting about 1,980 WordPress sites that use Valve's Steam Community profile comments as a novel command-and-control infrastructure. The malware hides binary payloads within invisible Unicode characters embedded in Steam comments, which appear as ASCII art. These payloads instruct infected sites to load a malicious JavaScript file disguised as a legitimate library and install a backdoor that listens for authentication cookies in POST requests. The backdoor allows attackers to send base64-encoded PHP code to modify plugin and theme files, enabling persistent remote code execution and self-updating capabilities. The malware employs multiple layers of obfuscation, including octal/hex escape sequences and standard WordPress API calls, complicating detection. Infection vectors are not confirmed but likely include compromised credentials or vulnerable components. Indicators include outbound connections to Steam URLs, references to a suspicious domain (hello-mywordl[.]info), presence of invisible Unicode characters in PHP files, and specific cookie names in network traffic. Cleanup requires complete removal of all malicious code or restoration from a clean backup, as partial removal can be undone by the backdoor.
Potential Impact
The malware enables attackers to maintain persistent remote code execution on infected WordPress sites by installing a backdoor capable of rewriting PHP code in plugins and themes. This persistence mechanism allows attackers to reinstate malicious components even after partial cleanup attempts. The use of Steam Community comments as a covert C2 channel complicates detection and attribution. The malicious JavaScript injection affects every frontend page, potentially impacting site visitors and site integrity. The infection compromises site security, potentially leading to data breaches, site defacement, or further malware distribution. The campaign affected nearly 2,000 WordPress sites, indicating a widespread impact.
Mitigation Recommendations
No official patch or vendor advisory is provided. Remediation requires restoring infected sites from known-clean backups predating the infection whenever possible. If backups are unavailable or unreliable, manual cleanup must be thorough: remove all malicious code from plugin and theme files, clear suspicious WordPress transients from the database, verify no malicious scripts remain enqueued, and update WordPress core, plugins, and themes to their latest versions. Detection should focus on identifying outbound connections to Steam Community URLs, references to the malicious domain hello-mywordl[.]info, presence of invisible Unicode characters in PHP files, and POST requests containing specific cookie names (DEpjndDbNc or tEcaKKXEsb) or parameters (new_code). Partial cleanup is insufficient due to the backdoor's ability to reinstall removed components.
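A defender's triage script for the indicators listed above, added here as an example and not code from the GoDaddy research or this page: it flags PHP source containing invisible Unicode code points, the hello-mywordl[.]info domain or Steam Community URLs, and picks out POST requests bearing the named cookies or a new_code parameter from web-server log lines. The set of invisible code points, the log layout (combined format with the Cookie header appended as a final quoted field) and the sample inputs are assumptions and constructed data.

```python
import re

# Indicators taken from this page. The domain is defanged in the text; the
# scanner matches the live spelling, which is what would appear in a file.
MALICIOUS_DOMAIN = "hello-mywordl.info"
STEAM_RE = re.compile(r"steamcommunity\.com", re.I)
COOKIE_NAMES = ("DEpjndDbNc", "tEcaKKXEsb")
PARAM_NAME = "new_code"

# Assumption: the page does not say which invisible code points the malware
# uses, so this set is a broad defensive choice (zero-width/joiner characters,
# BOM, and the Unicode TAG block U+E0000-U+E007F).
INVISIBLE_RE = re.compile(
    "[\u200b-\u200d\u2060-\u2064\ufeff\U000e0000-\U000e007f]")

def scan_php_source(text: str) -> list[str]:
    """Return the indicator names present in one PHP file's contents."""
    hits = []
    if INVISIBLE_RE.search(text):
        hits.append("invisible_unicode")
    if MALICIOUS_DOMAIN in text:
        hits.append("malicious_domain")
    if STEAM_RE.search(text):
        hits.append("steam_c2_url")
    return hits

# Assumed log layout: combined format plus the request Cookie header as a
# final quoted field. POST bodies are not logged, so new_code is only
# visible here when it was sent in the query string.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
                    r'.*"(?P<cookie>[^"]*)"\s*$')

def suspicious_posts(lines) -> list[str]:
    """Keep POST lines carrying a backdoor cookie or a new_code parameter."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        has_cookie = any(n + "=" in m.group("cookie") for n in COOKIE_NAMES)
        if has_cookie or PARAM_NAME + "=" in m.group("path"):
            flagged.append(line)
    return flagged

# Constructed sample inputs (not real traffic or real malware) for a self-check.
SAMPLE_PHP = "<?php // constructed: a zero-width joiner is hidden in 'a\u200db'\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "wp_lang=en"',
    '203.0.113.9 - - [01/Jun/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "Mozilla/5.0" "DEpjndDbNc=1"',
]
```

Run scan_php_source over every .php file under wp-content (for example with pathlib's rglob) and suspicious_posts over the access log; any hit warrants a full cleanup or restore, since the page notes partial removal is undone by the backdoor.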
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:malware","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["malware"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a1e83c0e29bf47b50a0209b
Added to database: 6/2/2026, 7:18:24 AM
Last enriched: 6/2/2026, 7:18:33 AM
Last updated: 6/2/2026, 8:20:24 AM
Views: 7