WordPress malware campaign hides payloads in Steam profiles
A malware campaign infected nearly 2,000 WordPress websites by hiding command-and-control data within Steam Community profile comments using invisible Unicode characters. The malware decodes these hidden characters to build URLs that serve malicious JavaScript disguised as legitimate libraries, injecting backdoors into WordPress sites. The backdoor accepts base64-encoded PHP code via specially crafted POST requests with a specific authentication cookie, allowing persistent control. Infection vectors are unclear but may include stolen credentials, vulnerable plugins/themes, or supply-chain compromises. Detection is challenging due to evasion techniques like obfuscation, randomized function names, and use of standard WordPress APIs. Site owners should look for suspicious Steam URL references, external JavaScript injections, and unusual outbound connections. Restoration from known good backups is recommended for remediation.
AI Analysis
Technical Summary
This malware campaign targets WordPress websites by embedding command-and-control data within Steam Community profile comments using six specific invisible Unicode characters. The malware extracts and decodes these hidden characters to reconstruct a payload URL that delivers malicious JavaScript code disguised as legitimate libraries. This code injects a backdoor into infected WordPress sites, which listens for POST requests containing a specific authentication cookie and base64-encoded PHP code, enabling remote code execution. The infection vector is not definitively known but may involve stolen credentials, vulnerable WordPress components, or supply-chain attacks. The malware employs multiple evasion techniques, including obfuscated strings, randomized function names, and use of WordPress APIs to blend with normal site activity. Detection indicators include references to Steam URLs, suspicious JavaScript injections, outbound connections to Steam, and specific authentication cookies in POST requests. Remediation requires thorough cleaning or restoration from backups to prevent reinfection via the backdoor.
Potential Impact
The malware enables attackers to maintain persistent backdoor access to infected WordPress websites, allowing remote execution of arbitrary PHP code. This compromises the integrity and security of the affected sites, potentially leading to further malicious activities such as data theft, site defacement, or use in broader attack campaigns. The use of Steam profiles for command-and-control data obfuscates attacker infrastructure, complicating detection and mitigation efforts. Approximately 1,980 WordPress sites were affected as of the report date.
Mitigation Recommendations
No official patch is available as this is a malware campaign rather than a software vulnerability. Site owners should prioritize restoring affected WordPress sites from known good backups created before the infection date. If restoration is not possible, a thorough manual cleaning is required to remove all malware components and backdoors, as attackers can reinstall malware if any part remains active. Monitoring for suspicious references to Steam Community URLs, unexpected external JavaScript injections, outbound connections to Steam, and POST requests containing the specific authentication cookie or new_code parameter can aid detection. Removing compromised credentials and updating all WordPress themes, plugins, and core software to the latest versions is recommended to reduce infection risk.
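As an added example (not code from the article or from any vendor tool), a small Python triage helper that checks for the indicators listed above: Steam Community URLs and hidden Unicode characters in site files, third-party script tags, and POST requests carrying a new_code parameter or the authentication cookie. The cookie name and the six specific invisible characters are not given in this summary, so the cookie name is a placeholder parameter and any Unicode format character (category Cf) is flagged.

```python
import re
import unicodedata

# Added example; assumptions: the campaign's cookie name and its six Unicode
# characters are not named in the summary, so any category-Cf character is
# flagged and the cookie name is a placeholder argument.
STEAM_URL = re.compile(r"https?://steamcommunity\.com/[^\s'\"]*", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)

def find_invisible_chars(text):
    """Return (offset, U+XXXX) for every Unicode format character in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def scan_file_text(text, own_hosts=("example.com",)):
    """Flag Steam Community URLs, hidden characters and third-party script tags."""
    findings = [("steam_url", m.group(0)) for m in STEAM_URL.finditer(text)]
    findings += [("invisible_char", f"{name}@{off}")
                 for off, name in find_invisible_chars(text)]
    for m in SCRIPT_SRC.finditer(text):
        host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].lower()
        # Scripts loaded from hosts other than the site's own are worth review.
        if not any(host == h or host.endswith("." + h) for h in own_hosts):
            findings.append(("external_script", m.group(1)))
    return findings

def suspicious_post(method, params, cookies, auth_cookie_name="PLACEHOLDER_COOKIE"):
    """Return reasons a request matches the backdoor's described request shape."""
    reasons = []
    if method.upper() != "POST":
        return reasons
    if "new_code" in params:
        reasons.append("new_code parameter present")
        value = params["new_code"]
        # The backdoor is described as accepting base64-encoded PHP.
        if re.fullmatch(r"[A-Za-z0-9+/=]+", value) and len(value) % 4 == 0:
            reasons.append("new_code value looks base64-encoded")
    if auth_cookie_name in cookies:
        reasons.append(f"authentication cookie {auth_cookie_name} present")
    return reasons

# Constructed sample (not from a real infection): a zero-width space, a Steam
# profile URL and a third-party script tag inside one theme file.
SAMPLE_PHP = ("<?php echo '\u200b'; $u='https://steamcommunity.com/id/example'; ?>\n"
              "<script src=\"https://cdn.example.net/jquery.min.js\"></script>")

if __name__ == "__main__":
    for kind, detail in scan_file_text(SAMPLE_PHP):
        print(kind, detail)
    print(suspicious_post("POST", {"new_code": "aGVsbG8="}, {}))
```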
Technical Details
Article source: https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/ (fetched 2026-06-01, 825 words)
Threat ID: 6a1dbeefe29bf47b501ec589
Added to database: 6/1/2026, 5:18:39 PM
Last enriched: 6/1/2026, 5:18:48 PM
Last updated: 6/1/2026, 6:26:33 PM