
Nearly 2,000 WordPress websites have been infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.
The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve's platform, the attacker avoids maintaining separate C2 infrastructure and evades conventional detection methods.
Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found the malware on roughly 1,980 WordPress websites.
It is unclear how the hackers breach the websites, but researchers assess that the initial infection vector ranges from stolen admin logins or compromised FTP/SFTP credentials to the exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.
The first-stage malware planted on a site uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments.
However, the text contains hidden Unicode characters that conceal malicious payloads, sometimes disguised as ASCII art.

Supply: GoDaddy
GoDaddy researchers note in a report that the threat actor uses six invisible Unicode characters for the encoded payload:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Function application (U+2061)
- Invisible times (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
The decoder ignores every visible character and maps each invisible one to a corresponding number; it then converts those numbers to a binary representation and reconstructs bytes from the resulting bit stream.
“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy says.
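To make the encoding concrete, the following is an added example, not GoDaddy's code and not the attacker's decoder. The report names the six code points but does not publish the value table, so the scheme here is an assumption: four of the code points carry two bits each (one byte per four symbols), U+2063 terminates the payload, and U+2064 is filler that the decoder skips exactly as it skips every visible character. The cover text and hidden URL are constructed for the demonstration.

```python
"""
Added example: hide a byte payload in the six invisible Unicode code points
GoDaddy lists, recover it while ignoring visible text, and count the code
points as a detection aid. The char->value table, the 2-bit packing, and the
roles of U+2063/U+2064 are assumptions for illustration only.
"""

DATA_SYMBOLS = {
    "\u200c": 0,  # ZERO WIDTH NON-JOINER
    "\u200d": 1,  # ZERO WIDTH JOINER
    "\u2061": 2,  # FUNCTION APPLICATION
    "\u2062": 3,  # INVISIBLE TIMES
}
VALUE_TO_SYMBOL = {v: k for k, v in DATA_SYMBOLS.items()}
TERMINATOR = "\u2063"  # INVISIBLE SEPARATOR (assumed role: end of payload)
FILLER = "\u2064"      # INVISIBLE PLUS (assumed role: ignored padding)
ALL_INVISIBLE = set(DATA_SYMBOLS) | {TERMINATOR, FILLER}


def encode(payload: bytes, cover: str) -> str:
    """Interleave one invisible symbol after each visible cover character
    (most-significant 2-bit group first); leftover symbols go at the end,
    followed by the terminator. Filler keeps the density constant once the
    payload is exhausted."""
    symbols = []
    for byte in payload:
        for shift in (6, 4, 2, 0):
            symbols.append(VALUE_TO_SYMBOL[(byte >> shift) & 0b11])
    out = []
    for ch in cover:
        out.append(ch)
        out.append(symbols.pop(0) if symbols else FILLER)
    out.extend(symbols)
    out.append(TERMINATOR)
    return "".join(out)


def decode(text: str) -> bytes:
    """Skip everything that is not a data symbol (visible text and filler),
    accumulate 2-bit values into bytes, stop at the terminator."""
    out = bytearray()
    acc = nbits = 0
    for ch in text:
        if ch == TERMINATOR:
            break
        value = DATA_SYMBOLS.get(ch)
        if value is None:
            continue  # camouflage only
        acc = (acc << 2) | value
        nbits += 2
        if nbits == 8:
            out.append(acc)
            acc = nbits = 0
    return bytes(out)


def count_invisibles(text: str) -> dict:
    """Detection helper: occurrences of each of the six code points."""
    counts = {f"U+{ord(c):04X}": 0 for c in sorted(ALL_INVISIBLE)}
    for ch in text:
        if ch in ALL_INVISIBLE:
            counts[f"U+{ord(ch):04X}"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a harmless-looking chat line as cover, a URL as payload.
    cover = "gg ez, nice game everyone :)"
    hidden = encode(b"https://example.invalid/lodash.core.min.js", cover)
    print(f"{len(cover)} visible chars, {len(hidden)} actual chars")
    print(decode(hidden))
    print(count_invisibles(hidden))
```

The point to take from the decoder is that a comment rendered in a browser looks identical before and after the payload is added; only a code-point count, not a visual inspection, reveals it.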
According to the researchers, the decoded payload is used to build a hello-mywordl[.]info URL serving JavaScript code that is injected into every frontend WordPress page.
Based on the file names (e.g., asahi-jquery-min-bundle and lodash.core.min.js), the retrieved malware is disguised as a legitimate JavaScript library.
The final stage of the attack is the installation of a backdoor that responds to specially crafted POST requests carrying a specific authentication cookie. “If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via a POST parameter,” the researchers explain.

Supply: GoDaddy
GoDaddy describes several evasion mechanisms employed by the malware, including strings obfuscated with octal and hex escapes, randomized function names, fake disabled logging code, and the use of standard WordPress APIs, allowing it to blend in with normal activity.
Website owners can defend by checking for references to Steam Community URLs, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains such as hello-mywordl[.]info.
Other indicators include invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware's authentication cookie or the new_code parameter.
The researchers recommend that security teams prioritize restoring from a known-good backup taken before the infection date. If this is not possible, the manual cleanup must be thorough because “attackers can reinstall removed code through the backdoor if any component remains active.”
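The indicators above translate directly into a scan. The following is an added example, not GoDaddy's tooling: it walks a WordPress install for the file-level artefacts listed (Steam Community URLs, the hello-mywordl[.]info domain, the six invisible code points, _transient_caption_ entries, and disabled cURL SSL verification) and checks individual HTTP requests for the tEcaKKXEsb cookie and the new_code POST parameter. The sample site and requests are constructed inline; the request shape (a log that preserves the Cookie header and body, such as a WAF audit log) is an assumption, as is the extra check for WordPress's own `'sslverify' => false` option, which the report does not mention but which disables the same verification.

```python
"""
Added example, not GoDaddy's tooling: indicator scanner for the artefacts the
report lists. scan_tree() flags matching lines under a WordPress root;
scan_request() flags the backdoor cookie / new_code parameter in one request.
The fixture built by build_sample_site() is constructed and contains no malware.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs

INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"

FILE_INDICATORS = {
    "steam_community_url": re.compile(r"steamcommunity\.com", re.I),
    "c2_domain": re.compile(r"hello-mywordl\.info", re.I),
    "invisible_unicode": re.compile(f"[{INVISIBLE}]"),
    "transient_caption": re.compile(r"_transient_caption_"),
    # curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false) or 0
    "curl_ssl_verify_off": re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*(?:false|0)\b", re.I),
    # assumption: WordPress HTTP API equivalent, not listed in the report
    "wp_sslverify_off": re.compile(r"['\"]sslverify['\"]\s*=>\s*false", re.I),
}
BACKDOOR_COOKIE = "tEcaKKXEsb"
SCAN_SUFFIXES = (".php", ".js", ".html", ".sql", ".txt")


def scan_tree(root):
    """Return sorted (relative_path, line_number, indicator) for every match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for ind, rx in FILE_INDICATORS.items():
                        if rx.search(line):
                            hits.append((os.path.relpath(path, root), lineno, ind))
    return sorted(hits)


def scan_request(method, headers, body):
    """Indicators in one request: the backdoor cookie on any method, the
    new_code parameter in a POST body."""
    found = []
    if re.search(rf"(?:^|;\s*){BACKDOOR_COOKIE}=", headers.get("Cookie", "")):
        found.append("backdoor_cookie")
    if method.upper() == "POST" and "new_code" in parse_qs(body):
        found.append("new_code_param")
    return found


def build_sample_site():
    """Constructed fixture: one suspicious theme file, one clean plugin, one
    wp_options dump. Contents are illustrative only."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/functions.php": (
            "<?php\n"
            "function demo_fetch() {\n"
            "  $ch = curl_init('https://steamcommunity.com/id/example_profile');\n"
            "  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n"
            "  return curl_exec($ch);\n"
            "}\n"
            "$c = \"ggwp\u200c\u200d\u2062\u2063 nice\";\n"
            "$src = 'https://hello-mywordl.info/lodash.core.min.js';\n"
        ),
        "wp-content/plugins/clean/clean.php": "<?php\nadd_action('init', 'clean_init');\n",
        "wp_options.sql": "INSERT INTO wp_options VALUES (77,'_transient_caption_demo','x','no');\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, lineno, ind in scan_tree(build_sample_site()):
        print(f"{rel}:{lineno}: {ind}")
    print(scan_request("POST", {"Cookie": "tEcaKKXEsb=1"}, "new_code=ZWNobyAxOw=="))
```

Run it against a real install by calling scan_tree() on the WordPress root and a wp_options export; the invisible-Unicode and SSL-verification patterns will also surface legitimate code occasionally, so treat hits as review points, not verdicts, and remember that a clean scan does not replace restoring from a backup taken before the infection.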