Security researchers at GoDaddy have uncovered a sophisticated malware campaign targeting WordPress websites that uses Steam Community profile pages as a covert command-and-control (C2) channel. The campaign has infected approximately 1,900 WordPress sites since it was first detected in July 2024, employing Unicode steganography to hide malicious commands inside Steam profile comment text — making it exceptionally difficult for conventional security tools to detect.
The C2 Mechanism: Steam as a Control Channel
Rather than maintaining dedicated C2 servers that can be identified and blocked, the attackers have embedded their control infrastructure inside Valve’s trusted gaming platform. The malware injects a PHP function into compromised WordPress installations that, on every page load, performs the following sequence:
- Sends an HTTP GET request via cURL to a Steam Community profile page
- Scrapes comment text from the profile
- Decodes malicious payloads hidden inside the comment text using invisible Unicode characters (zero-width and format characters)
- Caches extracted content using WordPress transients (prefix: transient_caption) with a five-minute expiration window
- Injects the decoded URL as a JavaScript file into every front-end page via wp_enqueue_script(), using the deceptive handle name asahi-jquery-min-bundle to mimic a legitimate library
The decoded external domain — hello-myworld[.]info — serves the final malicious JavaScript payload to every visitor of infected sites. PublicWWW scans confirm roughly 1,900 websites currently loading this domain.
Unicode Steganography: Hiding Commands in Plain Sight
The key innovation is the use of invisible Unicode characters to encode C2 data within Steam profile comments. These zero-width characters are completely invisible to the human eye and render as normal text on Steam’s platform. Traffic to steamcommunity.com appears entirely legitimate to network monitoring tools and firewalls, allowing C2 communication to pass through perimeter defenses undetected. The attacker can update commands simply by posting new comment text to a Steam profile — no attacker-controlled server infrastructure needs to change, making this channel highly resilient to takedown.
Observed Steam profiles used as C2 channels include steamcommunity.com/profiles/76561199096946028, steamcommunity.com/id/ravypadliha, and steamcommunity.com/id/enomisvool123/.
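To show the detection side of this technique, here is an added Python example (not code from GoDaddy's report or from the malware) that flags scraped comment text carrying invisible Unicode format characters. The article does not publish the campaign's exact encoding alphabet, so the scanner flags the whole class of zero-width characters rather than decoding anything; the sample comment is constructed.

```python
import unicodedata

# Code points that render as nothing and are the usual carriers for zero-width
# steganography. Assumption: the article does not give the campaign's exact
# alphabet, so the whole class is flagged instead of one specific encoding.
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (BOM)
}


def is_invisible(ch):
    # Unicode category Cf (format) covers the set above plus other invisible
    # characters such as bidi overrides.
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def scan_hidden_unicode(text):
    """Return (hidden_count, visible_text, sorted code points) for one comment."""
    hidden = [ch for ch in text if is_invisible(ch)]
    visible = "".join(ch for ch in text if not is_invisible(ch))
    points = sorted({"U+%04X" % ord(ch) for ch in hidden})
    return len(hidden), visible, points


def is_suspicious(text, max_hidden=1):
    # A stray BOM can appear in pasted text; more than that in a short comment
    # is a strong signal that the text carries an out-of-band payload.
    return scan_hidden_unicode(text)[0] > max_hidden


# Constructed sample: a bland-looking comment with 12 zero-width characters
# spliced between two visible words, as the article describes.
SAMPLE = "gg ez" + "\u200b\u200c\u200d\u200b" * 3 + " nice profile"

if __name__ == "__main__":
    count, visible, points = scan_hidden_unicode(SAMPLE)
    print(count, repr(visible), points, is_suspicious(SAMPLE))
```

The same check can be run over any text a WordPress site fetches from a third-party platform before it is cached or acted upon.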
The Backdoor: Persistent Remote Code Execution
Beyond the front-end injection, the malware installs a sophisticated server-side backdoor providing persistent remote code execution. The backdoor registers a handler via WordPress’s template_redirect hook that listens for POST requests containing specific authentication cookies. Authentication cookie DEpjndDbNc triggers a keepalive ping response; cookie tEcaKKXEsb activates full RCE mode. In RCE mode, the backdoor accepts base64-encoded PHP code and rewrites plugin and theme files across the entire WordPress installation.
The communication channel is protected with AES-256-CTR encryption using PBKDF2 key derivation (SHA-512, 10,000 iterations) and HMAC-SHA256 authentication for payload integrity verification. This means defenders cannot read backdoor communications via network interception, and the backdoor can silently reinstall deleted malicious code even after partial cleanup by a site administrator.
Evasion Techniques
The malware employs multiple obfuscation layers to hinder analysis. All string constants are encoded using octal or hexadecimal escape sequences. Function and variable names follow a randomized mixed-case hexadecimal convention (e.g., Ce8d26cADf211699, EdF20922Ff709e68). A disabled logging function is scattered throughout the code to mimic legitimate debugging infrastructure without executing. Collectively, these techniques make static code analysis significantly more time-consuming and require manual reverse engineering to understand the malware’s behavior.
Indicators of Compromise (IoCs)
Security teams should monitor for the following indicators:
- Outbound cURL requests from web server processes to steamcommunity.com
- Script handle name asahi-jquery-min-bundle in WordPress enqueued scripts
- WordPress transient cache entries with prefix transient_caption
- Authentication cookies named DEpjndDbNc or tEcaKKXEsb in POST requests
- Any domain resolving to hello-myworld[.]info in outbound traffic
Remediation Steps for Affected Site Administrators
- Enable maintenance mode immediately and back up the complete site before making any changes
- Rotate all credentials: admin passwords, database access credentials, FTP, and SSH keys
- Remove and reinstall all plugins and themes from clean, verified sources — partial cleanup is insufficient given the backdoor’s code-restore capability
- Delete all WordPress transient cache entries with the prefix transient_caption
- Audit all enqueued scripts for entries pointing to unrecognized external domains
- Block outbound HTTP/HTTPS requests from the web server process to steamcommunity.com at the firewall level
- Consider deploying a Web Application Firewall (WAF) rule to block POST requests containing the known authentication cookie names
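As an added example (not code from the report or from the campaign), the following Python script turns the IoC list and the transient and enqueued-script audit steps above into checks an administrator can run over exported data: an access-log excerpt, the option_name column of wp_options, and the handle/src pairs of enqueued scripts. All sample inputs are constructed, and the log format with a trailing Cookie field is an assumption.

```python
import re

# Indicators taken from the report.
BACKDOOR_COOKIES = ("DEpjndDbNc", "tEcaKKXEsb")
SCRIPT_HANDLE = "asahi-jquery-min-bundle"
TRANSIENT_PREFIX = "transient_caption"
C2_HOSTS = ("steamcommunity.com", "hello-myworld.info")


def backdoor_post_hits(log_lines):
    """Return POST log lines carrying either backdoor cookie name.
    Assumption: the log format was customised to append the Cookie header."""
    return [ln for ln in log_lines
            if '"POST ' in ln and any(c + "=" in ln for c in BACKDOOR_COOKIES)]


def suspicious_option_names(option_names):
    """WordPress stores transients in wp_options as _transient_<name> and
    _transient_timeout_<name>; match either form of the reported prefix."""
    pat = re.compile(r"^_transient_(timeout_)?" + re.escape(TRANSIENT_PREFIX))
    return [n for n in option_names if pat.match(n)]


def enqueued_script_iocs(enqueued):
    """enqueued: (handle, src) pairs; flag the known handle or a C2 host."""
    flagged = []
    for handle, src in enqueued:
        host = re.sub(r"^https?://", "", src).split("/")[0].lower()
        if handle == SCRIPT_HANDLE or host in C2_HOSTS:
            flagged.append((handle, src))
    return flagged


# Constructed sample data (documentation-range IPs, invented paths and values).
LOG = [
    '198.51.100.7 - - [01/Aug/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "wordpress_test_cookie=WP"',
    '198.51.100.9 - - [01/Aug/2024:10:00:05 +0000] "POST /index.php HTTP/1.1" 200 2 "tEcaKKXEsb=xyz"',
    '198.51.100.9 - - [01/Aug/2024:10:00:09 +0000] "POST /index.php HTTP/1.1" 200 2 "DEpjndDbNc=1"',
]
OPTIONS = ["siteurl", "_transient_transient_caption_1a2b",
           "_transient_timeout_transient_caption_1a2b", "_transient_doing_cron"]
SCRIPTS = [("jquery-core", "/wp-includes/js/jquery/jquery.min.js"),
           ("asahi-jquery-min-bundle", "https://hello-myworld.info/js/bundle.js")]

if __name__ == "__main__":
    print(backdoor_post_hits(LOG))
    print(suspicious_option_names(OPTIONS))
    print(enqueued_script_iocs(SCRIPTS))
```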
This campaign demonstrates how attackers are increasingly abusing legitimate, trusted platforms to hide malicious infrastructure — a trend that challenges traditional perimeter defenses and domain-reputation-based detection tools. Defenders must look beyond known-bad domains and analyze behavioral patterns of outbound traffic from web servers.