
Malware uses Steam profile comments to hijack WordPress sites

malware | open | Jun 2, 2026 — Jun 4, 2026
Steam profile malware uses invisible Unicode to hijack 2k sites

A recently uncovered malware campaign is using Valve’s Steam Community profile comments to hijack roughly two thousand WordPress sites, leveraging invisible Unicode characters to hide command‑and‑control instructions. The activity was first detected in early June 2026 and has been linked to a series of compromises reported by GoDaddy researchers here. Victims range from small blogs to larger business portals that rely on WordPress for publishing.

The malware stores its C2 directives inside Steam comments by inserting zero‑width Unicode characters that are not visible in standard text displays, a technique known as steganography. These hidden strings are later reconstructed by a malicious JavaScript payload that pretends to be a legitimate library such as jQuery or an analytics snippet, as detailed in a technical write‑up here. Once loaded, the script opens a back door that watches for specific authentication cookies and, when present, evaluates injected PHP code supplied by the attacker.

Initial infection vectors appear to involve stolen administrator credentials or exploits in outdated plugins and themes, allowing threat actors to place the malicious script in the site’s header or footer. Indicators of compromise include unexpected outbound HTTP requests to Steam Community URLs and the presence of unusually long PHP files that contain base64‑encoded strings or eval statements. Researchers noted that the malicious code often masquerades as a harmless comment or metadata block.

GoDaddy’s telemetry shows active exploitation between 2 June and 4 June 2026, with approximately 1,980 sites showing signs of the infection. No CVE identifiers have been assigned to the technique, and the threat actors behind the campaign have not been publicly identified. By repurposing a gaming platform as a C2 channel, the attackers blend malicious traffic with legitimate gaming activity, making detection harder for conventional security tools, a point highlighted in another analysis here.

Defenders should begin by auditing all user‑generated content, especially comments on Steam profiles that are displayed on their sites, for invisible Unicode characters using scripts that reveal zero‑width markers. Monitoring outbound traffic for connections to Steam domains and blocking any that are not required by legitimate services can limit the C2 channel. Administrators must also review PHP files for unexpected functions, remove any unfamiliar code, and enforce multi‑factor authentication on all administrative accounts.

Complete remediation involves restoring affected WordPress installations from a known clean backup, resetting all authentication cookies and passwords, and updating every plugin and theme to the latest vendor versions. Deploying a web application firewall rule that strips or rejects zero‑width Unicode characters from incoming requests adds a preventive layer. Finally, maintaining regular file integrity monitoring and logs of file changes helps ensure that any future reinfection is spotted quickly.
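The two defensive steps above, revealing zero-width markers in user-generated text and stripping them before a request is processed, as an added Python example (not GoDaddy's code and not the campaign's encoding scheme). The comment bodies are constructed samples and the flagging threshold is an assumption; a few zero-width joiners are normal in emoji sequences and some scripts, so the scan flags on density rather than mere presence.

```python
"""Find and strip zero-width Unicode characters in user-supplied text."""
import unicodedata

# Invisible code points a defender would flag. Assumption: this list plus the
# Unicode "Cf" (format) category covers the characters used to hide strings.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\u2062",
              "\u2063", "\u2064", "\ufeff"}


def _is_hidden(ch):
    """True for a zero-width or other format-class character."""
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def find_zero_width(text):
    """Return (offset, Unicode name) for every hidden character in text."""
    return [(i, unicodedata.name(ch, "UNNAMED FORMAT CHARACTER"))
            for i, ch in enumerate(text) if _is_hidden(ch)]


def strip_zero_width(text):
    """Remove hidden characters; the WAF-style sanitisation step."""
    return "".join(ch for ch in text if not _is_hidden(ch))


def scan_comments(comments, threshold=4):
    """Report comments whose hidden-character count reaches the threshold.

    threshold=4 is an assumed value: emoji sequences legitimately carry one or
    two joiners, so a single hidden character is not by itself suspicious.
    """
    report = []
    for cid, body in comments.items():
        hits = find_zero_width(body)
        if len(hits) >= threshold:
            visible = strip_zero_width(body)
            report.append({"id": cid, "hidden": len(hits),
                           "visible_len": len(visible),
                           "preview": visible[:40]})
    return report


# Constructed samples: one benign comment, one carrying a hidden run of
# zero-width characters between two visible fragments.
SAMPLE_COMMENTS = {
    "c1": "gg well played",
    "c2": "nice profile"
          + "\u200b\u200c\u200d\u200b\u200c\u200b\u200d\u200c" + " :)",
}

if __name__ == "__main__":
    for entry in scan_comments(SAMPLE_COMMENTS):
        print(entry)
```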

Intelligence briefing updated Jun 10, 2026

Root source: www.godaddy.com