A new WordPress‑focused malware family pulls command‑and‑control data from hidden Unicode characters in Steam profile comments, allowing attackers to bypass traditional detection and maintain a low‑profile C2 channel.
A stealthy link between WordPress and Steam
In the summer of 2025, security engineers at GoDaddy uncovered a campaign that had silently infected nearly 2,000 WordPress sites. The twist? The malware’s command‑and‑control (C2) traffic was not hosted on a typical malicious domain but buried inside Steam Community profile comments. By sprinkling a handful of invisible Unicode characters into otherwise benign‑looking text, the attackers could retrieve binary payloads without ever exposing a dedicated C2 server.
Malicious Steam comment captured by GoDaddy researchers
How the infection works
Initial compromise – The first‑stage loader arrives on a WordPress site through one of several common vectors: stolen admin credentials, compromised FTP/SFTP accounts, exploitation of a vulnerable theme or plugin, or a supply‑chain breach affecting a popular component.
Fetching the Steam profile – Once on the server, the loader makes a standard HTTP request to a hard‑coded Steam Community profile URL. The request goes through WordPress’s own HTTP API (the same path used for update checks and oEmbed fetches), so it looks like any other outbound WordPress call rather than a bespoke downloader, and it reaches a high‑reputation domain that few allow‑lists or threat feeds would flag.
Decoding invisible characters – The comment retrieved from the profile looks like ordinary ASCII art. Hidden among the visible glyphs are six zero‑width Unicode characters:
- U+200C – Zero‑width non‑joiner
- U+200D – Zero‑width joiner
- U+2061 – Function application
- U+2062 – Invisible times
- U+2063 – Invisible separator
- U+2064 – Invisible plus
A custom decoder strips away every visible character, maps each invisible code point to a numeric value, and reconstructs a binary stream. The resulting bytes form a URL such as http://hello-mywordl.info/….
Loading the malicious script – The URL points to a JavaScript file masquerading as a legitimate library (e.g., asahi-jquery-min-bundle.js or lodash.core.min.js). The script is injected into every front‑end page via WordPress’s wp_enqueue_script hook, so the attacker’s code runs in the browser of every site visitor.
Backdoor activation – The final stage sets up a hidden backdoor that listens for POST requests carrying a specific authentication cookie (tEcaKKXEsb). When the cookie is present, the backdoor accepts a Base64‑encoded PHP payload in the new_code parameter and executes it with the web server’s privileges.
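To make the decoding stage concrete, here is an added example (not GoDaddy’s code and not the malware itself) of how a six‑symbol invisible‑character alphabet can carry a byte stream inside ordinary text, and of the decoder that strips the visible glyphs and rebuilds the bytes. The article does not give the malware’s exact mapping, so the base‑6 scheme (four symbols per byte), the cover text and the payload URL below are all assumptions constructed for illustration.

```python
"""Added example (not GoDaddy's code): a six-symbol invisible-character
alphabet carrying a byte stream inside ordinary text, plus the decoder that
strips the visible glyphs and rebuilds the bytes.  The real malware's mapping
is not stated in the article; the base-6 scheme here is an assumption."""

# The six code points named in the write-up, in the order used as digits 0..5.
INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"
DIGIT = {ch: i for i, ch in enumerate(INVISIBLE)}
SYMBOLS_PER_BYTE = 4  # 6**4 = 1296 >= 256, so four base-6 digits hold one byte


def encode_bytes(data: bytes) -> str:
    """Attacker side: map each byte to four invisible symbols, most significant first."""
    out = []
    for b in data:
        group = []
        for _ in range(SYMBOLS_PER_BYTE):
            group.append(INVISIBLE[b % 6])
            b //= 6
        out.extend(reversed(group))
    return "".join(out)


def hide_in_text(cover: str, data: bytes) -> str:
    """Interleave the invisible run into `cover`, one symbol after each visible
    character, then append whatever is left; the result renders exactly like `cover`."""
    hidden = encode_bytes(data)
    out, i = [], 0
    for ch in cover:
        out.append(ch)
        if i < len(hidden):
            out.append(hidden[i])
            i += 1
    out.append(hidden[i:])
    return "".join(out)


def extract_invisible(text: str) -> str:
    """Decoder step 1: keep only the six code points, in order; drop everything else."""
    return "".join(ch for ch in text if ch in DIGIT)


def decode_bytes(hidden: str) -> bytes:
    """Decoder step 2: turn groups of four symbols back into bytes; reject damaged runs."""
    if len(hidden) % SYMBOLS_PER_BYTE:
        raise ValueError("invisible run is not a whole number of byte groups")
    out = bytearray()
    for i in range(0, len(hidden), SYMBOLS_PER_BYTE):
        value = 0
        for ch in hidden[i:i + SYMBOLS_PER_BYTE]:
            value = value * 6 + DIGIT[ch]
        if value > 0xFF:
            raise ValueError("symbol group exceeds one byte")
        out.append(value)
    return bytes(out)


def decode_comment(comment: str) -> bytes:
    """What the loader does with the fetched profile comment."""
    return decode_bytes(extract_invisible(comment))


def visible_text(text: str) -> str:
    """What a human, or a scanner that ignores format characters, actually sees."""
    return "".join(ch for ch in text if ch not in DIGIT)


# Constructed cover text and payload URL; the campaign's real URL is not reproduced here.
COVER = "  (\\_/)\n  ( o.o)   nice profile!\n  (> <)"
PAYLOAD = b"http://example.invalid/x.js"

if __name__ == "__main__":
    comment = hide_in_text(COVER, PAYLOAD)
    print("visible :", repr(visible_text(comment)))
    print("hidden  :", len(comment) - len(COVER), "invisible symbols")
    print("decoded :", decode_comment(comment))
```

The decoder’s first step is also the defender’s scan: any file or database row where `extract_invisible` returns a non‑empty string deserves a look, because legitimate WordPress code has no reason to contain these code points.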
Expert perspective
“Embedding C2 data in a high‑traffic, trusted platform like Steam is a clever way to sidestep network‑based detection,” says Dr. Maya Patel, senior threat analyst at the SANS Institute. “The use of zero‑width characters makes static file scans almost useless because the malicious bytes are invisible to the naked eye and to many regex‑based scanners.”
GoDaddy’s own research team, led by Bill Toulas, adds that the malware also employs classic WordPress evasion tricks: randomized function names, octal/hex string obfuscation, and deliberately disabled logging calls that appear to be dead code.
Practical steps for defenders
| Indicator | What to look for |
|---|---|
| Steam URLs | Any outbound request from your web server to steamcommunity.com that is not part of a known integration (e.g., OAuth). |
| Invisible Unicode | Files containing the six zero‑width code points listed above. Use a command like `grep -rlP "[\x{200C}\x{200D}\x{2061}-\x{2064}]" .` (run it under a UTF‑8 locale so `-P` treats the input as Unicode). |
| Suspicious script names | JavaScript files named asahi-jquery-min-bundle.js, lodash.core.min.js, or similar that are not part of your theme or plugins. |
| Backdoor cookie | Requests that include the tEcaKKXEsb cookie. Check access logs for `Cookie: tEcaKKXEsb=` patterns (the default combined log format does not record cookies, so this needs a custom LogFormat or a WAF/proxy log). |
| POST with new_code | POST bodies containing long Base64 strings in a new_code parameter, especially when combined with the authentication cookie. |
| transient_caption entries | Unexpected transients in the WordPress options table (wp_options) that reference Steam URLs. |
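As an added example (not GoDaddy’s or WordPress’s code), the cookie and new_code indicators from the table can be turned into a request inspector of the kind a WAF rule or a small must‑use plugin would implement. Requests are modelled as plain (method, headers, body) values; the sample requests, the 64‑character “long Base64” threshold and the sample PHP string are constructed for illustration, not captured traffic.

```python
"""Added example, not GoDaddy's or WordPress's code: flag the backdoor
indicators from the write-up (tEcaKKXEsb cookie, Base64 blob in new_code)
on individual requests.  Sample requests below are constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

BACKDOOR_COOKIE = "tEcaKKXEsb"   # cookie name reported in the write-up
BACKDOOR_PARAM = "new_code"      # POST parameter reported in the write-up
MIN_BLOB_LEN = 64                # assumed threshold for a "long" Base64 string
B64_RE = re.compile(r"^[A-Za-z0-9+/]{%d,}={0,2}$" % MIN_BLOB_LEN)


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def decode_long_base64(value: str):
    """Return the decoded bytes if `value` is a long, well-formed Base64 string, else None."""
    if not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def inspect_request(method: str, headers: dict, body: str) -> list:
    """Return indicator strings for one request; an empty list means nothing matched.
    Headers are assumed to be keyed exactly as sent ("Cookie"); normalise case in real use."""
    findings = []
    has_cookie = BACKDOOR_COOKIE in parse_cookies(headers.get("Cookie", ""))
    if has_cookie:
        findings.append("backdoor auth cookie %s present" % BACKDOOR_COOKIE)
    has_payload = False
    if method.upper() == "POST":
        # parse_qs undoes the form encoding, so '+', '/' and '=' in the blob survive.
        for blob in parse_qs(body, keep_blank_values=True).get(BACKDOOR_PARAM, []):
            decoded = decode_long_base64(blob)
            if decoded is None:
                continue
            has_payload = True
            tag = " (decodes to PHP)" if b"<?php" in decoded else ""
            findings.append("%s carries a %d-byte Base64 payload%s"
                            % (BACKDOOR_PARAM, len(decoded), tag))
    if has_cookie and has_payload:
        findings.append("cookie and payload together: likely live backdoor use")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_PHP = b'<?php echo "constructed sample, not a real payload"; ?>'
BENIGN = ("GET", {"Cookie": "wordpress_test_cookie=WP+Cookie+check"}, "")
BACKDOOR = ("POST",
            {"Cookie": "PHPSESSID=abc123; %s=1" % BACKDOOR_COOKIE},
            urlencode({BACKDOOR_PARAM: base64.b64encode(SAMPLE_PHP).decode()}))

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("backdoor", BACKDOOR)):
        print(label, "->", inspect_request(*req) or "clean")
```

The cookie alone is a strong enough signal to alert on, since nothing legitimate sets it; the Base64 check is there so that a renamed cookie still leaves the payload shape to catch, and decoding the blob before matching avoids false positives on long but non‑Base64 values.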
Remediation checklist
- Isolate the affected host to stop further outbound calls.
- Search for the six zero‑width characters across the codebase and the database, and remove any matches.
- Remove any unknown JavaScript files that match the naming pattern and verify the integrity of core WordPress files (`wp core verify-checksums`).
- Revoke all compromised credentials (admin, FTP/SFTP, database) and enforce MFA.
- Restore from a clean backup taken before the first known infection date. If a backup is unavailable, perform a manual clean‑up: delete the malicious code, reset all salts in `wp-config.php`, and rotate all passwords.
- Update every theme and plugin to the latest version. Add egress filtering (host firewall or network edge) so the web server can only reach the outbound destinations it actually needs; a WAF inspects inbound requests and will not, by itself, stop the server from fetching Steam profiles.
Why this matters for the broader WordPress ecosystem
The campaign demonstrates that attackers are increasingly willing to piggyback on trusted third‑party platforms for C2. By moving the control channel off‑site, they reduce the risk of takedown and make network‑based detection far more difficult. For organizations that run large numbers of WordPress sites—especially managed hosting providers—the lesson is clear: monitor outbound traffic as closely as you monitor inbound traffic.
Resources
- GoDaddy’s full technical report (PDF): https://www.godaddy.com/security/wordpress-steam-c2-report
- WordPress hardening guide: https://wordpress.org/support/article/hardening-wordpress/
- Unicode zero‑width character detection script: https://github.com/malwarelab/zero-width-detector
- Steam Community API documentation: https://developer.valvesoftware.com/wiki/Steam_Web_API
Stay vigilant, and remember that the most dangerous payloads are often the ones you can’t see.