HackRead

New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions


A new WordPress malware campaign has been found using an unusual hiding place for its command instructions: Steam Community profile comments. According to research published by GoDaddy Security, the malware stores encoded data inside comments on Steam profiles, then uses infected WordPress sites to fetch and decode that data during normal page activity.

The method allows attackers to place command-and-control data on a trusted public platform without hosting an obvious malicious server. GoDaddy said the campaign was first detected in July 2025 and has been seen on about 1,980 WordPress sites. The affected sites load external JavaScript for visitors and also contain a backdoor that can modify PHP files on the site.

According to GoDaddy’s technical blog post, once planted, the malware can pull hidden instructions from Steam, inject a remote script into public pages, and keep a server-side access path available for future changes. That combination gives the operator both visitor-facing reach and ongoing control over infected WordPress files.

The Steam side of the operation works through profile comments that appear harmless to the general public. However, GoDaddy’s analysis found that the malware extracts content from Steam’s commentthread_comment_text section, then looks for invisible Unicode characters hidden among visible text. Those invisible characters carry the real payload.

The process is easier to understand when stripped of the code. The Steam comment shows ordinary text to anyone viewing it, but hidden characters inside the comment carry the real instructions. The malware reads those hidden characters, turns them back into usable commands, and can also decrypt them with its built-in encryption routines before using them.

A Steam profile comment made to look like harmless ASCII art, while hidden characters inside it carry malware instructions. (Image credit: GoDaddy)

Once decoded, the malware uses the result to build a URL and load an outside JavaScript file on WordPress pages. In the sample analyzed by GoDaddy, the script was loaded through WordPress’s wp_enqueue_script function using the handle asahi-jquery-min-bundle. The observed external script path used the domain hello-mywordl.info and a filename made to resemble a common JavaScript library, lodash.core.min.js.

GoDaddy also found a cookie-authenticated backdoor that listens for POST requests. One cookie acts as a ping mechanism, returning an “OK” response and a version value. Another cookie allows the attacker to send base64-encoded PHP code through a POST parameter named new_code.

That second function is the more serious piece. The backdoor searches plugin and theme directories for a known marker string connected to the script injection function, then replaces the matching line with attacker-supplied code. In practical terms, the operator can update the malware, change the injected script, or restore removed code if a cleanup misses part of the infection.

The malware is also written to avoid easy spotting. GoDaddy noted that strings are hidden with hexadecimal and octal escapes, while function names use random-looking mixed-case identifiers.

It also uses normal WordPress functions, including add_action, wp_enqueue_script, get_transient, set_transient, file_get_contents, and file_put_contents. The use of familiar APIs can make the code look less suspicious during a quick review.

GoDaddy researchers found one sample of the malware inside a child theme file, but the code is not limited to that location and could be planted in other WordPress PHP files. The company did not link the infections to one specific WordPress flaw.

The more likely path, based on the findings, is that attackers first gained access through stolen admin logins, exposed FTP or SFTP accounts, vulnerable plugins or themes, or compromised third-party code.

Administrators checking for this malware should look for references to steamcommunity.com inside plugin and theme files, invisible Unicode character arrays such as U+200C, U+200D, and U+2061 through U+2064, and use of cryptographic functions such as hash_pbkdf2 and openssl_decrypt with AES-256-CTR. Disabled SSL verification in cURL settings is another warning sign.

Network logs may also help. WordPress servers making unexpected outbound requests to Steam Community profiles should be reviewed, as should pages loading JavaScript from nonstandard domains. GoDaddy also noted suspicious WordPress transient cache entries using a transient_caption prefix, along with POST requests carrying the cookie names DEpjndDbNc or tEcaKKXEsb.
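As an added illustration (not GoDaddy’s or HackRead’s code), a small Python scanner that checks PHP source for the indicators listed above and measures how many invisible carrier characters a string holds, which is also how the Steam-comment channel described earlier can be spotted. The sample theme file it scans is constructed and inert; the profile id and key material in it are placeholders.

```python
import re

# Invisible code points the article lists as the carrier alphabet (U+200C, U+200D, U+2061..U+2064).
INVISIBLE = {"\u200c", "\u200d", "\u2061", "\u2062", "\u2063", "\u2064"}

def hidden_chars(text):
    """Return the invisible characters in text (in order) and their share of all characters."""
    found = [c for c in text if c in INVISIBLE]
    return found, (len(found) / len(text) if text else 0.0)

# Indicators from the article, as case-insensitive regexes over PHP source text.
INDICATORS = [
    ("steam profile fetch", r"steamcommunity\.com"),
    # escaped forms of the carrier alphabet: PHP \u{...} escapes or their UTF-8 byte escapes
    ("invisible unicode escapes", r"\\u\{?20(0c|0d|6[1-4])\}?|\\xe2\\x80\\x8[cd]|\\xe2\\x81\\xa[1-4]"),
    ("pbkdf2 key derivation", r"\bhash_pbkdf2\s*\("),
    ("openssl_decrypt call", r"\bopenssl_decrypt\s*\("),
    ("aes-256-ctr cipher", r"aes-256-ctr"),
    ("ssl verification disabled", r"CURLOPT_SSL_VERIFYPEER\s*,\s*(false|0)\b"),
    ("transient_caption cache key", r"transient_caption"),
    ("backdoor cookie names", r"DEpjndDbNc|tEcaKKXEsb"),
    ("new_code post parameter", r"\$_POST\[\s*['\"]new_code['\"]\s*\]"),
    ("asahi script handle", r"asahi-jquery-min-bundle"),
    ("hello-mywordl.info domain", r"hello-mywordl\.info"),
]

def scan_php(src):
    """Return the names of every indicator present in a PHP source string."""
    hits = [name for name, pat in INDICATORS if re.search(pat, src, re.IGNORECASE)]
    if hidden_chars(src)[0]:            # the carrier characters pasted in literally
        hits.append("raw invisible characters")
    return hits

# Constructed, inert sample of a tampered theme file built only from strings the article names.
SAMPLE_PHP = r'''<?php
function qWeRtYuI() {
    $page = file_get_contents("https://steamcommunity.com/profiles/PLACEHOLDER_ID/");
    $alphabet = ["\u{200C}", "\u{200D}", "\u{2061}", "\u{2062}", "\u{2063}", "\u{2064}"];
    $key = hash_pbkdf2("sha256", "PLACEHOLDER", "PLACEHOLDER", 1000, 32, true);
    $plain = openssl_decrypt($blob, "aes-256-ctr", $key, OPENSSL_RAW_DATA, $iv);
    set_transient("transient_caption_" . md5($page), $plain, 3600);
    if (isset($_COOKIE["DEpjndDbNc"])) { echo "OK"; }
    $new = $_POST["new_code"] ?? "";
    wp_enqueue_script("asahi-jquery-min-bundle", "https://hello-mywordl.info/lodash.core.min.js");
}
'''
```

Running scan_php(SAMPLE_PHP) lists ten of the indicators; a clean file returns an empty list, and a file with the carrier characters pasted in literally is flagged by hidden_chars even when no escape sequences are present.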

This campaign is notable because it turns a public gaming profile into a storage point for hidden malware instructions. The technique does not make WordPress compromise new, but it does show how attackers can use legitimate platforms to make malicious traffic harder to judge at first sight.

Malware and Comments

This is not the first case of attackers abusing comment sections to hide malware instructions. In June 2017, Russian hackers were reported to have used posts on Britney Spears’ official Instagram account to control malware, showing how public platforms can be misused as covert communication channels.


This pattern has appeared in other campaigns, too. In March 2018, attackers used YouTube comments to distribute password-stealing malware. In April 2024, scammers abused GitHub comments to post links disguised as Microsoft software downloads, tricking users into installing malware.

Expert Insights:

“The extensive use of obfuscation and steganographic techniques shows a clear desire by threat actors to cover their tracks and maintain access to infected sites,” said William Wright, CEO of Closed Door Security.

“The use of public Steam content in lieu of traditional command-and-control infrastructure is likely part of this effort, allowing the platform to act as a cheap alternative to overt hosting infrastructure.”

“Because the malware can maintain persistence inside servers, infected sites need to be restored from known clean backups. Site admins should be wary of outbound connections to unexpected domains, even if they are legitimate,” warned Wright.
