A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community.
Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel.
The malware works in two stages. First, it injects malicious JavaScript into the front end of a compromised WordPress website, serving harmful content to every visitor who lands on the page.
Second, it plants a server-side backdoor that gives attackers persistent remote access, allowing them to modify WordPress plugin and theme files without any visible trace of the intrusion.
GoDaddy security researchers identified this campaign, noting it was first detected in July 2024 and has since been found across approximately 1,900 WordPress sites.
The researchers shared with Cyber Security News (CSN) that the threat actors are deliberately disguising their infrastructure behind Valve’s trusted gaming platform rather than maintaining obviously malicious servers that could be flagged and taken down quickly.
What makes this campaign particularly difficult to detect is how the malware conceals its payloads. It encodes malicious data inside Steam profile comment text using invisible Unicode characters, a form of text steganography.
Since those hidden characters look like completely normal text on the surface, traditional text-based scanning tools are far less likely to catch them during routine checks.
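The article does not describe the exact encoding scheme, but the defensive check is the same regardless of scheme: count characters that render as nothing. The following detector is an added example, not GoDaddy's or the malware's code; the sample comments are constructed, and the allowance of two stray invisible characters per comment is an assumed threshold.

```python
import unicodedata

# Code points that render as nothing in normal text and are the usual carriers
# for text steganography: zero-width space/joiners, word joiner, BOM, and the
# Mongolian vowel separator.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u180e"}


def is_invisible(ch: str) -> bool:
    """True for characters that have no visible glyph in ordinary text."""
    if ch in ZERO_WIDTH:
        return True
    # Cf = Unicode "format" characters; the tag block U+E0000..U+E007F mirrors
    # ASCII invisibly and is a classic hiding place.
    return unicodedata.category(ch) == "Cf" or 0xE0000 <= ord(ch) <= 0xE007F


def scan_comment(text: str) -> dict:
    """Return how many invisible characters a comment carries, and which ones."""
    positions = [i for i, ch in enumerate(text) if is_invisible(ch)]
    visible = sum(1 for ch in text if not is_invisible(ch) and not ch.isspace())
    return {
        "hidden_count": len(positions),
        "visible_count": visible,
        "hidden_ratio": len(positions) / max(len(text), 1),
        "code_points": sorted({f"U+{ord(text[i]):04X}" for i in positions}),
    }


def is_suspicious(text: str, max_hidden: int = 2) -> bool:
    """Flag a comment whose invisible-character count exceeds a small allowance.
    A lone BOM or joiner can occur legitimately; a run of them cannot (assumed cutoff)."""
    return scan_comment(text)["hidden_count"] > max_hidden


# Constructed samples, not real Steam comments.
CLEAN = "gg, nice match yesterday!"
HIDDEN = "gg" + "\u200b\u200c\u200d\u200b\u2060\u200c" + ", nice match yesterday!"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("hidden", HIDDEN)):
        print(label, scan_comment(sample), "suspicious:", is_suspicious(sample))
```

Both samples print identically in a terminal, which is the point: the only reliable signal is the code-point inventory, not the rendered text. The same check applies to any user-supplied text a site pulls in and later decodes (comments, profile fields, pasted snippets).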
The reach of this campaign is significant. Compromised websites unknowingly serve injected scripts to every visitor, exposing real users to potential harm. For site owners, the damage runs deeper, as the backdoor gives attackers the ability to rewrite site code even after partial cleanup attempts.
The core of this attack relies on a PHP function embedded within the compromised WordPress installation.
When any page on the infected site loads, the malware sends an HTTP request to a Steam Community profile page using cURL, scrapes comment text from that profile, and decodes hidden payloads embedded inside it.
The malware has been observed fetching profiles such as steamcommunity.com/profiles/76561199096946028 and caching the extracted content in WordPress transients with a five-minute expiration window.
![PublicWWW results showing websites loading hello-mywordl[.]info (Source - GoDaddy)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH2SZ8NWQlw-4NVtrB54di88HVt-KvflUQEyvVKfXx_ItznOSi_pczAZ5wcTPnE6A4sdghLZ9HH_YWR-mzinryUZKNrBvvZ7vvOpQTJwtYkPHBDU8QwHJH0fPFOh9AYbJgOYiVDIWa0AHSuEgRysap1Jkh9i1UcuD-emg_TPwTYQNOSC1nMCSgK6pWJWo/s16000/PublicWWW%20results%20showing%20websites%20loading%20hello-mywordl%5B.%5Dinfo%20(Source%20-%20GoDaddy).webp)
The decoded data becomes a JavaScript URL injected into every front-end page via the wp_enqueue_script hook, under the deceptive handle name “asahi-jquery-min-bundle” designed to mimic a legitimate library.
The decoded external URL observed during analysis pointed to hello-myworld[.]info, which serves the final malicious JavaScript payload to site visitors.
Stealthy Backdoor Enables Remote Code Execution
The server-side component is just as dangerous as the front-end injection. A backdoor function registered through WordPress’s template_redirect hook listens for POST requests containing specific authentication cookies.
When those cookies are present, the backdoor either confirms it is active by returning a version string, or accepts base64-encoded PHP code and rewrites plugin and theme files across the entire WordPress installation.
This remote code execution capability means that even if a site owner removes part of the infection, attackers can reinstall deleted code through the still-active backdoor.
The malware protects this channel using AES-256-CTR encryption with PBKDF2 key derivation based on SHA-512 and 10,000 iterations, along with HMAC-SHA256 authentication to verify each incoming payload.
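Because the backdoor is triggered by the presence of two fixed cookie names, web server logs are a practical place to look for it. The detector below is an added example, not part of the article or of GoDaddy's tooling. It assumes an Apache LogFormat that appends the request's Cookie header as a final quoted field (combined format plus `"%{Cookie}i"`); the log lines are constructed, and the cookie names come from the article's IoC table.

```python
import re

# Cookie names from the IoC table and the behaviour the article attributes to each.
BACKDOOR_COOKIES = {
    "DEpjndDbNc": "ping/keepalive",
    "tEcaKKXEsb": "remote code execution",
}

# Assumed log layout: Apache "combined" plus a trailing quoted %{Cookie}i field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookies>[^"]*)"$'
)


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into a name -> value mapping."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def find_backdoor_hits(lines) -> list:
    """Return one record per request carrying a known backdoor cookie.

    Any method is reported, not only POST: a GET with the cookie is still
    worth an analyst's attention even though the article describes POSTs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        present = set(parse_cookies(m["cookies"])) & set(BACKDOOR_COOKIES)
        for name in sorted(present):
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": m["path"], "cookie": name,
                "purpose": BACKDOOR_COOKIES[name],
            })
    return hits


# Constructed log lines (RFC 5737 documentation addresses, placeholder cookie values).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:22 +0000] "POST / HTTP/1.1" 200 21 "-" '
    '"Mozilla/5.0" "DEpjndDbNc=1; wordpress_test_cookie=WP"',
    '203.0.113.7 - - [12/Mar/2025:10:01:25 +0000] "POST /index.php HTTP/1.1" 200 5 "-" '
    '"Mozilla/5.0" "tEcaKKXEsb=REDACTED"',
    '198.51.100.4 - - [12/Mar/2025:10:02:01 +0000] "GET /about/ HTTP/1.1" 200 14822 "-" '
    '"Mozilla/5.0" "wordpress_test_cookie=WP"',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit)
```

Sites fronted by Nginx can log the same field with `$http_cookie` in the `log_format` directive. If cookies are not logged at all, the second-best signal the article gives is the side effect: plugin and theme files whose modification times cluster right after a POST to the site root.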
To evade detection, the malware layers multiple obfuscation techniques. All string constants are encoded using octal or hexadecimal escape sequences, function and variable names follow a randomized mixed-case hexadecimal style, and a disabled logging function is scattered through the code to mimic legitimate debugging infrastructure without ever executing.
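The obfuscation traits the article lists (escape-encoded string constants, hexadecimal-looking identifiers) are themselves detectable, and the IoC table supplies literal strings to match. The scanner below is an added example, not code from GoDaddy or the article. The escape-count cutoff of 10 is an assumed value for a small sample; the two PHP snippets are constructed and the "suspicious" one merely reuses strings from the IoC table without any working payload.

```python
import os
import re

# Literal indicators taken from the article's IoC table.
IOC_STRINGS = [
    "steamcommunity.com/profiles/76561199096946028",
    "steamcommunity.com",
    "hello-myworld.info",
    "asahi-jquery-min-bundle",
    "transient_caption",
    "Ce8d26cADf211699",
    "EdF20922Ff709e68",
    "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
    "mpzZYIbGOb",
]

# Obfuscation heuristics from the article: octal or hex escape sequences in
# string constants, and function names made of randomized hexadecimal digits.
ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\[0-7]{1,3}")
HEX_NAME_RE = re.compile(r"\bfunction\s+([0-9A-Fa-f]{12,})\s*\(")
ESCAPE_THRESHOLD = 10  # assumed cutoff; legitimate code rarely escapes this much


def scan_php_source(src: str) -> dict:
    """Score one PHP source text for the indicators above."""
    ioc_hits = [s for s in IOC_STRINGS if s in src]
    escapes = len(ESCAPE_RE.findall(src))
    hex_names = HEX_NAME_RE.findall(src)
    # Either heuristic alone is noisy; together they are a strong signal.
    obfuscated = escapes >= ESCAPE_THRESHOLD and bool(hex_names)
    return {
        "ioc_hits": ioc_hits,
        "escape_count": escapes,
        "hex_named_functions": hex_names,
        "flagged": bool(ioc_hits) or obfuscated,
    }


def scan_tree(root: str) -> list:
    """Walk a wp-content tree and return (path, result) for every flagged PHP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_php_source(fh.read())
            if result["flagged"]:
                findings.append((path, result))
    return findings


# Constructed sample: a hex-named function with escape-encoded "https://" and
# an IoC string. It does nothing; it only exercises the detector.
SAMPLE_SUSPICIOUS = r'''<?php
function Ce8d26cADf211699($p) {
    $h = "\150\164\164\160\163\72\57\57" . "steamcommunity.com/profiles/76561199096946028";
    return "\x6c\x6f\x67";
}
'''

# Constructed sample of ordinary theme code.
SAMPLE_CLEAN = r'''<?php
function theme_enqueue_assets() {
    wp_enqueue_script("theme-main", get_template_directory_uri() . "/js/main.js", array("jquery"), "1.0", true);
}
add_action("wp_enqueue_scripts", "theme_enqueue_assets");
'''

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root:
        for path, result in scan_tree(root):
            print(path, result)
    else:
        print("suspicious:", scan_php_source(SAMPLE_SUSPICIOUS))
        print("clean:", scan_php_source(SAMPLE_CLEAN))
```

Run it against the whole `wp-content` directory rather than only the theme where the article found the sample: the backdoor rewrites plugin and theme files across the installation, so a hit in one place implies the rest must be checked too. The file-based indicators do not cover the transient cache, which lives in the database; that entry (prefix transient_caption) has to be checked there separately.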
Site administrators who suspect an infection should enable maintenance mode right away and back up the compromised installation before making any changes.
All credentials, including WordPress admin passwords, database access, FTP credentials, and SSH keys, must be rotated. Cleanup must cover every plugin and theme file, since partial removal is not enough given the backdoor’s ability to remotely restore deleted code.
Suspicious transient cache entries with the prefix transient_caption and enqueued external scripts pointing to unknown domains should be removed.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | https://steamcommunity.com/profiles/76561199096946028/ | Steam profile used to host encoded C2 payloads |
| URL | https://steamcommunity.com/id/ravypadliha | Steam profile observed during malware fetching |
| URL | https://steamcommunity.com/id/enomisvool123/ | Steam profile observed during malware fetching |
| URL | https://steamcommunity.com/id/eremohnf342 | Steam profile observed during malware fetching |
| Domain | hello-myworld[.]info | External domain serving the decoded malicious JavaScript payload |
| Cookie Name | DEpjndDbNc | Authentication cookie used to trigger backdoor ping/keepalive response |
| Cookie Name | tEcaKKXEsb | Authentication cookie used to trigger remote code execution via backdoor |
| File Path | /wp-content/themes/gt3-child/functions.php | File path where malware was initially discovered |
| Handle Name | asahi-jquery-min-bundle | Deceptive script handle name used to inject malicious JavaScript |
| Transient Prefix | transient_caption | WordPress transient cache prefix used to store C2 data |
| Function Name | Ce8d26cADf211699 | PHP function responsible for fetching Steam profile content |
| Function Name | EdF20922Ff709e68 | PHP function performing cryptographic decoding of payloads |
| Function Name | G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 | PHP function injecting decoded script into WordPress front end |
| Function Name | mpzZYIbGOb | PHP backdoor handler function registered via template_redirect |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.