


Perceptive Security
SOC/SIEM Consultancy

WordPress malware campaign hides payloads in Steam profiles
Published:
1 June 2026 at 17:04:16
Alert date:
1 June 2026 at 18:04:01
Source:
bleepingcomputer.com
Web Technologies, Ransomware & Malware
A malware campaign has infected nearly 2,000 WordPress websites, using comments on Steam Community profiles to hide command-and-control data. The campaign targets WordPress sites specifically and uses the Steam profiles as a covert communication channel, abusing a legitimate gaming platform as C2 infrastructure so that traffic to it blends in with trusted activity and evades detection. The scale of infection across thousands of WordPress sites indicates an active and widespread threat.
Technical details
A malware campaign targeting WordPress websites uses Steam Community profile comments to hide command-and-control data. The malware encodes its payloads with invisible Unicode characters (U+200C, U+200D, U+2061, U+2062, U+2063, U+2064), disguised as ASCII art. The decoder maps each invisible character to a number, converts the numbers to a binary representation and reconstructs the payload bytes. The decoded payload builds URLs to hello-mywordl[.]info, which serves JavaScript code that is injected into WordPress pages. The final stage implements a backdoor that responds to POST requests carrying the authentication cookie 'tEcaKKXEsb'. The malware is disguised as legitimate JavaScript libraries (asahi-jquery-min-bundle, lodash.core.min.js) and uses obfuscated strings, randomized function names and standard WordPress APIs for evasion.
Mitigation steps:
Check for references to Steam Community URLs in WordPress code
Monitor for suspicious external JavaScript injections
Monitor outbound connections from WordPress servers to Steam
Check for unexpected scripts loading from hello-mywordl[.]info domain
Look for invisible Unicode characters in content
Monitor for suspicious _transient_caption_ cache entries
Check for disabled SSL verification in cURL requests
Monitor POST requests containing tEcaKKXEsb cookie or new_code parameter
Restore from a known-good backup taken before the infection date
Perform a thorough manual clean-up if backup restoration is not possible
Ensure complete removal of all malware components to prevent reinstallation through the backdoor
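A defender-side check for the encoding described in the technical details and for the "look for invisible Unicode characters" mitigation step, added here as an example; it is not code from the article or from the campaign's tooling. It scans a string (for instance a post body, comment or transient value pulled from the WordPress database) for the six code points and reports both long runs and overall density, since the payload may be interleaved with visible "ASCII art" rather than stored as one contiguous run. The thresholds and the sample strings are assumptions I constructed.

```python
import re
from typing import Dict, List, Tuple

# The six invisible code points named in the advisory.
INVISIBLE = {
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
}
_RUN = re.compile("[" + "".join(INVISIBLE) + "]+")


def find_invisible_runs(text: str, min_run: int = 8) -> List[Tuple[int, int]]:
    """Return (offset, length) of every run of invisible characters at least min_run long.
    A minimum run length avoids flagging the single U+200D that glues legitimate emoji sequences."""
    return [(m.start(), m.end() - m.start())
            for m in _RUN.finditer(text) if m.end() - m.start() >= min_run]


def invisible_ratio(text: str) -> float:
    """Fraction of characters that are one of the six code points; catches interleaved encodings."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in INVISIBLE) / len(text)


def scan(text: str, min_run: int = 8, ratio_threshold: float = 0.2) -> Dict[str, object]:
    """Flag text as suspicious if it holds a long invisible run or an unusually high density.
    Thresholds are assumed values; tune them against your own content before alerting."""
    runs = find_invisible_runs(text, min_run)
    ratio = invisible_ratio(text)
    return {
        "runs": runs,
        "ratio": round(ratio, 3),
        "suspicious": bool(runs) or ratio >= ratio_threshold,
        # Visible preview so an analyst can see what the entry looked like on the page.
        "preview": "".join(ch for ch in text if ch not in INVISIBLE)[:40],
    }


# Constructed samples: harmless ASCII art, the same art with a hidden contiguous run,
# and a string where an invisible character is interleaved after every visible one.
SAMPLE_CLEAN = "  /\\_/\\ \n ( o.o ) \n  > ^ <  "
SAMPLE_STEGO = "  /\\_/\\ " + "\u200c\u200d\u2061\u2062\u2063\u2064" * 12 + "\n ( o.o ) \n  > ^ <  "
SAMPLE_INTERLEAVED = "".join(ch + "\u2063" for ch in "hello world")

if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN), ("stego", SAMPLE_STEGO), ("interleaved", SAMPLE_INTERLEAVED)]:
        print(name, scan(sample))
```

Feeding it every row of wp_posts.post_content, wp_comments.comment_content and the _transient_caption_ options entries the advisory mentions gives a quick first pass over a suspected site.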
Affected products:
WordPress websites (approximately 1,980 sites infected)
WordPress themes and plugins (vulnerable versions unspecified)
Related links:
Related CVEs:
Related threat actors:
IOCs:
hello-mywordl[.]info, tEcaKKXEsb (authentication cookie), new_code parameter in POST requests, _transient_caption_ cache entries, Unicode characters U+200C, U+200D, U+2061, U+2062, U+2063, U+2064, asahi-jquery-min-bundle (malicious JavaScript filename), lodash.core.min.js (malicious JavaScript filename), Steam Community URLs in WordPress code, Disabled SSL verification in cURL requests
This article was created with the assistance of AI technology by Perceptive.
