GoDaddy Discovers Malware on Nearly 2,000 WordPress Sites Using Steam as a Command-and-Control Infrastructure


299/69 Thursday, June 4, 2026

Security researchers at GoDaddy have reported the discovery of malware infecting approximately 1,980 WordPress websites. The malware uses Valve Corporation's Steam Community platform as its Command-and-Control (C2) infrastructure. Instead of communicating with traditional malicious servers, the malware retrieves commands from comments posted on Steam user profiles. While these comments appear to contain ordinary messages or ASCII art, they secretly embed malicious payloads and instructions using invisible Unicode characters, directing infected websites to load JavaScript from attacker-controlled sources.

Analysis revealed that the malware employs data-hiding techniques based on non-printable Unicode characters, including zero-width characters and invisible operators. The malware removes visible text from Steam comments and converts the hidden Unicode characters back into binary data, which is then decoded into operational commands. Some variants further protect their communications using AES-256-CTR encryption, PBKDF2 key derivation, and HMAC-SHA256 authentication, making analysis significantly more difficult. Once decoded, the payload generates a URL pointing to the domain hello-mywordl[.]info, from which it downloads a JavaScript file named lodash.core.min.js. The filename is intentionally designed to resemble a legitimate JavaScript library. The script is then injected into WordPress frontend pages through the wp_enqueue_scripts hook.

GoDaddy warned that the server-side component of the malware presents an even greater risk because it includes a persistent backdoor that executes whenever a WordPress page is loaded. The backdoor monitors specific cookies in HTTP POST requests and, when triggered, allows attackers to submit Base64-encoded PHP code capable of modifying plugin and theme files. As a result, simply removing the malicious JavaScript may not be sufficient, since the backdoor can reinfect the website. For detection and remediation, administrators should look for connections from WordPress servers to Steam Community URLs, references to the domain hello-mywordl[.]info, invisible Unicode characters embedded in PHP files, suspicious cryptographic functions, and cookies or POST parameters associated with the backdoor. If compromise is confirmed, organizations should restore from a known-clean backup created before the infection, remove all malicious code from plugin and theme files, and update WordPress Core, plugins, and themes to their latest versions.
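The detection checklist above (invisible Unicode in PHP files, references to Steam Community URLs and the hello-mywordl[.]info domain, suspicious cryptographic functions, and cookie/POST-driven code) can be turned into a simple file scanner. The following Python is an added example written for this article; it is not GoDaddy's tooling and not the original page's code. The set of invisible code points, the run-length threshold `MIN_RUN`, the pattern names and the two sample files are assumptions constructed for the example; the indicator strings themselves (the Steam host, the payload domain and filename, the crypto primitives) come from the article.

```python
"""Scan WordPress PHP/JS files for the indicators described in the article.

Added example, not GoDaddy's or the article's code. Flags:
  - runs of invisible / zero-width Unicode code points inside source files
  - references to the Steam Community C2 host and the payload domain/filename
  - the crypto primitives and cookie/POST access the backdoor relies on
"""
import os
import re
from dataclasses import dataclass

# Invisible code points commonly abused to hide data in text.
# Assumption: the article does not list the exact characters the malware uses.
INVISIBLE_CHARS = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u180e": "MONGOLIAN VOWEL SEPARATOR",
}

# Assumption: 8+ consecutive invisible code points (a byte's worth of bits)
# practically never occur in legitimate PHP or JavaScript source.
MIN_RUN = 8

# Indicators from the article plus generic backdoor primitives.
SUSPICIOUS_PATTERNS = {
    "steam_c2": re.compile(r"steamcommunity\.com", re.I),
    "payload_domain": re.compile(r"hello-mywordl\.info", re.I),
    "payload_filename": re.compile(r"lodash\.core\.min\.js", re.I),
    "crypto_primitives": re.compile(
        r"\b(openssl_encrypt|openssl_decrypt|hash_pbkdf2|hash_hmac)\s*\(", re.I),
    "base64_eval": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "cookie_or_post_access": re.compile(r"\$_(COOKIE|POST)\s*\[", re.I),
}


@dataclass
class ScanResult:
    path: str
    invisible_runs: list   # (offset, length) for each run of invisible code points
    indicators: dict       # pattern name -> number of matches

    @property
    def suspicious(self) -> bool:
        long_run = any(length >= MIN_RUN for _, length in self.invisible_runs)
        return long_run or any(self.indicators.values())


def find_invisible_runs(text):
    """Return (offset, length) for each maximal run of invisible code points.
    A lone UTF-8 BOM at offset 0 is ignored because editors emit it legitimately."""
    runs, i, n = [], 0, len(text)
    while i < n:
        if text[i] in INVISIBLE_CHARS:
            start = i
            while i < n and text[i] in INVISIBLE_CHARS:
                i += 1
            length = i - start
            if not (start == 0 and length == 1 and text[0] == "\ufeff"):
                runs.append((start, length))
        else:
            i += 1
    return runs


def scan_text(path, text):
    """Scan already-loaded file contents; returns a ScanResult."""
    counts = {name: len(pat.findall(text)) for name, pat in SUSPICIOUS_PATTERNS.items()}
    return ScanResult(path, find_invisible_runs(text), counts)


def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(path, fh.read())


def scan_tree(root, exts=(".php", ".js")):
    """Walk a WordPress install (e.g. wp-content/) and yield a result per file."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                yield scan_file(os.path.join(dirpath, name))


# Constructed samples. The "infected" one only carries the indicators; it is
# not functional malware and is here solely to exercise the scanner.
CLEAN_SAMPLE = (
    "<?php\n// ordinary theme helper\n"
    "function my_theme_setup() { add_theme_support('title-tag'); }\n"
)
INFECTED_SAMPLE = (
    "<?php\n"
    "$c2 = 'https://steamcommunity.com/profiles/PLACEHOLDER';\n"
    "$marker = 'hello-mywordl.info/lodash.core.min.js';\n"
    "$hidden = 'ok" + "\u200b\u200c\u200d\u2060" * 4 + "';\n"
    "if (isset($_COOKIE['x'])) { $k = hash_hmac('sha256', $m, $key); }\n"
)

if __name__ == "__main__":
    import sys
    for r in (scan_text("clean.php", CLEAN_SAMPLE), scan_text("infected.php", INFECTED_SAMPLE)):
        print(r.path, "SUSPICIOUS" if r.suspicious else "clean", r.invisible_runs, r.indicators)
    for r in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else ()):
        if r.suspicious:
            print(r.path, r.invisible_runs, {k: v for k, v in r.indicators.items() if v})
```

Run it with a path such as `wp-content/` to list only files that trip an indicator. A hit on `cookie_or_post_access` or `crypto_primitives` alone is not proof of compromise, since legitimate plugins use both; a long run of invisible characters or a reference to the Steam host or payload domain inside server-side code is the strong signal, and files that hit several categories at once deserve a manual look before restoring from a clean backup.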

Source https://securityaffairs.com/192990/breaking-news/godaddy-found-malware-on-1980-wordpress-sites-using-steam-as-c2-infrastructure.html