Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profile comments using invisible Unicode.
GoDaddy researchers spotted a command-and-control infrastructure for a malware campaign abusing Valve’s Steam gaming platform. The experts discovered malware on approximately 1,980 WordPress sites that fetches its instructions by reading Steam Community profile comments, where the actual payload is hidden using invisible Unicode characters embedded between visible text.
“GoDaddy Security researchers have analyzed malware that uses an unconventional approach to command and control: encoding malicious payloads for WordPress within Steam Community profile comments,” reads the report published by GoDaddy.
From the outside, the comments look like ASCII art. From the inside, they’re encoded instructions telling infected WordPress sites where to load malicious JavaScript from.
The encoding scheme uses six Unicode characters that have no visible representation: zero-width non-joiner (U+200C), zero-width joiner (U+200D), function application (U+2061), invisible times (U+2062), invisible separator (U+2063), and invisible plus (U+2064). The malware strips all visible characters from the Steam comment, maps each invisible character to a number between 0 and 5, converts those numbers to binary, reconstructs bytes from the binary stream, and applies a bitwise NOT operation to each byte. Because the carrier is made of characters that render as nothing, the comment can be wrapped in any visible text at all without changing the decoded result.
“This encoding allows binary data to be embedded within normal-looking text,” states the report. “The visible characters serve as camouflage while the invisible characters carry the actual payload.”
In some variants, the decoded output is further protected with AES-256-CTR encryption, PBKDF2 key derivation with 10,000 iterations, and HMAC-SHA256 authentication.
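The decoding chain above, as an added worked example; it is not the malware's code or GoDaddy's tooling. The six characters, the 0..5 mapping, the stripping of visible text and the final bitwise NOT follow the report's description. The article does not say how the symbol indices are packed into bytes, so this example assumes four base-6 digits per byte (6^4 = 1296, enough for 256 values), which is one lossless packing, and it stops before the optional AES-256-CTR layer. The payload and the camouflage text are constructed for the demonstration.

```python
"""Toy model of the invisible-Unicode channel described in the GoDaddy report.

Added illustration, not the malware's code.  The six characters and the
final bitwise NOT come from the report; the packing of the 0..5 symbol
indices into bytes is NOT given there, so this assumes four base-6 digits
per byte (an assumption).  Payload and camouflage below are constructed.
"""

INVISIBLE = [
    "\u200c",  # ZERO WIDTH NON-JOINER  -> 0
    "\u200d",  # ZERO WIDTH JOINER      -> 1
    "\u2061",  # FUNCTION APPLICATION   -> 2
    "\u2062",  # INVISIBLE TIMES        -> 3
    "\u2063",  # INVISIBLE SEPARATOR    -> 4
    "\u2064",  # INVISIBLE PLUS         -> 5
]
INDEX = {ch: i for i, ch in enumerate(INVISIBLE)}
DIGITS_PER_BYTE = 4  # assumed packing, see module docstring


def encode(payload: bytes, camouflage: str) -> str:
    """Hide payload inside camouflage text.

    Each byte is bitwise-NOTed, written as four base-6 digits (most
    significant first) and every digit becomes one invisible character,
    spread between the visible characters of the camouflage.
    """
    symbols = []
    for b in payload:
        v = (~b) & 0xFF
        digits = []
        for _ in range(DIGITS_PER_BYTE):
            digits.append(INVISIBLE[v % 6])
            v //= 6
        symbols.extend(reversed(digits))
    visible = list(camouflage)
    per_slot = -(-len(symbols) // max(1, len(visible)))  # ceil division
    out, pos = [], 0
    for ch in visible:
        out.append(ch)
        out.extend(symbols[pos:pos + per_slot])
        pos += per_slot
    out.extend(symbols[pos:])
    return "".join(out)


def decode(comment: str) -> bytes:
    """Recover the payload: drop every character that is not one of the six
    invisibles, map the rest to 0..5, rebuild bytes, apply bitwise NOT."""
    idx = [INDEX[ch] for ch in comment if ch in INDEX]
    if len(idx) % DIGITS_PER_BYTE:
        raise ValueError("truncated symbol stream")
    out = bytearray()
    for i in range(0, len(idx), DIGITS_PER_BYTE):
        v = 0
        for d in idx[i:i + DIGITS_PER_BYTE]:
            v = v * 6 + d
        if v > 0xFF:
            raise ValueError("digit group out of byte range")
        out.append((~v) & 0xFF)
    return bytes(out)


def contains_invisible_channel(text: str, min_symbols: int = 8) -> bool:
    """Triage check: does the text carry more than a handful of the six
    invisible code points?  Ordinary comments almost never do."""
    return sum(1 for ch in text if ch in INDEX) >= min_symbols


if __name__ == "__main__":
    # constructed sample: a URL fragment hidden inside "ASCII art"
    carrier = encode(b"https://example.test/lodash.core.min.js", " /\\ \\/ /\\ ")
    print(repr(carrier))            # looks like a short line of ASCII art
    print(decode(carrier))          # the hidden URL comes back
    print(contains_invisible_channel(carrier))
```

decode() ignores every character outside the six-symbol table, which is exactly what lets the carrier survive being dressed up as ASCII art; the same property means a defender can triage Steam comments, database transients or cached responses simply by counting those six code points, as contains_invisible_channel() does.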
The decoded payload builds a URL pointing to hello-mywordl[.]info, which serves a JavaScript file called lodash.core.min.js. That name is deliberate. It mimics a legitimate, widely used JavaScript library. The malware injects it into every WordPress frontend page via the wp_enqueue_scripts hook using the handle “asahi-jquery-min-bundle,” another name chosen to look like standard infrastructure.
“The script is loaded on every WordPress frontend page via the wp_enqueue_scripts hook,” states the report. “The handle name ‘asahi-jquery-min-bundle’ and filename ‘lodash.core.min.js’ mimic legitimate JavaScript libraries.”
Anyone scanning a site for suspicious scripts would need to look past convincingly named files to find it.
The server-side component is more dangerous than the JavaScript injection. The malware installs a backdoor that listens on every WordPress page load and checks for two specific authentication cookies in incoming POST requests. The first cookie triggers a ping response that tells the attacker the backdoor is still active and returns a version identifier. The second cookie is the destructive one.
“When the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via POST parameter,” states the analysis. “The file modification function searches recursively through plugin and theme directories.”
The attacker sends updated PHP code, and the backdoor searches every plugin and theme file for a marker string, then overwrites matching lines with the new code. This means a partial cleanup that removes the JavaScript injection but leaves the backdoor intact accomplishes almost nothing: the attacker just rewrites the code they want back into whichever file they choose.
The obfuscation runs several layers deep. All string constants in the malware use octal or hexadecimal escape sequences, so a text search for “steamcommunity.com” or “https://” won’t find them. Function and variable names look like random hex strings. There’s a non-functional logging system scattered throughout the code with a hardcoded $enabled = false variable that ensures the logging never actually executes. It exists purely to make the code look like legitimate, carefully written software to anyone scanning it quickly. The malware also uses standard WordPress API calls throughout, which makes behavioral detection harder because everything looks like normal plugin activity.
How the initial infection happens isn’t confirmed. The most likely vectors are stolen WordPress admin credentials, compromised FTP or SFTP access, a vulnerable plugin or theme, or a supply chain compromise. None of those are unusual. What is unusual is what happens after: a multi-stage attack that uses a globally trusted gaming platform as infrastructure, invisible text as data encoding, and a self-updating backdoor that can survive partial remediation.
Detection starts with specific indicators. Any outbound connections from a WordPress server to Steam Community URLs are suspicious. References to hello-mywordl[.]info in loaded scripts are a direct indicator. In PHP files, look for invisible Unicode character arrays containing U+200C, U+200D, or U+2061 through U+2064, or cryptographic functions like hash_pbkdf2 and openssl_decrypt with AES-256-CTR mode appearing in plugin or theme files. Keep in mind that the malware stores its string constants as octal or hexadecimal escape sequences, so a plain-text search for the domain names or cookie names will miss them; search for the escaped forms as well, or decode the strings before matching.
On the network side, POST requests containing cookie names DEpjndDbNc or tEcaKKXEsb, or a POST parameter named new_code, indicate active backdoor use. If you find an infection, restore from a clean backup before the infection date if at all possible. If you can’t, the manual cleanup has to be complete, because the remote code rewriting capability means any component left behind can reinstall everything else.
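An indicator sweep that ties the obfuscation caveat and the detection list together, written as an added example: it is not GoDaddy's scanner, and the PHP snippet and request headers it inspects are constructed here to resemble what the report describes. It resolves PHP double-quoted string escapes before matching, so the escaped domain and cookie names become searchable, looks for the invisible-character table and the PBKDF2/AES-256-CTR calls in file content, and flags POST requests that carry either backdoor cookie name or the new_code parameter.

```python
"""Indicator sweep for the campaign described above.

Added example, not GoDaddy's tooling.  The PHP sample and the request
headers at the bottom are constructed to resemble the report's description
(strings as octal/hex escapes, hex-looking identifiers, the invisible
character table, the cookie names); they are not copied from real malware.
"""
import re

INVISIBLE_CODEPOINTS = {0x200C, 0x200D, 0x2061, 0x2062, 0x2063, 0x2064}
DOMAIN_IOCS = ("hello-mywordl.info", "steamcommunity.com")
CRYPTO_IOCS = ("hash_pbkdf2", "openssl_decrypt", "aes-256-ctr")
COOKIE_IOCS = ("DEpjndDbNc", "tEcaKKXEsb")
POST_PARAM_IOC = "new_code"

# PHP double-quoted escapes: \xHH, \ooo (octal) and \u{HHHH}
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\u\{([0-9A-Fa-f]+)\}')


def unescape_php(src: str) -> str:
    """Resolve PHP string escapes so text a naive grep misses becomes visible."""
    def sub(m: re.Match) -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8))
        return chr(int(m.group(3), 16))
    return _ESC.sub(sub, src)


def scan_php(src: str) -> list[str]:
    """Return indicator hits for one PHP file's content."""
    plain = unescape_php(src)
    lower = plain.lower()
    hits = []
    hits += [f"domain:{d}" for d in DOMAIN_IOCS if d in lower]
    hits += [f"crypto:{c}" for c in CRYPTO_IOCS if c in lower]
    present = {ord(ch) for ch in plain} & INVISIBLE_CODEPOINTS
    if len(present) >= 3:  # several of the six together is the tell, not a lone ZWJ
        hits.append("invisible-unicode-table:" + ",".join(f"U+{c:04X}" for c in sorted(present)))
    hits += [f"cookie:{ck}" for ck in COOKIE_IOCS if ck in plain]
    if POST_PARAM_IOC in plain:
        hits.append(f"post-param:{POST_PARAM_IOC}")
    return hits


def scan_request(method: str, headers: dict, body_params: dict) -> list[str]:
    """Flag a POST that presents either backdoor cookie or the new_code parameter."""
    if method.upper() != "POST":
        return []
    cookie_names = {c.split("=", 1)[0].strip()
                    for c in headers.get("Cookie", "").split(";") if c.strip()}
    hits = [f"cookie:{ck}" for ck in COOKIE_IOCS if ck in cookie_names]
    if POST_PARAM_IOC in body_params:
        hits.append(f"post-param:{POST_PARAM_IOC}")
    return hits


# Constructed sample in the style the report describes: every string constant
# escaped, identifiers that look like hex, the invisible table, the crypto calls.
SAMPLE_PHP = r'''<?php
$a3f9 = "\150\164\164\160\163\072\057\057\163\164\145\141\155\143\157\155\155\165\156\151\164\171\056\143\157\155";
$b7c2 = ["\u{200C}", "\u{200D}", "\u{2061}", "\u{2062}", "\u{2063}", "\u{2064}"];
$k = hash_pbkdf2("sha256", $p, $s, 10000, 32, true);
$d = openssl_decrypt($c, "aes-256-ctr", $k, OPENSSL_RAW_DATA, $iv);
if (isset($_COOKIE["\164\105\143\141\113\113\130\105\163\142"])) { }
'''

if __name__ == "__main__":
    for hit in scan_php(SAMPLE_PHP):
        print("file:", hit)
    # constructed request: a POST presenting one backdoor cookie
    for hit in scan_request("POST", {"Cookie": "PHPSESSID=abc; DEpjndDbNc=1"}, {}):
        print("request:", hit)
```

Run scan_php over every file under wp-content/plugins and wp-content/themes, not just the ones you expect to be touched: the rewrite capability described above means the active copy can be in any file that contains the marker string. scan_request is meant to be fed from an access-log or WAF pipeline that exposes cookie names and POST parameter names; a GET carrying the same cookie is ignored because the report ties the trigger to POST requests.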
“Cleanup should prioritize restoration from a known-clean backup predating the infection whenever possible. If backups are unavailable or unreliable, manual remediation requires searching for and removing malicious code from all plugin and theme files, clearing suspicious WordPress transients from the database, verifying that no malicious scripts remain enqueued, and updating WordPress core along with all plugins and themes to current versions.” concludes the report. “The remote code rewriting capability means partial cleanup may be insufficient—attackers can reinstall removed code through the backdoor if any component remains active.”
(SecurityAffairs – hacking, malware)