Hackers Are Hiding Malware Commands Inside Steam Game Profiles — 1,980 WordPress Sites Caught
Security researchers at GoDaddy have uncovered a stealthy malware campaign that has infected approximately 1,980 WordPress websites worldwide — and it communicates with attackers by reading comments on public Steam gaming profiles, hiding instructions inside invisible Unicode characters that no human eye can detect.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
GoDaddy Researchers Uncover a Novel WordPress Malware Campaign
In early June 2026, GoDaddy's security engineering team published detailed findings on a malware campaign that had been quietly operating since at least July 2025. Their researchers discovered that approximately 1,980 WordPress websites were infected with malicious code — code that communicates with its operators not through a dedicated server or darknet host, but through comments on public Steam Community gaming profiles.
The campaign is notable less for its scale than for its method. Most WordPress malware uses either a hard-coded command-and-control (C2) IP address or a domain registered specifically for malicious use. Security teams can block those. This campaign uses Valve's Steam platform — one of the most visited gaming services on the internet — to deliver instructions, blending malicious traffic into what looks like ordinary visits to a legitimate, globally trusted website.
According to GoDaddy's published analysis, the malware hides its C2 payload inside Steam profile comments using Unicode steganography: six invisible Unicode characters that render as nothing in any browser or standard text editor but carry binary data that reassembles into functional malicious instructions. The campaign also deploys a server-side PHP backdoor, meaning attackers retain persistent access to infected sites even after partial cleanup attempts.
The initial infection vector has not been definitively identified. GoDaddy's researchers assess the most likely entry points as stolen WordPress administrator credentials, compromised FTP or SFTP access credentials, exploitation of a vulnerable plugin or theme, or a supply-chain compromise of a plugin itself. The campaign's longevity — running covertly for nearly a year before broad public disclosure — indicates either significant operational security on the part of the threat actors or, more likely, that most site owners simply had no detection mechanism in place to catch it.
Security reporting on this campaign has been corroborated by BleepingComputer, SecurityAffairs, and TechRadar, each independently confirming the 1,980-site figure and the Steam-based C2 mechanism from GoDaddy's primary research.
Why This Campaign Is Directly Relevant to Australian Small Businesses
WordPress powers approximately 43% of all websites globally. Among Australian small businesses, the figure is likely higher — WordPress is the dominant content management platform for SMBs that need a flexible, cost-effective web presence without employing a full-time developer. Any WordPress malware campaign operating at scale is, by statistical default, affecting a significant number of Australian sites.
The campaign's longevity amplifies this concern. From July 2025 to June 2026, approximately 1,980 sites carried active malware with persistent backdoor access while their owners remained unaware. For an Australian small business, the downstream consequences of a compromised website extend well beyond a defaced homepage.
Under the Notifiable Data Breaches (NDB) scheme administered by the Office of the Australian Information Commissioner (OAIC), if a compromised WordPress site has processed customer data — bookings, contact form submissions, WooCommerce purchases — the business may have mandatory reporting obligations once it becomes aware of the breach. The Privacy Act 1988 imposes civil penalties for failure to notify. A backdoored site that has been quietly collecting or exfiltrating data for months creates a compliance exposure that most SMB owners do not anticipate when they discover the infection.
Beyond compliance, a compromised site can be used to redirect visitors to phishing pages, inject card-skimming scripts into WooCommerce checkout flows, distribute malware to site visitors, or host content for black-hat SEO purposes that silently destroys the site's search rankings over time. The server-side backdoor documented by GoDaddy allows attackers to rewrite plugin and theme files at will — meaning an attacker with persistent access could deploy any of these secondary payloads at any point after initial compromise.
The Australian Signals Directorate's Annual Cyber Threat Report 2024–2025 recorded a cyberattack occurring every six minutes against Australian businesses, with small businesses accounting for a disproportionate share of incidents. The ASD's ACSC recommends "patch applications" and "restrict administrative privileges" as two of the eight core mitigations in the Essential Eight framework — both directly relevant to how campaigns like this one gain and maintain access. Site owners who have not applied recent WordPress updates, or who use the same credentials across multiple services, remain at elevated risk.
How the Malware Works: Invisible Text, AES Encryption, and a Persistent Backdoor
GoDaddy's researchers describe a two-stage payload architecture designed to provide both immediate visitor impact and long-term persistent server access. Understanding the mechanics helps site owners know exactly what to look for during a manual inspection.
Stage 1: JavaScript Injection and Steam Profile Polling
The malware injects a malicious JavaScript snippet into the front end of the compromised WordPress site. When any visitor loads a page, this script fetches a specific Steam Community profile and reads its comment section. To a casual observer — or a security scanner expecting conventional indicators — those comments appear to be ordinary text.
The actual C2 payload is concealed using Unicode steganography. GoDaddy's analysis identified six invisible Unicode characters used as the encoding alphabet:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Function application (U+2061)
- Invisible times (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
These characters are invisible in any browser or standard text editor. The malware maps each character to a number, converts the sequence to binary, and reassembles it into a functional payload. The payload may optionally be protected with AES-256-CTR encryption using PBKDF2 key derivation and HMAC authentication — cryptographic standards identical to those used in legitimate security software, repurposed here to conceal malicious instructions from traffic inspection tools.
The result is a C2 channel that routes entirely through Steam's infrastructure. DNS blocklists won't flag Steam. Threat intelligence feeds don't mark Valve's servers as malicious. Standard web application firewall rules targeting obvious command-and-control domains won't catch outbound connections to store.steampowered.com or steamcommunity.com. The attacker has effectively borrowed the trust of one of the internet's most recognised platforms.
Stage 2: The Server-Side Backdoor
The second component is a PHP backdoor planted in a WordPress plugin or theme file on the compromised server. This backdoor authenticates via a specific HTTP cookie, and researchers identified two cookie names associated with this campaign: DEpjndDbNc and tEcaKKXEsb.
An attacker sends a POST request to the compromised site containing a base64-encoded PHP payload in a parameter named new_code. The backdoor decodes and executes that payload directly on the server, enabling arbitrary code execution without any further authentication. This allows attackers to modify plugin and theme files, exfiltrate the WordPress database, create new administrator accounts, or redirect the site entirely.
GoDaddy's researchers explicitly warn that this two-stage design makes partial cleanup ineffective: "Attackers can reinstall removed code through the backdoor if any component remains active." Removing the injected JavaScript without also finding and removing the PHP backdoor — or vice versa — leaves the attacker with an active re-infection path.
A secondary delivery domain identified in the campaign is hello-mywordl[.]info, which appears in loaded scripts on some compromised sites and should be treated as an indicator of compromise if found in server access logs or Content Security Policy violation reports.
How to Detect and Remove This Malware from Your WordPress Site
GoDaddy's research provides specific, actionable indicators that Australian site owners can check today. The following checklist covers both automated and manual detection paths.
File System Indicators
Search PHP files in the wp-content/plugins and wp-content/themes directories for invisible Unicode character sequences. Because these characters don't render visibly, you'll need a tool that can inspect raw byte values — or search for the specific Unicode code points U+200C, U+200D, U+2061, U+2062, U+2063, or U+2064 in file contents.
Also look for cryptographic function calls — specifically hash_pbkdf2 and openssl_decrypt with aes-256-ctr mode — appearing in plugin or theme files where they have no legitimate business. No standard WordPress plugin uses these constructs in the way this malware does.
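As an added example (not code from GoDaddy's report or from this article), the following Python scanner implements the file-system checks just described: it walks a plugins/themes tree looking for runs of the six invisible code points and for hash_pbkdf2 / openssl_decrypt calls using aes-256-ctr. The sample PHP is constructed, and the run-length threshold and the digit mapping are assumptions for readability, not the malware's actual encoding scheme.

```python
import re
from pathlib import Path

# The six invisible code points GoDaddy identified as the encoding alphabet.
INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"
# Assumption: a run of 8 or more of these characters has no place in legitimate PHP.
RUN_RE = re.compile(f"[{INVISIBLE}]{{8,}}")
# PBKDF2 key derivation or AES-256-CTR decryption inside a plugin/theme file.
CRYPTO_RE = re.compile(
    r"hash_pbkdf2|openssl_decrypt\s*\([^)]*aes-256-ctr", re.IGNORECASE | re.DOTALL
)

def scan_text(text: str) -> list[dict]:
    """Return findings for one file's contents: invisible-character runs first, then crypto calls."""
    findings = []
    for m in RUN_RE.finditer(text):
        # Map each invisible character to its index in the alphabet (0..5). A digit
        # string is easier to inspect and to compare across files than raw zero-width text.
        digits = "".join(str(INVISIBLE.index(c)) for c in m.group())
        findings.append({"type": "invisible_run", "offset": m.start(),
                         "length": len(digits), "digits": digits[:32]})
    for m in CRYPTO_RE.finditer(text):
        findings.append({"type": "crypto_call", "offset": m.start(), "match": m.group()[:40]})
    return findings

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file under root (e.g. wp-content/plugins) and keep only files with hits."""
    results = {}
    for path in root.rglob("*.php"):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample, not a file taken from a compromised site.
SAMPLE_PHP = (
    "<?php\n"
    "$k = hash_pbkdf2('sha256', $p, $s, 1000);\n"
    "$d = openssl_decrypt($c, 'aes-256-ctr', $k);\n"
    "$x = '" + INVISIBLE * 3 + "';\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PHP):
        print(finding)
```

Point scan_tree at wp-content/plugins and wp-content/themes on a copy of the site; a hit in either category warrants manual review of the file rather than automatic deletion.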
Network and Log Indicators
Review your server's access logs for the following patterns:
- Outbound connections from your WordPress server to Steam Community URLs (steamcommunity.com)
- POST requests containing the cookie names DEpjndDbNc or tEcaKKXEsb
- POST requests with a parameter named new_code, a direct indicator of backdoor usage
- Any reference to the domain hello-mywordl[.]info in loaded scripts or server logs
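Added example, not part of GoDaddy's research or this article: a small triage script that applies the log indicators above to constructed access-log lines. It assumes the log format appends the Cookie header as a final quoted field (as an Apache LogFormat ending in "%{Cookie}i" would); the sample lines and addresses are constructed.

```python
import re

# Indicators named in GoDaddy's research, as reported above.
BACKDOOR_COOKIES = ("DEpjndDbNc", "tEcaKKXEsb")
DELIVERY_DOMAIN = "hello-mywordl.info"   # written hello-mywordl[.]info in the report
STEAM_HOSTS = ("steamcommunity.com", "store.steampowered.com")

# Assumed format: combined log plus the Cookie header as an optional trailing quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

def classify(line: str) -> list[str]:
    """Return the indicator tags matching one log line; an empty list means nothing suspicious."""
    m = LINE_RE.match(line)
    if not m:
        return []
    tags = []
    cookie = m.group("cookie") or ""
    # The backdoor authenticates by cookie, so any request carrying one is worth a look.
    if any(c in cookie for c in BACKDOOR_COOKIES):
        tags.append("backdoor-cookie")
    # new_code normally travels in the POST body; it is visible here only if sent as a
    # query parameter or if a WAF/body-logging module records it.
    if m.group("method") == "POST" and "new_code=" in m.group("path"):
        tags.append("backdoor-param")
    if DELIVERY_DOMAIN in line:
        tags.append("delivery-domain")
    if any(h in line for h in STEAM_HOSTS):
        tags.append("steam-reference")
    return tags

def triage(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, tags) for every flagged line in a log file's text."""
    return [(n, t) for n, l in enumerate(log_text.splitlines(), 1) if (t := classify(l))]

# Constructed sample log; IPs are documentation ranges, not real visitors.
LOG = """\
203.0.113.7 - - [12/Jun/2026:10:01:02 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wordpress_test_cookie=WP+Cookie+check"
198.51.100.9 - - [12/Jun/2026:10:02:15 +1000] "POST /wp-content/plugins/example/helper.php HTTP/1.1" 200 31 "-" "curl/8.0" "DEpjndDbNc=1"
198.51.100.9 - - [12/Jun/2026:10:02:16 +1000] "POST /wp-content/themes/t/f.php?new_code=UEhQ HTTP/1.1" 200 31 "-" "curl/8.0" "tEcaKKXEsb=1"
203.0.113.8 - - [12/Jun/2026:10:03:40 +1000] "GET /wp-includes/js/x.js HTTP/1.1" 200 900 "https://hello-mywordl.info/l.js" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    for n, tags in triage(LOG):
        print(n, tags)
```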
Database Indicators
Check for suspicious _transient_caption_ cache entries in the WordPress options table, and for invisible Unicode characters stored in the database — attackers sometimes stage payload components in the transients table to survive file-level cleanup.
Cleanup Process
GoDaddy recommends restoring from a known-clean backup taken before July 2025 as the cleanest remediation path. If no such backup exists, manual cleanup requires removing all backdoor files, rotating all credentials (WordPress admin accounts, database passwords, FTP/SFTP access, hosting control panel logins, and SSH keys), and reviewing server logs for evidence of backdoor usage before declaring the site clean.
For site owners not confident performing a manual forensic cleanup, a professional website security service is a practical alternative. Sucuri's website security platform offers automated malware scanning, professional malware removal, and a web application firewall (WAF) that can block the kind of unusual outbound connections this campaign relies on. Sucuri's SiteCheck scanner can detect injected JavaScript and known backdoor patterns as part of a routine scan schedule — the kind of continuous monitoring that would flag this campaign earlier in its lifecycle rather than after months of silent operation.
Running a malware scan only after a suspected compromise is a reactive posture. For an Australian small business with customer data flowing through WordPress, scheduling automated weekly scans is closer to the standard of care the OAIC would expect under the Notifiable Data Breaches framework.
Building a Defence Stack That Catches What Signatures Miss
The Steam C2 WordPress malware campaign illustrates a pattern that will appear with increasing frequency: sophisticated threat actors routing malicious traffic through legitimate, trusted platforms to evade conventional detection. DNS blocklists won't catch Steam. Threat intelligence feeds won't flag Valve's servers. Signature-based malware scanners relying on known malicious domains or IP ranges will miss a campaign that encodes its payload in invisible Unicode characters embedded in gaming profile comments.
For Australian SMBs managing WordPress sites, defence needs to operate across several independent layers.
Update Discipline Is Non-Negotiable
The ACSC's Essential Eight rates "patch applications" as a core mitigation. For WordPress, this means applying updates to core, themes, and all plugins within 48 hours of release — not waiting for the monthly maintenance window. The most common initial infection vectors for campaigns of this type are credentials obtained through phishing or credential-stuffing attacks, and vulnerable plugins or themes that haven't been patched. Most exploited WordPress vulnerabilities have patches available before exploitation begins; the window of exposure is a maintenance decision, not an unavoidable risk.
Restrict Administrator Privileges
The WordPress dashboard should not be accessible from the public internet without additional controls. Restricting wp-admin access by IP allowlist, adding HTTP authentication at the server level, or requiring VPN access for administrative logins significantly reduces the attack surface. The ASD's Essential Eight specifically recommends restricting administrative privileges as a separate mitigation — it limits what an attacker can do even after obtaining valid credentials.
File Integrity Monitoring
Deploying a file integrity monitoring tool at the server level means any modification to a plugin or theme file generates an alert, regardless of whether that modification came through the WordPress admin interface, a compromised plugin update, or a backdoor POST request. This is the class of detection that would catch the Stage 2 backdoor of this campaign in near-real time, rather than months later.
Web Application Firewall with Outbound Inspection
A web application firewall positioned in front of a WordPress site can inspect both inbound and outbound traffic. The Steam C2 campaign's client-side JavaScript makes outbound connections to Steam Community URLs that are atypical for a normal WordPress site. A WAF configured to flag or block unusual outbound connection patterns — or one with specific rules for known malware campaign indicators — would interrupt the C2 communication channel even if the initial infection was not prevented.
Sucuri's platform combines WAF protection, continuous malware scanning, and incident response in a single managed service — a practical fit for SMBs without a dedicated security team. The WAF component specifically addresses the outbound communication pattern this campaign relies on, and the scanning layer monitors for the file-level backdoor indicators GoDaddy documented.
The broader lesson from this campaign is that the WordPress threat landscape has matured beyond opportunistic plugin exploits into more deliberate, multi-stage operations. Threat actors are investing in evasion — using trusted platforms, invisible encoding, and encrypted communications to extend their access window. Australian site owners who treat website security as a one-off configuration task rather than a continuous operational practice are increasingly exposed to campaigns designed specifically to survive that assumption.