WordPress malware campaign hides payloads in Steam profiles
Author: www.bleepingcomputer.com | 2026-6-1 17:15:37


Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.

The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve's platform, the attacker avoids maintaining a separate C2 infrastructure and evades traditional detection methods.

Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.


It is unclear how the hackers breach the websites, but researchers assess that the initial infection vector ranges from stolen admin logins or compromised FTP/SFTP credentials to the exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.

The first-stage malware planted on a website uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments.

However, the comment text, sometimes disguised as ASCII art, contains hidden Unicode characters that conceal the malicious payload.

[Figure: Malicious Steam comment. Source: GoDaddy]

GoDaddy researchers note in a report that the threat actor uses six invisible Unicode characters for the encoded payload:

  • Zero-width non-joiner (U+200C)
  • Zero-width joiner (U+200D)
  • Function application (U+2061)
  • Invisible times (U+2062)
  • Invisible separator (U+2063)
  • Invisible plus (U+2064)

The decoder discards every visible character, maps each of the invisible ones to a corresponding number, converts those numbers to their binary representation, and reconstructs bytes from the resulting bit stream.

“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy says.
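As an added example (not GoDaddy's or the article's code), the Python scan below mirrors the decoder's first step, discarding visible characters and keeping only the six carrier code points, and flags comment or cache text whose carrier density normal emoji or script use does not explain. The 32-carrier threshold, the ASCII-art sample and the benign control are assumptions constructed for the demo; the symbol-to-number mapping is not published in the article, so the stream is extracted for an analyst but not decoded.

```python
from collections import Counter

# The six invisible code points GoDaddy reports the campaign uses as payload carriers.
CARRIERS = "\u200c\u200d\u2061\u2062\u2063\u2064"
CARRIER_NAMES = {
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
}

def strip_to_carrier_stream(text: str) -> str:
    """Keep only the carrier characters, in order: the decoder's first step.
    The symbol-to-number mapping is unpublished, so decoding stops here."""
    return "".join(ch for ch in text if ch in CARRIER_NAMES)

def scan_for_invisible_payload(text: str, min_carriers: int = 32) -> dict:
    """Count carriers and flag text whose density is not explained by normal use.
    ZWJ/ZWNJ occur legitimately in emoji sequences and some scripts, so a few are
    fine; dozens, or any U+2061..U+2064 in a user comment, is the indicator."""
    stream = strip_to_carrier_stream(text)
    counts = Counter(stream)
    math_layout = sum(counts[c] for c in "\u2061\u2062\u2063\u2064")
    return {
        "carrier_count": len(stream),
        "math_layout_count": math_layout,
        "by_name": {CARRIER_NAMES[c]: n for c, n in counts.items()},
        "suspicious": len(stream) >= min_carriers or math_layout > 0,
    }

def _build_sample_comment() -> str:
    # Constructed sample: a harmless-looking ASCII-art comment with 48 carrier
    # characters interleaved after each visible character (remainder appended).
    art = " (\\__/)\n (='.'=) gg ez\n (\")_(\")"
    hidden = CARRIERS * 8
    out = []
    for i, ch in enumerate(art):
        out.append(ch)
        if i < len(hidden):
            out.append(hidden[i])
    out.append(hidden[len(art):])
    return "".join(out)

SAMPLE_COMMENT = _build_sample_comment()
# Constructed benign control: a family emoji legitimately contains two ZWJs.
BENIGN_COMMENT = "\U0001F468\u200d\U0001F469\u200d\U0001F467 nice profile, thanks for the trade!"
```

Run the same scan over WordPress option and transient rows as well as post content; the carrier stream it returns is what an analyst would hand to a decoder once the mapping is recovered from the first-stage PHP.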

According to the researchers, the decoded payload is used to build a hello-mywordl[.]info URL serving JavaScript code that is injected into every frontend WordPress page.

Based on the file names (e.g., asahi-jquery-min-bundle and lodash.core.min.js), the retrieved malware is disguised as a legitimate JavaScript library.

The final stage of the attack installs a backdoor that responds to specially crafted POST requests carrying a specific authentication cookie. "If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via POST parameter," the researchers explain.

[Figure: POST request with the right cookie. Source: GoDaddy]

GoDaddy describes several evasion mechanisms employed by the malware, including obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and the use of standard WordPress APIs, allowing it to blend with normal activity.

Site owners can defend by checking for references to Steam Community URLs, suspicious external JavaScript injections, outbound connections from WordPress servers to Steam, and unexpected scripts loading from domains such as hello-mywordl[.]info.

Other indicators include invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware's authentication cookies or the new_code parameter.

The researchers recommend that security teams prioritize restoring from a known good backup before the infection date. If this is not possible, the manual cleaning process should be thorough because "attackers can reinstall removed code through the backdoor if any component remains active."



Article source: https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/