WordPress Malware Hides C2 Instructions in Steam Profile Comments, Evading Detection
What Happened — A newly identified WordPress malware family retrieves its command‑and‑control (C2) instructions from public Steam profile comment threads. By parsing innocuous‑looking Steam comments, the payload obtains encrypted commands, allowing it to operate under the radar of conventional web‑filtering and endpoint tools. The technique has been observed across multiple compromised WordPress sites in the wild.
Why It Matters for TPRM —
- Managed WordPress hosting providers may inadvertently expose client sites to this stealthy malware.
- Leveraging a mainstream gaming platform for C2 defeats many network‑based detection signatures.
- Organizations that depend on WordPress‑driven SaaS applications face heightened risk of data loss, defacement, or lateral movement.
Who Is Affected — SaaS platforms, managed WordPress hosting services, e‑commerce sites, media outlets, and any enterprise that integrates WordPress as a content layer.
Recommended Actions — Conduct a full inventory of WordPress instances, scan for the malicious code pattern, enforce outbound traffic restrictions to Steam domains, apply the latest WordPress core and plugin updates, and deploy a WAF rule to block suspicious comment‑fetch requests.
Technical Notes — The malware uses WordPress’s wp_remote_get() function to request Steam profile comment pages, extracts hidden markers, decodes base64‑encoded commands, and executes them on the compromised host. No CVE is associated; the attack exploits legitimate API calls rather than a software flaw. Exfiltrated data may include site content, user credentials, and uploaded files. Source: HackRead