WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions, Compromising ~1,980 Sites
What Happened — GoDaddy researchers uncovered a WordPress malware campaign that stores encoded command‑and‑control (C2) instructions in public Steam Community profile comments. Infected sites retrieve and decode these comments to receive malicious payloads, with nearly 2,000 WordPress installations identified as compromised.
Why It Matters for TPRM —
- Third‑party web platforms (e.g., WordPress SaaS, managed hosting) can become a covert conduit for threat actors, expanding the attack surface beyond traditional exploits.
- The use of an external, legitimate service (Steam) for C2 makes detection harder for standard security tools, increasing risk of undetected data exfiltration or site takeover.
- Organizations that rely on WordPress‑based vendors must assess whether their supply chain is exposed to this novel abuse technique.
Who Is Affected — Technology & SaaS providers, managed WordPress hosting services, digital agencies, and any downstream customers that consume their web content.
Recommended Actions —
- Conduct a rapid inventory of all WordPress sites within your vendor ecosystem.
- Verify that core, themes, and plugins are up‑to‑date; apply security patches immediately.
- Deploy web‑application firewalls (WAF) with rules to detect outbound requests to Steam domains.
- Review logs for anomalous DNS or HTTP traffic to steamcommunity.com.
- Engage vendors to confirm they have mitigated the malicious code and implemented hardening controls.
Technical Notes — The malware injects a PHP loader that issues HTTP GET requests to Steam profile comment URLs, parses base64‑encoded strings, and executes them as shell commands. No specific CVE is cited; the vector appears to be compromised credentials or vulnerable plugins. Data types at risk include site content, user credentials, and potentially payment information if e‑commerce plugins are present. Source: HackRead