Stealthy WordPress Malware Campaign Uses Steam Community Profiles to Hide C2 Payloads, Infecting ~2,000 Sites
What Happened – Approximately 2,000 WordPress sites were compromised by a malware family that stores its command‑and‑control (C2) data inside invisible Unicode characters embedded in Steam Community profile comments. The hidden payload is decoded by the site‑side loader, builds a malicious JavaScript URL, and installs a backdoor that accepts base64‑encoded PHP code via specially crafted POST requests.
Why It Matters for TPRM –
- The attack leverages third‑party platforms (Steam) to evade traditional network‑based detections, expanding the attack surface of any organization that hosts WordPress sites.
- Initial infection vectors include stolen admin credentials, compromised FTP/SFTP accounts, vulnerable themes/plugins, and possible supply‑chain compromise, highlighting the need for strong credential hygiene and vendor patch management.
- The malware’s use of standard WordPress APIs and obfuscation techniques makes it difficult for generic web‑application firewalls to block, raising the risk of prolonged undetected compromise.
Who Is Affected – Media & publishing sites, e‑commerce platforms, SaaS portals, and any organization that relies on WordPress as a content management system or front‑end for customer‑facing applications.
Recommended Actions –
- Conduct an inventory of all WordPress installations and verify they are hosted on vendors with robust security controls (e.g., GoDaddy, AWS, Azure).
- Rotate all admin and FTP/SFTP credentials; enforce MFA where possible.
- Apply the latest patches to WordPress core, themes, and plugins; retire unsupported components.
- Deploy file‑integrity monitoring and outbound‑connection filtering to detect calls to Steam Community URLs or unknown JavaScript sources.
- Perform a threat‑hunt for the six invisible Unicode characters (U+200C, U+200D, U+2061‑U+2064) in page source and for the “tEcaKKXEsb” authentication cookie.
Technical Notes – The first‑stage loader fetches Steam profile comments, extracts hidden Unicode characters, maps them to binary, and reconstructs a URL (hello‑myworld.info) that serves a malicious JavaScript library masquerading as legitimate assets (e.g., lodash.core.min.js). The final backdoor activates only when the “tEcaKKXEsb” cookie is present, allowing remote execution of arbitrary PHP. Evasion mechanisms include octal/hex string obfuscation, randomized function names, and disabled‑logging code. Source: BleepingComputer