HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Stealthy WordPress Malware Campaign Uses Steam Community Profiles to Hide C2 Payloads, Infecting ~2,000 Sites

A novel WordPress malware family embeds command‑and‑control data inside invisible Unicode characters in Steam Community profile comments, compromising nearly 2,000 sites. The technique evades typical detection, leverages stolen credentials or vulnerable plugins, and installs a backdoor that executes arbitrary PHP code. TPRM teams must reassess WordPress vendor controls and credential hygiene.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

Stealthy WordPress Malware Campaign Uses Steam Community Profiles to Hide C2 Payloads, Infecting ~2,000 Sites

What Happened – Approximately 2,000 WordPress sites were compromised by a malware family that stores its command‑and‑control (C2) data inside invisible Unicode characters embedded in Steam Community profile comments. The hidden payload is decoded by the site‑side loader, builds a malicious JavaScript URL, and installs a backdoor that accepts base64‑encoded PHP code via specially crafted POST requests.

Why It Matters for TPRM

  • The attack leverages third‑party platforms (Steam) to evade traditional network‑based detections, expanding the attack surface of any organization that hosts WordPress sites.
  • Initial infection vectors include stolen admin credentials, compromised FTP/SFTP accounts, vulnerable themes/plugins, and possible supply‑chain compromise, highlighting the need for strong credential hygiene and vendor patch management.
  • The malware’s use of standard WordPress APIs and obfuscation techniques makes it difficult for generic web‑application firewalls to block, raising the risk of prolonged undetected compromise.

Who Is Affected – Media & publishing sites, e‑commerce platforms, SaaS portals, and any organization that relies on WordPress as a content management system or front‑end for customer‑facing applications.

Recommended Actions

  • Conduct an inventory of all WordPress installations and verify they are hosted on vendors with robust security controls (e.g., GoDaddy, AWS, Azure).
  • Rotate all admin and FTP/SFTP credentials; enforce MFA where possible.
  • Apply the latest patches to WordPress core, themes, and plugins; retire unsupported components.
  • Deploy file‑integrity monitoring and outbound‑connection filtering to detect calls to Steam Community URLs or unknown JavaScript sources.
  • Perform a threat‑hunt for the six invisible Unicode characters (U+200C, U+200D, U+2061‑U+2064) in page source and for the “tEcaKKXEsb” authentication cookie.

Technical Notes – The first‑stage loader fetches Steam profile comments, extracts hidden Unicode characters, maps them to binary, and reconstructs a URL (hello‑myworld.info) that serves a malicious JavaScript library masquerading as legitimate assets (e.g., lodash.core.min.js). The final backdoor activates only when the “tEcaKKXEsb” cookie is present, allowing remote execution of arbitrary PHP. Evasion mechanisms include octal/hex string obfuscation, randomized function names, and disabled‑logging code. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →