Multi-stage WordPress infection abusing Steam Community C2

CyberSecureFox Editorial Team

According to GoDaddy researchers, around 1,980 WordPress-based sites have been infected with multi-stage malware that uses Steam Community profiles as a command-and-control channel. The malware hides payload URLs in comment text using steganography built on invisible Unicode characters and, in its final stage, deploys a full server-side backdoor with remote PHP code execution. The campaign has reportedly been active since at least July 2025. WordPress site owners are advised to check their server logs now for outbound connections to Steam Community and to the hello-mywordl[.]info domain.

Attack chain: from invisible characters to remote code execution

The initial compromise vector has not yet been established. The researchers suggest several possible scenarios: theft of administrator or FTP/SFTP credentials, a supply-chain compromise, or exploitation of vulnerable WordPress themes and plugins. Because no vector has been confirmed, none of the standard measures can be skipped: updating plugins and themes, rotating passwords and keys, and restricting administrative access all remain relevant at once.

After gaining access, the attackers implant the first component of the malware: server-side code that, as pages are served, reaches out to specific Steam Community profiles. The request is made by the server rather than by the visitor's browser, which is why it shows up in the site's outbound traffic. The key feature of the campaign is the way control data is transmitted: comments on the Steam profiles look like ordinary text but contain invisible Unicode characters that carry the encoded payload.

Six steganography characters

To encode data, the attackers use six specific Unicode characters:

  • U+200C — Zero-width non-joiner
  • U+200D — Zero-width joiner
  • U+2061 — Function application
  • U+2062 — Invisible times
  • U+2063 — Invisible separator
  • U+2064 — Invisible plus

The malware ignores the visible text of the comment entirely and processes only these six characters, converting their sequence into binary data. With a six-symbol alphabet the theoretical capacity is log₂6 ≈ 2.58 bits per character; any practical fixed-width packing carries somewhat less, but either way a few hundred invisible characters are enough to carry a URL or a short command while the comment still reads as harmless text to anyone viewing the Steam profile. The exact mapping the malware uses is not described in the published research.
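The following Python script, added here as an illustration and not taken from the GoDaddy report or from the malware, shows how such a carrier works from the defender's side: it finds runs of the six characters in a comment, strips them to recover the visible cover text, and decodes them. The digit mapping (the six characters in code-point order as base-6 digits 0 to 5) and the packing (four digits per byte, since 6⁴ = 1296 ≥ 256) are assumptions made for the example; the real campaign's encoding is not published. The sample comment and hidden string are constructed.

```python
"""Detector/decoder for six-character invisible-Unicode steganography.

Added example for this article; not code from the GoDaddy report or the
malware. The digit mapping and 4-digits-per-byte packing are ASSUMPTIONS
for illustration: the article does not publish the campaign's real encoding.
"""
import re

# The six characters the article lists, in code-point order.
INVISIBLE = "\u200c\u200d\u2061\u2062\u2063\u2064"
DIGIT = {ch: i for i, ch in enumerate(INVISIBLE)}  # assumed digit mapping
RUN_RE = re.compile("[" + INVISIBLE + "]+")
DIGITS_PER_BYTE = 4  # 6**4 = 1296 >= 256, so four base-6 digits hold one byte


def visible_text(text: str) -> str:
    """What a human sees: the comment with the carrier characters removed."""
    return RUN_RE.sub("", text)


def find_invisible_runs(text: str, min_len: int = 4) -> list[tuple[int, int]]:
    """(offset, length) of every run of carrier characters at least min_len long.

    Short runs are skipped on purpose: U+200C/U+200D occur legitimately in
    Persian and Arabic text and in emoji sequences, so one alone is no indicator.
    """
    return [(m.start(), m.end() - m.start())
            for m in RUN_RE.finditer(text)
            if m.end() - m.start() >= min_len]


def encode_bytes(payload: bytes) -> str:
    """Assumed scheme: each byte becomes four base-6 digits, most significant first."""
    out = []
    for b in payload:
        digits = []
        for _ in range(DIGITS_PER_BYTE):
            digits.append(INVISIBLE[b % 6])
            b //= 6
        out.extend(reversed(digits))
    return "".join(out)


def decode_run(run: str) -> bytes:
    """Inverse of encode_bytes; visible characters inside the run are ignored."""
    digits = [DIGIT[c] for c in run if c in DIGIT]
    if len(digits) % DIGITS_PER_BYTE:
        raise ValueError("run is not a whole number of bytes")
    out = bytearray()
    for i in range(0, len(digits), DIGITS_PER_BYTE):
        value = 0
        for d in digits[i:i + DIGITS_PER_BYTE]:
            value = value * 6 + d
        if value > 0xFF:
            raise ValueError("digit group out of byte range")
        out.append(value)
    return bytes(out)


def extract_payloads(text: str, min_len: int = 4) -> list[bytes]:
    """Decode every qualifying run found in a comment."""
    return [decode_run(text[off:off + ln])
            for off, ln in find_invisible_runs(text, min_len)]


# Constructed sample: a Steam-style comment with a defanged URL hidden inside it.
COVER_TEXT = "gg wp, great match last night!"
HIDDEN = b"hxxp://hello-mywordl[.]info/"
SAMPLE_COMMENT = COVER_TEXT[:6] + encode_bytes(HIDDEN) + COVER_TEXT[6:]

if __name__ == "__main__":
    print("visible :", repr(visible_text(SAMPLE_COMMENT)))
    print("runs    :", find_invisible_runs(SAMPLE_COMMENT))
    print("payloads:", extract_payloads(SAMPLE_COMMENT))
```

Under this packing each byte costs four carrier characters, i.e. 2 bits per character, below the 2.58-bit theoretical ceiling quoted above; the 28-byte hidden string above therefore needs 112 invisible characters, which is still nothing a viewer of the profile would notice. The `min_len` threshold is what keeps the detector from flagging ordinary zero-width joiners in legitimate text.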

After decoding, the malware extracts the hello-mywordl[.]info domain address, from which it downloads JavaScript code. This script is injected into all pages of the infected site. To evade detection, it uses file names that mimic legitimate libraries: asahi-jquery-min-bundle and lodash.core.min.js.

Server-side backdoor

In the final stage, a backdoor is deployed on the server that waits for specially crafted POST requests. It activates only when a specific authentication cookie is present; without the cookie it stays silent, so external probing or a crawler-based scan will not trigger it, and detection has to rely on inspecting files and the database. Once authenticated, the attackers can submit Base64-encoded PHP code, which the backdoor decodes and executes. In practice this gives them full control over the server.

Evasion techniques

The campaign showcases a well-thought-out set of cloaking methods. According to GoDaddy researchers, the malware uses string obfuscation via hexadecimal and octal sequences, randomly generated function names, and extensive use of standard WordPress APIs. The latter technique is particularly effective: malicious activity is blended with legitimate WordPress calls, making it almost indistinguishable from normal CMS operation when analyzing logs without specialized tools.

The choice of Steam Community as control infrastructure adds another layer of obfuscation. Traffic to Steam does not raise suspicion in most filtering systems, and the platform itself is not directly controlled by the attackers, which complicates blocking on the defender’s side. At the same time, the attackers can quickly change the content of comments, updating payload URLs without needing to regain access to infected sites.

Impact assessment

The figure of roughly 1,980 infected sites comes from a single vantage point (GoDaddy's), so the true count may be higher, but even on its own it points to a large-scale automated campaign. WordPress powers more than 40% of all websites, so infected resources can belong to a wide range of sectors, from small businesses to media and e-commerce. The presence of a full-featured backdoor with remote code execution means compromised servers can be used for further attacks: hosting phishing pages, redirecting visitors to malicious resources, stealing data from WordPress databases, or using the server as a traffic proxy.

Indicators of compromise and recommendations

To detect an infection, the following indicators should be checked:

  • Outgoing requests to Steam Community domains (steamcommunity.com) originating from server-side scripts rather than from visitors' browsers
  • Connections to the hello-mywordl[.]info domain
  • Suspicious JavaScript files with names mimicking popular libraries (asahi-jquery-min-bundle, lodash.core.min.js); note that lodash.core.min.js is also a genuine lodash build name, so check where the file came from
  • Invisible Unicode characters (U+200C, U+200D, U+2061–U+2064) inside PHP or JavaScript code; single zero-width joiners in content or translation files are normal for some scripts and emoji, runs of them in code are not
  • Unusual _transient_caption_ entries in the wp_options table of the WordPress database
  • cURL calls with certificate verification disabled (for example CURLOPT_SSL_VERIFYPEER set to false)
  • POST requests carrying a new_code parameter; standard access logs do not record POST bodies, so this is visible mainly in WAF or request-body logs, or in the query string

Practical response steps:

  1. Check server and outbound proxy logs for the listed indicators using grep or similar tools
  2. Search for invisible Unicode characters in theme and plugin files: grep -rlP '[\x{200C}\x{200D}\x{2061}-\x{2064}]' /path/to/wordpress/ (run under a UTF-8 locale, e.g. LC_ALL=C.UTF-8, otherwise the \x{...} code points will not match; -l lists only the file names)
  3. Change all administrative passwords and FTP/SFTP access keys
  4. Update WordPress, all plugins, and themes to the latest versions
  5. If an infection is found, restore files from a known-clean backup rather than trying to “clean out” the malware manually
  6. Block outbound connections to hello-mywordl[.]info at the egress firewall or outbound proxy (a WAF only filters inbound requests)
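To run the indicator checks above against a whole install in one pass, here is an added Python scanner (not GoDaddy's tooling, and written in Python rather than as the grep commands in the steps). The regular expressions are assumptions about how each indicator appears on disk or in a log line, derived from the list above; the "infected" PHP fragment, the clean file and the log line are constructed samples, not captured malware, and the fragment contains only the tell-tale strings, not a working backdoor.

```python
"""File and log scanner for the indicators listed above.

Added example; not GoDaddy's tooling. The regexes are assumptions derived
from the article's indicator list; the samples below are constructed.
"""
import os
import re
import tempfile

# Four or more consecutive carrier characters; single U+200C/U+200D are common
# in legitimate Persian/Arabic text and emoji sequences.
INVISIBLE_RE = re.compile("[\u200c\u200d\u2061-\u2064]{4,}")

INDICATORS = [
    ("steam_c2", re.compile(r"steamcommunity\.com", re.I)),
    ("payload_domain", re.compile(r"hello-mywordl(?:\[\.\]|\.)info", re.I)),
    # lodash.core.min.js is also a genuine lodash build; a hit needs a manual look.
    ("fake_library_name", re.compile(r"asahi-jquery-min-bundle|lodash\.core\.min\.js")),
    ("transient_caption", re.compile(r"_transient_caption_")),
    # PHP cURL with peer or host verification switched off.
    ("curl_no_verify", re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b", re.I)),
    # new_code read from $_POST in code, or present in a request line / query string.
    ("new_code_param", re.compile(r"\$_POST\s*\[\s*['\"]new_code['\"]\s*\]|[?&]new_code=")),
    # Long \xNN or \NNN escape runs: the hex/octal string obfuscation described above.
    ("hex_octal_strings", re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:\\[0-7]{3}){8,}", re.I)),
]


def scan_text(text: str) -> list[str]:
    """Names of the indicators that match a blob of text (file body or log lines)."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if INVISIBLE_RE.search(text):
        hits.append("invisible_unicode_run")
    return hits


def scan_tree(root: str, exts=(".php", ".js", ".html", ".htaccess")) -> dict[str, list[str]]:
    """Walk a WordPress install and return {path: [indicators]} for files with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed samples: tell-tale strings only, not a working backdoor.
SAMPLE_INFECTED = (
    "<?php\n"
    "$host = 'steamcommunity.com';\n"
    "curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);\n"
    "if (isset($_POST['new_code'])) { /* constructed sample, no body */ }\n"
)
SAMPLE_CLEAN = "<?php\nwp_enqueue_script('jquery');\n"
SAMPLE_LOG_LINE = ('203.0.113.5 - - [01/Jan/2026:00:00:00 +0000] '
                   '"POST /wp-admin/admin-post.php?new_code=1 HTTP/1.1" 200 12')


def demo() -> dict[str, list[str]]:
    """Write the samples into a temporary tree, scan it, return relative paths with hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("wp-content/plugins/x/loader.php", SAMPLE_INFECTED),
                          ("wp-includes/clean.php", SAMPLE_CLEAN)):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h
                for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
    print("log line:", scan_text(SAMPLE_LOG_LINE))
```

Point `scan_tree()` at the real document root instead of the temporary tree to use it on a live install; treat every hit as a lead for manual review rather than proof of infection, since the library name and the hex-escape heuristic can both fire on legitimate minified code.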

Given that the initial attack vector has not been established and the backdoor provides full remote control over the server, WordPress site owners should prioritize checking for the listed indicators of compromise. Pay particular attention to JavaScript files with atypical names and outgoing connections to Steam Community from the server environment: these signs most reliably distinguish this campaign from other WordPress malware.
