Nearly 2,000 WordPress websites were infected with malware that hides command-and-control data inside Steam Community profile comments, GoDaddy security engineers reported after uncovering the campaign in July 2025.
GoDaddy findings: scope, timeline, and uncertain entry point
GoDaddy's security team traced the campaign to roughly 1,980 infected WordPress sites. The company says the campaign was first discovered in July 2025 but that the exact initial infection vector remains unclear. Researchers list plausible routes consistent with the observed implants: stolen administrator logins, compromised FTP/SFTP credentials, exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.
Steam Community profile comments: the covert C2 channel
The first-stage malware on compromised WordPress pages reaches specific Steam Community profiles and extracts text from seemingly benign comments. Hidden inside that visible text are invisible Unicode characters that the malware decodes into payload data. GoDaddy researchers emphasize that by leveraging Valve's platform the attacker avoids maintaining a separate command-and-control infrastructure and evades traditional detection methods.
Invisible Unicode encoding: six characters, one binary stream
GoDaddy identified six invisible Unicode characters used by the attacker to encode payloads:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Function application (U+2061)
- Invisible times (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
The malware's decoder ignores visible characters, maps each invisible character to a number, converts that sequence into a binary representation, and reconstructs bytes from the binary stream. “This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy writes.
Decoded payload, JavaScript loader, and PHP backdoor
According to the researchers, the decoded payload is used to construct URLs pointing to hello-mywordl[.]info. That domain serves JavaScript code which the compromise injects into every front-end WordPress page. The retrieved JavaScript is disguised using file names such as asahi-jquery-min-bundle and lodash.core.min.js to appear like legitimate libraries.
The campaign's final stage implements a backdoor that responds to specially crafted POST requests carrying a specific authentication cookie. If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via a POST parameter, allowing the attacker to execute code on the server.
Evasion techniques and forensic indicators
GoDaddy details multiple evasion mechanisms the threat actor employs: obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and reliance on standard WordPress APIs so malicious activity blends with routine operations. The researchers also highlight forensic indicators defenders can hunt for:
- References to Steam Community profile URLs in WordPress page loads
- Suspicious external JavaScript injections or outbound connections from WordPress servers to Steam
- Unexpected scripts loading from domains such as hello-mywordl[.]info
- Presence of invisible Unicode characters in comments or content
- Suspicious _transient_caption_ cache entries
- Disabled SSL verification in cURL requests
- POST requests containing the tEcaKKXEsb authentication cookie or a new_code parameter
On remediation, the researchers recommend prioritizing restoration from a known-good backup made before the infection date. If restoration is not possible, they warn that manual cleaning must be thorough because “attackers can reinstall removed code through the backdoor if any component remains active.”
What this means for site owners and hosting providers
Site owners should scan for the listed indicators — especially unexpected external JavaScript and Steam profile references — and verify backups predating the compromise. Hosting providers and managed WordPress services should watch for outbound connections to Steam from customer sites and suspicious cache entries or POST requests bearing the tEcaKKXEsb cookie, as these are direct signs of the chain GoDaddy describes.
The campaign illustrates an operational choice: conceal binary payloads inside otherwise innocuous text on a high-profile platform to avoid running a bespoke C2 domain. What remains open is how initial access is being achieved at scale across nearly 1,980 sites — a detail GoDaddy notes but does not resolve in its report.




