• Steam Community Profiles abused as C2 network in new WordPress ma

    From TechnologyDaily@1337:1/100 to All on Wednesday, June 03, 2026 15:00:34
    Steam Community Profiles abused as C2 network in new WordPress malware infection campaign

    Date:
    Wed, 03 Jun 2026 12:18:13 +0000

    Description:
    A new cheeky malware campaign abuses the comment section as a roadsign to malware

    FULL STORY ======================================================================
    - Malware hides payload in Steam Community comments
    - WordPress sites used to host backdoors
    - Nearly 2,000 sites compromised since July

    Security researchers from GoDaddy found a cheeky new malware campaign that used comments made by Steam Community accounts as command-and-control (C2) infrastructure.

    Here is how the attack plays out: The attackers first find WordPress websites that are vulnerable or protected by weak credentials, and use them to host PHP malware somewhere in the site's files. For example, the sample was found in a theme's functions.php file. This malware contains both a JavaScript injection component and a server-side backdoor. Then, whenever a visitor loads the infected website, the malware contacts one of several Steam Community profiles and downloads the contents of profile comments. On the surface, these comments look harmless (albeit incoherent), but they also contain invisible Unicode characters which carry the actual payload.

    "This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload," GoDaddy said.

    The malware then extracts the characters, converts them into binary data, and reconstructs the original bytes. The researchers found that this recovered data contains a URL controlled by the attackers, which points to a domain hosting a JavaScript file spoofing a legitimate library.

    The malware then uses WordPress to load the attacker-controlled JavaScript on every frontend page, which the visitors' browsers then download and run, infecting themselves in the process.

    In the campaign, there are two sets of targets - vulnerable WordPress websites, and their visitors. Since uncovering the campaign in July last year, GoDaddy said it found almost 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.

    If you run a WordPress website, GoDaddy recommends checking for references to Steam Community URLs, external JavaScript injections, and outbound connections from WordPress to Steam.
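
    One way to run the first of those checks, plus a test for comment text padded with invisible Unicode characters. This is an added example, not code from GoDaddy or the article. The set of characters treated as invisible and both thresholds are assumptions, since the article does not say which characters the campaign uses.

```python
import re
import unicodedata
from pathlib import Path

# Indicator from the article: WordPress PHP that references Steam Community.
STEAM_REF = re.compile(r"steamcommunity\.com", re.IGNORECASE)


def is_invisible(ch):
    """True for code points that render as nothing: Unicode format
    characters (category Cf: zero-width space/joiners, tag characters,
    BOM) and variation selectors. This set is an assumption."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or 0xFE00 <= cp <= 0xFE0F
            or 0xE0100 <= cp <= 0xE01EF)


def hidden_payload_suspected(text, min_count=16, min_ratio=0.2):
    """Flag text where invisible characters are both numerous and a large
    share of the string. Thresholds are assumed starting points: ordinary
    text carries at most a handful (emoji joiners, a stray BOM)."""
    hidden = sum(1 for ch in text if is_invisible(ch))
    return hidden >= min_count and hidden / max(len(text), 1) >= min_ratio


def find_steam_references(root):
    """Return (relative path, line number, line) for every line in a .php
    file under root that mentions steamcommunity.com."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if STEAM_REF.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/wp-content
    for rel, lineno, line in find_steam_references(sys.argv[1]):
        print(f"{rel}:{lineno}: {line}")
```

    A hit from find_steam_references is a lead to review by hand, not proof of infection; hidden_payload_suspected is meant for text captured from outbound responses, not for the PHP files themselves.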

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/steam-community-profiles-abused-as-c2-network-in-new-wordpress-malware-infection-campaign


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)