WordPress Malware Campaign Hides Payloads in Steam Profiles

BleepingComputer
Jun 1, 2026

Why It Matters

Abusing Steam’s trusted infrastructure gives attackers a stealthy C2 channel, raising the threat level for millions of WordPress sites and complicating incident response.

Key Takeaways

  • ≈2,000 WordPress sites infected via Steam profile comment payloads
  • Invisible Unicode characters encode C2 data, avoiding separate infrastructure
  • Backdoor activates with tEcaKKXEsb cookie, accepts base64 PHP code
  • Malicious script masquerades as legit libraries like lodash.core.min.js
  • Detection requires scanning for hidden Unicode and outbound Steam connections

Pulse Analysis

The convergence of web‑content management systems and gaming platforms has created a novel attack surface. By embedding invisible Unicode characters in seemingly benign Steam Community comments, threat actors can hide binary payloads in plain sight. This method leverages the high reputation of Valve’s infrastructure, allowing the malware to bypass many network‑based filters that would flag traffic to known malicious hosts. For WordPress operators, the campaign underscores how supply‑chain weaknesses—stolen credentials, vulnerable plugins, or compromised themes—can serve as the initial foothold for sophisticated exfiltration techniques.

Technically, the malware decodes six zero‑width Unicode symbols into binary, reconstructs a URL, and pulls JavaScript that mimics popular libraries such as lodash.core.min.js. The final stage installs a backdoor that only responds when the attacker‑specific tEcaKKXEsb cookie is present, executing base64‑encoded PHP code sent via POST. This layered evasion—obfuscated strings, random function names, and reliance on standard WordPress APIs—makes detection difficult for conventional scanners that focus on visible code signatures. Security teams must therefore expand their tooling to inspect outbound connections to non‑traditional C2 hosts like Steam and to flag hidden Unicode sequences in external content.

Mitigation now requires a multi‑pronged approach. Administrators should audit WordPress installations for references to Steam URLs, unexpected external scripts, and anomalous cache entries. Network monitoring must include egress traffic to Steam domains, while host‑based tools should be configured to reveal zero‑width characters in fetched comments. Prompt restoration from clean backups remains the safest remediation path, but when that isn’t feasible, a thorough manual clean‑up is essential to eliminate the persistent backdoor. The broader lesson is clear: as attackers co‑opt reputable third‑party platforms, defenders must broaden their threat‑intel horizons beyond traditional malware repositories.
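The host-side check called for in the takeaways and in the mitigation paragraph, as an added example rather than code from the article or from BleepingComputer: it scans fetched comment text for runs of invisible Unicode code points, ignoring the single zero-width joiners that are legitimate in Persian, Arabic or emoji text. The set of code points and the sample comments are assumptions; the article does not list the six symbols the malware uses.

```python
import re
import unicodedata

# Zero-width and otherwise invisible code points that render as nothing but
# survive copy/paste and HTML display. Assumption: the article does not list the
# six symbols the malware uses, so this is a general set, not the campaign's own.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\u2061\u2062\u2063\u2064\ufeff\u180e"
HIDDEN_RUN = re.compile("[" + ZERO_WIDTH + "]+")


def find_hidden_runs(text, min_run=8):
    """Return every run of invisible code points at least min_run long.

    A single ZWNJ/ZWJ is legitimate in Persian, Arabic or emoji sequences,
    so short runs are ignored; a long run made only of invisible characters
    is the signal that something was encoded rather than typed.
    """
    hits = []
    for m in HIDDEN_RUN.finditer(text):
        run = m.group()
        if len(run) >= min_run:
            hits.append({
                "offset": m.start(),
                "length": len(run),
                "alphabet": [unicodedata.name(c, "U+%04X" % ord(c))
                             for c in sorted(set(run))],
            })
    return hits


def scan_comments(comments, min_run=8):
    """Map comment id -> hits for every comment that contains a hidden run."""
    return {cid: hits for cid, body in comments.items()
            if (hits := find_hidden_runs(body, min_run))}


# Constructed sample input (not real Steam data): one benign comment using a
# single ZWNJ in Persian, and one carrying a 24-character invisible run.
BENIGN_COMMENT = "می\u200cخواهم بازی کنم"
SUSPICIOUS_COMMENT = "Nice profile, great games!" + "\u200b\u200c" * 12 + " GG"
SAMPLE_COMMENTS = {"c1": BENIGN_COMMENT, "c2": SUSPICIOUS_COMMENT}

if __name__ == "__main__":
    for cid, hits in scan_comments(SAMPLE_COMMENTS).items():
        for h in hits:
            print(f"{cid}: {h['length']} invisible chars at offset {h['offset']} "
                  f"using {', '.join(h['alphabet'])}")
```

Raise `min_run` if comments in scripts that rely on joiners produce noise; a run in the dozens with a two- or three-symbol alphabet is the pattern worth escalating.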
