NEWS: You play games, and your profile breaks websites. Hackers have found a clever use for Steam

pinkman

Traces of the attack remained in sight for months, but no one noticed them.
The attackers have found an unusual way to hide their malware management infrastructure behind a popular gaming platform. Instead of using their own servers to communicate with infected sites, they placed encrypted commands in the comments of Steam profiles, turning ordinary community pages into part of a hidden command-and-control network.

Researchers at GoDaddy Security found a malicious campaign targeting WordPress sites. According to the company, the infection affected about 1980 sites. Activity was first recorded in July 2025.

The malicious code performs two main tasks. The first is injecting third-party JavaScript files into site pages. The second is a full-fledged backdoor that lets the operators remotely modify theme and plugin files, retaining control over the system even after partial cleanup.

To receive commands, infected sites contact Steam Community profiles and retrieve the contents of their comments. At first glance such messages look harmless, but they contain data encoded with invisible Unicode characters. A user sees nothing suspicious, but the malware can decode the hidden information and turn it into commands.

Cryptography gives the attackers a further layer of protection. The campaign's authors used AES-256-CTR, PBKDF2 for key derivation, and HMAC for integrity checking. This combination complicates analysis of the content and hides the real addresses of the control nodes.

After decoding, the malware builds a URL and loads external JavaScript disguised as ordinary libraries. During analysis, the researchers recorded a download from the domain hello-mywordl.info. The fake script names mimicked common web-development components, which helped them avoid suspicion.

The built-in remote code execution mechanism is particularly dangerous. On receiving a special request with certain cookies, the backdoor accepts Base64-encoded PHP code and replaces existing snippets in WordPress themes and plugins. This lets the operators quickly update malicious modules without re-compromising the site.

Additional camouflage techniques hide the activity. The code uses randomly generated function names, strings are stored in encoded form, and part of the logic consists of dummy elements that give the appearance of debugging mechanisms. The malware also makes heavy use of standard WordPress functions, so its actions resemble those of ordinary extensions.

The report's authors believe the infections came through stolen administrator credentials, compromised FTP and SFTP access, vulnerable plugins, or infected third-party components. To detect the threat, they recommend checking for connections to Steam Community from WordPress servers, looking for traces of invisible Unicode characters in code, and analyzing suspicious connections to external domains.
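As an added example of the checks recommended above (not code from the report or from GoDaddy), the Python script below scans PHP and JavaScript files under a WordPress install for invisible Unicode characters, references to the two domains named in the article, and a Steam Community URL sitting next to a remote-fetch call. The set of invisible code points and the list of fetch functions are assumptions; the sample file contents are constructed.

```python
# Added detection helper for the indicators named in the report; this is not
# GoDaddy's or the malware's code, and the character set below is an assumption.
import re
import unicodedata
from pathlib import Path
# Zero-width / invisible code points commonly abused to hide data in text.
INVISIBLE = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}
# Domains named in the report: Steam profiles carry the commands,
# hello-mywordl.info served the injected JavaScript.
SUSPICIOUS_HOSTS = ("steamcommunity.com", "hello-mywordl.info")
# PHP calls a WordPress backdoor would use to fetch a remote page (assumed list).
FETCH_FUNCS = re.compile(r"\b(wp_remote_get|wp_remote_request|file_get_contents|curl_init)\s*\(")

def scan_source(text: str) -> dict:
    """Return indicator findings for the contents of one PHP or JS file."""
    invisible = {}
    for ch in text:
        cp = ord(ch)
        # Unicode category "Cf" (format) also catches invisible characters not listed above.
        if cp in INVISIBLE or unicodedata.category(ch) == "Cf":
            name = INVISIBLE.get(cp) or unicodedata.name(ch, f"U+{cp:04X}")
            invisible[name] = invisible.get(name, 0) + 1
    lowered = text.lower()
    hosts = [h for h in SUSPICIOUS_HOSTS if h in lowered]
    # A Steam Community URL next to a remote-fetch call is the
    # "Steam access from a WordPress server" behaviour the report describes.
    steam_fetch = "steamcommunity.com" in lowered and FETCH_FUNCS.search(text) is not None
    return {"invisible_chars": invisible, "hosts": hosts, "steam_fetch": steam_fetch,
            "suspicious": bool(invisible or hosts or steam_fetch)}

def scan_tree(root: str, exts=(".php", ".js")) -> dict:
    """Scan every PHP/JS file under root; map path -> findings for suspicious files."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in exts:
            result = scan_source(p.read_text(encoding="utf-8", errors="replace"))
            if result["suspicious"]:
                hits[str(p)] = result
    return hits
# Constructed sample resembling an infected theme fragment (not real malware).
SAMPLE_INFECTED = ('<?php $u = "https://steamcommunity.com/id/example/";\n'
                   '$r = wp_remote_get($u); $k = "\u200b\u200c\u200d\u200b";\n')
SAMPLE_CLEAN = '<?php echo get_bloginfo("name");\n'
```

Run `scan_tree("/var/www/html/wp-content")` (path is an assumption) to list every theme or plugin file that trips an indicator; a hit is a lead for manual review, not proof of infection, since legitimate files can contain format characters.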