Practically 2,000 WordPress web sites have been contaminated with malware that depends on Steam Group profile feedback to cover command-and-control (C2) information.
The menace actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve’s platform, the attacker avoids sustaining a separate C2 infrastructure and evades conventional detection strategies.
For the reason that marketing campaign was first uncovered in July 2025, GoDaddy safety engineers have discovered malware on roughly 1,980 WordPress web sites.
It’s unclear how the hackers breach the web sites, however researchers assess that the preliminary an infection vector ranges from stolen admin logins or compromised FTP/SFTP credentials to the exploitation of a weak WordPress theme or plugin, or a supply-chain compromise.
The primary-stage malware planted on a web site makes use of WordPress web page hundreds to achieve particular Steam profiles and extract textual content from benign-looking feedback.
Nevertheless, the textual content consists of hidden Unicode characters that conceal malicious payloads typically disguised as ASCII artwork.
Supply: GoDaddy
GoDaddy researchers be aware in a report that the menace actor makes use of six invisible Unicode characters for the encoded payload:
- Zero-width non-joiner (U+200C)
- Zero-width joiner (U+200D)
- Perform utility (U+2061)
- Invisible occasions (U+2062)
- Invisible separator (U+2063)
- Invisible plus (U+2064)
The decoder ignores any seen character and maps the invisible ones to a corresponding quantity; then it converts them to binary illustration and reconstructs bytes from the binary stream.
“This encoding permits binary information to be embedded inside normal-looking textual content. The seen characters function camouflage whereas the invisible characters carry the precise payload,” GoDaddy says.
In line with the researchers, the decoded payload is used to construct a hello-mywordl[.]information URL serving JavaScript code that’s injected into each frontend WordPress web page.
Primarily based on the file names (e.g., asahi-jquery-min-bundle and lodash.core.min.js), the retrieved malware is disguised as a reputable JavaScript library.
The ultimate stage of the assault is implementing a backdoor that responds to specifically crafted POST requests that embrace a selected authentication cookie. If the “tEcaKKXEsb cookie is current, the backdoor accepts base64-encoded PHP code by way of POST parameter,” the researchers clarify.
Supply: GoDaddy
GoDaddy describes a number of evasion mechanisms employed by the malware, together with obfuscated strings utilizing octal and hex escapes, randomized operate names, pretend disabled logging code, and the usage of normal WordPress APIs, permitting it to mix with regular exercise.
Web site house owners can defend by checking for references to Steam Group URLs, suspicious exterior JavaScript injections, outbound connections from WordPress servers to Steam, and sudden scripts loading from domains reminiscent of hello-mywordl[.]information.
Different indicators embrace invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware’s authentication cookies or the new_code parameter.
The researchers suggest that safety groups prioritize restoring from a identified good backup earlier than the an infection date. If this isn’t potential, the handbook cleansing course of needs to be thorough as a result of “attackers can reinstall eliminated code via the backdoor if any element stays energetic.”
Automated pentesting instruments ship actual worth, however they have been constructed to reply one query: can an attacker transfer via the community? They weren’t constructed to check whether or not your controls block threats, your detection guidelines fireplace, or your cloud configs maintain.
This information covers the 6 surfaces you truly have to validate.
