ctipilot.ch


GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

GoDaddy Security detailed a WordPress malware campaign affecting roughly 2,000 sites that hides its command-and-control resolution inside benign-looking comments on Steam Community profile pages (GoDaddy Security, 2026-05-28 · BleepingComputer, 2026-06-01). The first-stage PHP backdoor on a compromised WordPress install fetches a specific Steam profile and decodes a URL hidden using six invisible Unicode characters (zero-width non-joiner/joiner U+200C/U+200D and the invisible-operator code points U+2061–U+2064), reconstructing a link to a malicious JavaScript file disguised as a legitimate library. A second-stage PHP backdoor then accepts base64-encoded PHP via cookie-authenticated HTTP POST, giving persistent arbitrary code execution. Initial access was traced to stolen FTP/SFTP credentials, vulnerable plugins/themes and supply-chain compromise.

Why it matters to us: Steam Community is allowlisted by most web proxies, so the C2 channel is effectively unblockable at the egress filter; detection has to happen on the host. Hunt for PHP files under wp-content/uploads containing @eval(base64_decode(...)), web-server processes issuing outbound requests to steamcommunity.com profile pages, and cookie-authenticated POSTs to .php endpoints. WordPress backs many Swiss municipal and cantonal sites; credential hygiene on FTP/SFTP and plugin patching are the front-line controls.
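A host-side hunt helper for two of the indicators above, written as an added example (not GoDaddy's tooling): it flags runs of the six named invisible code points in free-text fields such as fetched profile comments, and matches the @eval(base64_decode( loader pattern in PHP source. The sample comment and PHP line are constructed; the brief does not describe the malware's encoding scheme, so the hidden URL is detected, not decoded.

```python
import re
from typing import Dict, List

# The six invisible code points named in the GoDaddy write-up.
INVISIBLE = {"\u200c", "\u200d", "\u2061", "\u2062", "\u2063", "\u2064"}


def find_invisible_runs(text: str, min_len: int = 8) -> List[Dict]:
    """Return runs of at least min_len consecutive invisible code points.

    A legitimate comment carries at most an occasional ZWJ/ZWNJ (emoji
    sequences, Persian or Indic scripts); a run of dozens is a data carrier.
    """
    runs, i, n = [], 0, len(text)
    while i < n:
        if text[i] in INVISIBLE:
            j = i
            while j < n and text[j] in INVISIBLE:
                j += 1
            if j - i >= min_len:
                runs.append({"start": i, "length": j - i,
                             "codepoints": sorted({f"U+{ord(c):04X}" for c in text[i:j]})})
            i = j
        else:
            i += 1
    return runs


def strip_invisible(text: str) -> str:
    """What a human reviewer (or a naive log viewer) actually sees."""
    return "".join(c for c in text if c not in INVISIBLE)


# Loose match for the second-stage loader; PHP function names are case-insensitive.
EVAL_B64 = re.compile(r"@\s*eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def php_has_eval_b64(src: str) -> bool:
    """True if the source contains the @eval(base64_decode( loader pattern."""
    return EVAL_B64.search(src) is not None


# Constructed samples: a benign-looking comment with 24 invisible chars spliced in,
# and a one-line cookie-gated PHP loader in the shape the brief describes.
SAMPLE_COMMENT = "gg, nice match!" + "\u200c\u2061\u2063\u200d\u2064\u2062" * 4 + " see you later"
SAMPLE_PHP = "<?php if(isset($_COOKIE['k'])){ @eval(base64_decode($_POST['d'])); }"

if __name__ == "__main__":
    for r in find_invisible_runs(SAMPLE_COMMENT):
        print(f"hidden run at offset {r['start']}, length {r['length']}, using {r['codepoints']}")
    print("visible text:", repr(strip_invisible(SAMPLE_COMMENT)))
    print("second-stage loader pattern present:", php_has_eval_b64(SAMPLE_PHP))
```

Run it over comment text pulled from the web server's outbound fetches and over PHP files under wp-content/uploads; a single ZWJ/ZWNJ in ordinary text does not trigger the run check.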