WordPress malware campaign using Steam profile C2 concealment
Campaign
Summary
Hide ▲
Show ▼
A WordPress malware campaign has infected about 1,980 websites since July 2025, and it hides command-and-control (C2) data in Steam Community profile comments to reduce detection. The operation uses invisible Unicode characters to encode payloads, then directs sites to hello-mywordl[.]info to fetch injected JavaScript. It can also install a backdoor that accepts base64-encoded PHP code through POST when a specific authentication cookie is present.
Related Happenings
WordPress malware hides C2 data in Steam Community comments
Malware Activity
H score16
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
How related:
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.
About this happening:
A WordPress malware operation has been uncovered on approximately 1,980 websites, raising the risk of hidden command-and-control (C2) traffic and persistent page injec...
WordPress malware hides C2 data in Steam Community comments
Malware ActivityHow related: Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.
About this happening: A WordPress malware operation has been uncovered on approximately 1,980 websites, raising the risk of hidden command-and-control (C2) traffic and persistent page injec...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
H score38
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
ClickFix campaigns continued to blend fake verification pages with command-pasting lures, including a 2025-11-06 wave that used embedded video tutorials, automatic O...
ClickFix MacSync social-engineering campaign targeting macOS users
CampaignAbout this happening: ClickFix campaigns continued to blend fake verification pages with command-pasting lures, including a 2025-11-06 wave that used embedded video tutorials, automatic O...
LummaStealer infection surge via CastleLoader
Malware Activity
H score30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The LummaStealer infostealer operation now includes a widespread ClickFix campaign observed in February 2026 that abuses Windows Terminal (wt.exe) instead of the R...
LummaStealer infection surge via CastleLoader
Malware ActivityAbout this happening: The LummaStealer infostealer operation now includes a widespread ClickFix campaign observed in February 2026 that abuses Windows Terminal (wt.exe) instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Major web skimming campaign targeting payment networks
Campaign
H score36
First: 13.01.2026 19:30
Last: 13.01.2026 19:30
Sources 1
About this happening:
A long-running Magecart web-skimming campaign has been active since 2022 and targets checkout flows tied to American Express, Diners Club, Discover, JCB, Mastercard, and...
Major web skimming campaign targeting payment networks
CampaignAbout this happening: A long-running Magecart web-skimming campaign has been active since 2022 and targets checkout flows tied to American Express, Diners Club, Discover, JCB, Mastercard, and...
CLEARSHORT smart-contract stealer delivery chain
Malware Activity
H score25
First: 16.10.2025 17:52
Last: 16.10.2025 17:52
Sources 1
About this happening:
The CLEARSHORT downloader is actively delivering Atomic (AMOS), Lumma, Rhadamanthys, and Vidar through hacked sites, putting Windows and Apple macOS users at risk....
CLEARSHORT smart-contract stealer delivery chain
Malware ActivityAbout this happening: The CLEARSHORT downloader is actively delivering Atomic (AMOS), Lumma, Rhadamanthys, and Vidar through hacked sites, putting Windows and Apple macOS users at risk....
Timeline
-
01.06.2026 20:04 2 articles · 1mo ago
Initial report: WordPress malware campaign using Steam profile C2 concealment
Initial DisclosureThe campaign first surfaced in July 2025 when infected WordPress sites were found loading first-stage malware that pulled hidden data from Steam Community profile comments. Early infections showed the operator using invisible Unicode characters to disguise payloads before directing victims toward injected JavaScript and a backdoor.
Show sources
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04