
WordPress malware campaign using Steam profile C2 concealment

Campaign
Happening score: 37
1 unique source, 1 article

Summary


A WordPress malware campaign has infected about 1,980 websites since July 2025, and it hides command-and-control (C2) data in Steam Community profile comments to reduce detection. The operation uses invisible Unicode characters to encode payloads, then directs sites to hello-mywordl[.]info to fetch injected JavaScript. It can also install a backdoor that accepts base64-encoded PHP code through POST when a specific authentication cookie is present.

Related Happenings

WordPress malware hides C2 data in Steam Community comments

Malware Activity
First: 01.06.2026 20:04 Last: 01.06.2026 20:04 Sources 1

How related: Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.

About this happening: A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First: 16.03.2026 13:41 Last: 16.03.2026 13:41 Sources 1

About this happening: A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Major web skimming campaign targeting payment networks

Campaign
First: 13.01.2026 19:30 Last: 13.01.2026 19:30 Sources 1

About this happening: A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...

CLEARSHORT smart-contract stealer delivery chain

Malware Activity
First: 16.10.2025 17:52 Last: 16.10.2025 17:52 Sources 1

About this happening: The **CLEARSHORT** downloader is actively delivering **Atomic (AMOS), Lumma, Rhadamanthys, and Vidar** through hacked sites, putting **Windows** and **Apple macOS** users at risk....

Timeline

  1. 01.06.2026 20:04 2 articles · 2h ago

    Initial report: WordPress malware campaign using Steam profile C2 concealment

    Initial Disclosure

    The campaign first surfaced in **July 2025** when infected WordPress sites were found loading first-stage malware that pulled hidden data from **Steam Community profile comments**. Early infections showed the operator using **invisible Unicode characters** to disguise payloads before directing victims toward injected JavaScript and a backdoor.
