WordPress malware hides C2 data in Steam Community comments
Malware Activity
Summary
Hide ▲
Show ▼
A WordPress malware operation has been uncovered on approximately 1,980 websites, raising the risk of hidden command-and-control (C2) traffic and persistent page injection. The malware uses Steam Community profile comments and invisible Unicode characters to conceal payload data. It also pulls script content from hello-mywordl[.]info and can plant a backdoor on infected sites.
Related Happenings
SocGholish malware downloader hijacking WordPress sites
Malware Activity
H score57
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
SocGholish is a long-running JavaScript-based malware downloader also tracked as FakeUpdates that hijacks compromised WordPress sites to push fake browser update...
SocGholish malware downloader hijacking WordPress sites
Malware ActivityAbout this happening: SocGholish is a long-running JavaScript-based malware downloader also tracked as FakeUpdates that hijacks compromised WordPress sites to push fake browser update...
Steam Workshop malicious wallpaper malware distribution campaign
Campaign
H score39
First: 16.06.2026 21:27
Last: 16.06.2026 21:27
Sources 1
About this happening:
A Steam Workshop campaign has used malicious wallpaper uploads to deliver malware to Steam users, creating a broad infection risk across the platform since late 2025....
Steam Workshop malicious wallpaper malware distribution campaign
CampaignAbout this happening: A Steam Workshop campaign has used malicious wallpaper uploads to deliver malware to Steam users, creating a broad infection risk across the platform since late 2025....
Steam Workshop Wallpaper Engine malware delivery operation
Malware Activity
H score38
First: 16.06.2026 21:27
Last: 16.06.2026 21:27
Sources 1
About this happening:
Malicious Steam Workshop wallpaper packages are being used to install backdoors, steal Steam credentials, and launch cryptomining on users' systems, expanding a lo...
Steam Workshop Wallpaper Engine malware delivery operation
Malware ActivityAbout this happening: Malicious Steam Workshop wallpaper packages are being used to install backdoors, steal Steam credentials, and launch cryptomining on users' systems, expanding a lo...
WordPress malware campaign using Steam profile C2 concealment
Campaign
H score37
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
How related:
Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
About this happening:
A WordPress malware campaign has infected about 1,980 websites since July 2025, and it hides command-and-control (C2) data in Steam Community profile comments...
WordPress malware campaign using Steam profile C2 concealment
CampaignHow related: Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
About this happening: A WordPress malware campaign has infected about 1,980 websites since July 2025, and it hides command-and-control (C2) data in Steam Community profile comments...
GootLoader malware activity with WOFF2 font filename obfuscation
Malware Activity
H score31
First: 11.11.2025 17:44
Last: 11.11.2025 17:44
Sources 1
About this happening:
The GootLoader loader has resurfaced with a new WOFF2 font-based filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed three...
GootLoader malware activity with WOFF2 font filename obfuscation
Malware ActivityAbout this happening: The GootLoader loader has resurfaced with a new WOFF2 font-based filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed three...
Timeline
-
01.06.2026 20:04 2 articles · 1mo ago
Initial report: WordPress malware hides C2 data in Steam Community comments
Initial DisclosureThe operation was first uncovered in July 2025 after infected WordPress sites were linked to Steam Community profile comments carrying hidden payload data. Early analysis showed a staged infection that used page loads, payload decoding, and later JavaScript injection and backdoor delivery.
Show sources
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04