WordPress malware hides C2 data in Steam Community comments
Malware Activity
Summary
A WordPress malware operation has been uncovered on approximately 1,980 websites, raising the risk of hidden command-and-control (C2) traffic and persistent page injection. The malware uses Steam Community profile comments and invisible Unicode characters to conceal payload data. It also pulls script content from hello-mywordl[.]info and can plant a backdoor on infected sites.
Related Happenings
WordPress malware campaign using Steam profile C2 concealment
Campaign
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
How related:
Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
About this happening:
A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
GootLoader malware activity with WOFF2 font filename obfuscation
Malware Activity
First: 11.11.2025 17:44
Last: 11.11.2025 17:44
Sources 1
About this happening:
The **GootLoader** loader has resurfaced with a new **WOFF2 font-based** filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed **three...
WordPress malicious JavaScript redirect campaign
Campaign
First: 08.10.2025 19:43
Last: 08.10.2025 19:43
Sources 1
About this happening:
The **WordPress** compromise campaign is turning site visits into a malware delivery path, redirecting users to **ClickFix-style pages** and fake **Cloudflare verification** scree...
Timeline
- 01.06.2026 20:04 · 2 articles
Initial report: WordPress malware hides C2 data in Steam Community comments
Initial Disclosure: The operation was first uncovered in **July 2025** after infected WordPress sites were linked to **Steam Community profile comments** carrying hidden payload data. Early analysis showed a staged infection that used page loads, payload decoding, and later JavaScript injection and backdoor delivery.
Sources:
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04
- WordPress malware campaign hides payloads in Steam profiles — www.bleepingcomputer.com — 01.06.2026 20:04