GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure
ID: 5fdab739-b658-5ce0-b0cf-643e6f28c1da
STIX ID: report--5fdab739-b658-5ce0-b0cf-643e6f28c1da
Feed Name: Security Affairs
GoDaddy researchers uncovered a malware campaign affecting ~1,980 WordPress sites that hides C2 payloads inside Steam profile comments using invisible Unicode characters; decoded payloads point to a malicious JavaScript (masquerading as lodash.core.min.js) and a PHP backdoor that can receive and rewrite code in plugin/theme files, enabling persistence and self-restoration. The report details the encoding (zero-width Unicode set), optional AES-256-CTR encryption with PBKDF2 and HMAC-SHA256, observable indicators (suspicious Steam outbound connections, hello-mywordl.info references, invisible Unicode arrays, cookie names DEpjndDbNc and tEcaKKXEsb, and POST parameter new_code), and recommends restoration from known-clean backups or comprehensive manual cleanup.
