New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions
ID: 4371d702-4ddf-55cb-8644-3fc8aa04058a
STIX ID: report--4371d702-4ddf-55cb-8644-3fc8aa04058a
Feed Name: HackRead
GoDaddy researchers discovered a WordPress malware campaign that hides encrypted C2 instructions inside invisible Unicode characters in Steam Community profile comments; infected sites (≈1,980) fetch and decode those instructions to load external JavaScript and maintain a cookie-authenticated backdoor that can modify PHP files for persistence and updates. The report includes technical indicators (e.g., steamcommunity.com references, invisible chars U+200C/U+200D/U+2061–U+2064, AES-CTR usage, hash_pbkdf2/openssl_decrypt, cookie names DEpjndDbNc/tEcaKKXEsb, transient_caption prefix, disabled cURL SSL) and detection/remediation recommendations.
