
Security researchers at GoDaddy have uncovered a clever malware campaign targeting WordPress websites: attackers infected nearly 2,000 sites with malicious code that hides its control instructions inside public Steam gaming profiles. Rather than setting up a suspicious-looking server that could be quickly blocked, the criminals write invisible commands into the comment sections of Steam profiles — completely ordinary-looking pages on Valve’s gaming platform. The malware on compromised WordPress sites periodically reads those Steam profiles and extracts its next instructions using hidden Unicode characters.
This approach lets the attackers blend in with normal gaming traffic and makes it harder for security tools to detect or block the command channel. Visitors to infected WordPress sites can unknowingly trigger the malware, which may redirect browsers, steal credentials, or install further malicious software. Researchers traced initial infections back to stolen admin passwords, weak FTP credentials, vulnerable plugins, or compromised themes.
How to check if you’re affected
This isn't tied to a particular WordPress version: any site that hasn't recently been audited for unauthorized code or unusual plugin activity should be treated as potentially affected. If you manage a WordPress website, log into the admin panel and check Plugins → Installed Plugins for anything unfamiliar or recently modified. Also review Appearance → Theme Editor for unexpected code changes. A site scanner such as Wordfence or Sucuri can flag injected malicious scripts. If your hosting provider offers a file integrity monitor, enable it now.
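As an added example (not code from GoDaddy's research or from this article), here is a small Python scanner that walks a WordPress install and flags files that reference steamcommunity.com or carry a run of zero-width Unicode characters. The article names neither the exact code points nor the profile URL pattern, so both indicators, the threshold, and the embedded sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Invisible / zero-width code points often used to hide data in plain text.
# The article only says "hidden Unicode characters"; this list is an assumption.
HIDDEN_CHARS = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}
HIDDEN_RE = re.compile("[" + "".join(HIDDEN_CHARS) + "]")
# Site code has no legitimate reason to pull Steam profiles (assumed indicator).
STEAM_RE = re.compile(r"steamcommunity\.com", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_text(text: str) -> dict:
    """Count hidden code points (by name) and Steam references in one string."""
    counts = {}
    for ch in HIDDEN_RE.findall(text):
        counts[HIDDEN_CHARS[ch]] = counts.get(HIDDEN_CHARS[ch], 0) + 1
    return {
        "hidden_chars": counts,
        "hidden_total": sum(counts.values()),
        "steam_refs": len(STEAM_RE.findall(text)),
    }

def is_suspicious(result: dict, threshold: int = 3) -> bool:
    """Any Steam reference is a hit; hidden chars need a run (a lone BOM is normal)."""
    return result["steam_refs"] > 0 or result["hidden_total"] >= threshold

def scan_tree(root: str, threshold: int = 3) -> list:
    """Walk a WordPress install and return (path, result) for suspicious files."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if is_suspicious(result, threshold):
                hits.append((str(path), result))
    return hits

# Constructed sample (not a real payload): a PHP file that fetches a Steam
# profile and carries zero-width characters inside an innocent-looking comment.
SAMPLE_INFECTED = (
    "<?php\n$u = 'https://steamcommunity.com/profiles/PLACEHOLDER_ID';\n"
    "// cache\u200b\u200c\u200d\u200b\u200c\u200d\n$c = file_get_contents($u);\n"
)
SAMPLE_CLEAN = "<?php\n// theme helper\necho 'hello';\n"
```

Run `scan_tree("/path/to/wordpress")` against a copy of the site; anything it returns deserves a diff against a clean copy of that plugin or theme, since a match on zero-width characters alone can also come from minified or localized assets.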
