Full Report
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data. [...]
Analysis Summary
# Tool/Technique: Steam-Based C2 Steganography (WordPress Malware)
## Overview
This technique involves a multi-stage malware campaign targeting WordPress websites. It utilizes the Steam Community platform as a resilient command-and-control (C2) intermediary by hiding malicious payloads within profile comments using invisible Unicode characters. This allows the attacker to update C2 configurations without maintaining their own infrastructure, often bypassing traditional domain-based filtering.
## Technical Details
- **Type:** Malware / C2 Steganography Technique
- **Platform:** WordPress (PHP / JavaScript)
- **Capabilities:** Steganographic payload extraction, JavaScript injection, remote backdoor access.
- **First Seen:** July 2025 (Reported by GoDaddy)
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- **T1071.001 - Application Layer Protocol: Web Protocols** (Communicating with Steam via HTTP/S)
- **T1564.007 - Hide Artifacts: Steganography** (Using invisible Unicode characters in comments)
- **T1102.001 - Web Service: Dead Drop Resolver** (Using Steam profiles to host C2 data)
- **TA0003 - Persistence**
- **T1505.003 - Server Software Component: Web Shell** (Backdoor responding to POST requests)
## Functionality
### Core Capabilities
- **Dead Drop Resolving:** The malware connects to specific Steam Community profile pages to retrieve configuration data.
- **Unicode Decoding:** It parses the profile comments, ignoring visible text and mapping six specific invisible Unicode characters (U+200C, U+200D, U+2061, U+2062, U+2063, U+2064) into binary data to reconstruct a URL.
- **Payload Injection:** It injects malicious JavaScript hosted on external domains (e.g., `hello-mywordl[.]info`) into every frontend page of the WordPress site.
### Advanced Features
- **Sophisticated Evasion:** Uses octal and hex escapes to obfuscate strings and randomized function names, and disables SSL verification in cURL requests to ensure connectivity.
- **Backdoor Authentication:** Implements a PHP backdoor that only activates if a specific authentication cookie (`tEcaKKXEsb`) is present in a POST request.
- **Arbitrary Code Execution:** Once authenticated via the cookie, the backdoor accepts and executes Base64-encoded PHP code through the `new_code` parameter.
## Indicators of Compromise
- **File Names:**
  - `asahi-jquery-min-bundle`
  - `lodash.core.min.js` (Note: these are names used by the malicious scripts, mimicking legitimate libraries)
- **Network Indicators:**
  - `hello-mywordl[.]info` (defanged C2 domain)
  - Frequent outbound requests from the web server to `steamcommunity.com/id/[profile_name]`
- **Behavioral Indicators:**
  - WordPress `_transient_caption` cache entries containing encoded strings.
  - Presence of the `tEcaKKXEsb` cookie in inbound POST requests.
  - cURL requests with `CURLOPT_SSL_VERIFYPEER` set to false within WordPress core files or plugins.
## Associated Threat Actors
- **Unknown:** Currently tracked as a widespread WordPress infection campaign (approx. 2,000 sites).
## Detection Methods
- **Signature-based detection:** Scanning for the specific PHP backdoor logic that checks for the `tEcaKKXEsb` cookie.
- **Behavioral detection:** Monitoring for server-side outbound connections to Steam or unexpected domains like `hello-mywordl[.]info`.
- **YARA Rules / Scans:** Scanning for blocks of the six invisible Unicode characters listed above (U+200C, U+200D, U+2061 to U+2064) within WordPress database entries or theme files.
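As an added example (not code from the report or from GoDaddy's analysis), the following Python scanner implements the zero-width scan described here and the "ignore visible text, keep the invisible characters" step from Core Capabilities, using the six code points the report names. The sample comment, the `Finding` structure and the eight-character run threshold are constructed assumptions; the report does not give the bit mapping, so the code stops at isolating the carrier characters.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The six invisible code points named in the report: ZERO WIDTH NON-JOINER,
# ZERO WIDTH JOINER, and the invisible math operators U+2061..U+2064.
STEGO_CHARS = "\u200c\u200d\u2061\u2062\u2063\u2064"
# One run = a maximal sequence of those characters with no visible text inside.
STEGO_RUN = re.compile(f"[{STEGO_CHARS}]+")

@dataclass
class Finding:
    offset: int       # index in the scanned text where the run starts
    length: int       # number of invisible characters in the run
    preview: str      # first few code points, e.g. "U+200C U+2061"

def find_invisible_runs(text: str, min_run: int = 8) -> list[Finding]:
    """Report runs of STEGO_CHARS at least min_run long.

    min_run is an assumed threshold: legitimate text contains these characters
    singly (U+200D joins emoji sequences, U+200C shapes Persian/Arabic text),
    while a hidden URL needs tens of them back to back.
    """
    findings = []
    for m in STEGO_RUN.finditer(text):
        run = m.group(0)
        if len(run) >= min_run:
            preview = " ".join(f"U+{ord(c):04X}" for c in run[:4])
            findings.append(Finding(m.start(), len(run), preview))
    return findings

def strip_visible(text: str) -> str:
    """Keep only the steganographic characters, mirroring the report's
    description of the decoder ignoring visible text. The bit mapping itself
    is not given in the report, so this stops at isolating the carrier."""
    return "".join(c for c in text if c in STEGO_CHARS)

def scan_file(path: str, min_run: int = 8) -> list[Finding]:
    """Scan a theme file or an exported database dump for hidden runs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_invisible_runs(fh.read(), min_run)

if __name__ == "__main__":
    # Constructed sample comment: visible text around 40 hidden characters.
    sample = "nice profile " + "\u200c\u2061\u200d\u2062" * 10 + " gg"
    for f in find_invisible_runs(sample):
        print(f"sample: offset {f.offset}, {f.length} chars, {f.preview} ...")
```

Emoji sequences and Arabic-script text legitimately contain single U+200D/U+200C characters, which is why the scanner flags runs rather than individual characters.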
## Mitigation Strategies
- **Prevention:** Update all WordPress themes and plugins; enforce strong passwords and Multi-Factor Authentication (MFA) for admin and FTP/SFTP accounts.
- **Hardening:** Implement a Web Application Firewall (WAF) to block unauthorized POST requests and monitor for suspicious JavaScript injections.
- **Recovery:** Priority should be placed on restoring the site from a clean backup. If manual cleaning is performed, ensure the PHP backdoor is removed entirely, as it can be used to re-infect the site.
## Related Tools/Techniques
- **Dead Drop Resolvers:** Similar to techniques using Twitter, GitHub, or Pastebin for C2 configuration.
- **Obfuscated JavaScript:** Common in Magecart-style attacks or credential harvesters.