A widespread malware campaign has compromised nearly 2,000 WordPress websites, leveraging Steam Community profile comments as a covert channel for command-and-control (C2) communications. The attackers embed malicious payloads within profile comments on the popular gaming platform, making detection difficult for traditional security tools.
Researchers have not yet assigned a CVE identifier to this specific campaign, but the scale of infection is significant. The malware targets WordPress installations, which power over 40% of websites globally. Active exploitation has been confirmed, with attackers maintaining persistent access to compromised sites.
The attack vector relies on compromised WordPress admin credentials or unpatched vulnerabilities to inject malicious code. Once inside, the malware reaches out to Steam profiles to fetch C2 instructions hidden in comment fields. Indicators of compromise include unusual database entries, modified theme files, and outbound connections to Steam's API endpoints.
Site owners are advised to update WordPress core, plugins, and themes to the latest versions, change all admin passwords, and review user accounts for unauthorized additions. Security plugins that monitor file integrity can help detect tampering. A full cleanup may require restoring from a known clean backup or engaging a professional incident response team.
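Two of the indicators listed above can be checked mechanically: theme or plugin files that fetch Steam Community profile pages, and web servers making outbound requests to steamcommunity.com profile URLs. The following is an added example written for this brief, not code from the article or from any analysed sample; the egress-log format, the sample PHP file and the Steam profile ID are all constructed for illustration.

```python
"""Added example: flag WordPress PHP files and egress-log lines that point at
Steam Community profile pages, the C2 channel described in the brief."""
import re

# Steam Community profile URL: vanity (/id/<name>) or numeric (/profiles/<steamid64>).
STEAM_PROFILE_RE = re.compile(
    r"https?://steamcommunity\.com/(?:id|profiles)/[A-Za-z0-9_\-]+", re.I)
# PHP / WordPress calls that pull remote content; a URL alone is not enough to alert.
PHP_FETCH_RE = re.compile(
    r"\b(?:file_get_contents|curl_exec|wp_remote_get|wp_remote_retrieve_body)\s*\(")


def scan_php_source(path: str, source: str) -> list[str]:
    """Return a finding when a PHP file both embeds a Steam profile URL and calls
    a remote-fetch function. A bare URL (e.g. in a comment) is ignored."""
    urls = STEAM_PROFILE_RE.findall(source)
    if urls and PHP_FETCH_RE.search(source):
        return [f"{path}: remote fetch of Steam profile {urls[0]}"]
    return []


# Hypothetical egress-log format assumed here: "<ts> <src_ip> <dst_host> <path>".
EGRESS_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_egress_log(lines: list[str], web_servers: set[str]) -> list[str]:
    """Flag known web servers fetching Steam profile pages; a WordPress host has
    no legitimate reason to read gaming-profile comments."""
    hits = []
    for line in lines:
        m = EGRESS_LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, src, host, path = m.groups()
        if (src in web_servers and host.lower() == "steamcommunity.com"
                and path.startswith(("/id/", "/profiles/"))):
            hits.append(f"{ts} {src} -> {host}{path}")
    return hits


# Constructed sample input; the profile ID and addresses are not real indicators.
SAMPLE_THEME = """<?php
$r = wp_remote_get('https://steamcommunity.com/profiles/76561190000000000');
$body = wp_remote_retrieve_body($r);  // fetched text is processed elsewhere
"""
SAMPLE_EGRESS = [
    "2024-01-01T00:00:01Z 10.0.0.5 wordpress.org /plugins/info/1.2/",
    "2024-01-01T00:00:07Z 10.0.0.5 steamcommunity.com /profiles/76561190000000000",
    "2024-01-01T00:00:09Z 10.0.0.9 steamcommunity.com /profiles/76561190000000000",
]
WEB_SERVERS = {"10.0.0.5"}  # 10.0.0.9 is a workstation, so its Steam traffic is not flagged
```

Run the two scanners over a theme directory and your proxy or firewall egress logs; the PHP check is deliberately conjunctive so that documentation comments mentioning Steam do not produce noise.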
Attribution remains unclear at this time. The campaign underscores a broader trend of attackers abusing legitimate platforms—like Steam, GitHub, or Discord—to host C2 infrastructure, evading traditional blocklists and network defenses.
Counterargument: Some security analysts argue that the use of Steam profiles for C2 is not a novel technique, and that organizations with mature endpoint detection and response (EDR) systems may already have mitigations in place. The reported infection count of 2,000, while notable, represents a fraction of the overall WordPress ecosystem, and many sites may be patched before compromise occurs.
ai_context: This brief was composed from a single BleepingComputer article published 0 hours ago. Technical details are limited. No CVE, CVSS score, or specific patch information was provided in the source. Attribution data is absent. The confidence rating reflects reliance on one source with medium relevance (0.60) due to lack of corroborating reports.