
Nearly 2,000 WordPress sites hide malware in Steam


A WordPress page that looks normal can still be quietly feeding a hacker’s script. In this campaign, the hiding place isn’t a secret server or a classic “beacon” URL—it’s Valve’s Steam platform.

GoDaddy security engineers say nearly 2,000 WordPress websites were infected by malware that relies on Steam Community profile comment text to conceal command-and-control (C2) data. The infection was first uncovered in July 2025; since then GoDaddy has found the malware on approximately 1,980 WordPress websites.

The operator’s method is built to slip past typical scrutiny. Instead of storing readable instructions, the threat actor used invisible Unicode characters to encode a payload. Those characters are embedded in otherwise ordinary-looking text—sometimes even disguised as ASCII art—so a casual glance never sees the dangerous part.


GoDaddy’s report says the malware uses six specific invisible Unicode characters to carry the encoded payload: zero-width non-joiner (U+200C), zero-width joiner (U+200D), function application (U+2061), invisible times (U+2062), invisible separator (U+2063), and invisible plus (U+2064). The decoder ignores any visible character, maps each invisible character to a number, converts that number to binary, and reconstructs bytes from the resulting bit stream.
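The pipeline described above, as an added example that is not GoDaddy's code and not the malware's own decoder. The report names the six code points and the decoding steps (drop visible characters, map each invisible character to a number, turn that into bits, rebuild bytes) but not how many bits each character carries, so the mapping below is an assumption chosen to keep the scheme invertible: U+200C and U+200D carry one bit each, U+2061 to U+2064 carry two. The cover text and the hidden payload are constructed for the demo.

```python
"""Toy reimplementation of the zero-width-character channel described above.

Added example, not GoDaddy's code and not the malware's decoder. The BITS table
is an ASSUMPTION: the report does not say how the six code points are packed.
"""

# ASSUMED mapping: invisible code point -> bit string it contributes.
BITS = {
    "\u200c": "0",   # ZERO WIDTH NON-JOINER
    "\u200d": "1",   # ZERO WIDTH JOINER
    "\u2061": "00",  # FUNCTION APPLICATION
    "\u2062": "01",  # INVISIBLE TIMES
    "\u2063": "10",  # INVISIBLE SEPARATOR
    "\u2064": "11",  # INVISIBLE PLUS
}
CHARS = {bits: ch for ch, bits in BITS.items()}
INVISIBLE = frozenset(BITS)

# Each byte's eight bits are cut into groups of these widths before being
# mapped to characters; a fixed plan keeps the encoder deterministic.
GROUP_PLAN = (2, 1, 1, 2, 2)


def encode(payload: bytes) -> str:
    """Turn bytes into a run of invisible characters (encoder side)."""
    out = []
    for byte in payload:
        bits = f"{byte:08b}"
        pos = 0
        for width in GROUP_PLAN:
            out.append(CHARS[bits[pos:pos + width]])
            pos += width
    return "".join(out)


def decode(text: str) -> bytes:
    """Recover bytes from any text: visible characters are ignored, every
    invisible character contributes its bits, and each full 8 bits is one
    byte. A trailing partial byte (fewer than 8 bits) is discarded."""
    bitstream = "".join(BITS.get(ch, "") for ch in text)
    usable = len(bitstream) - len(bitstream) % 8
    return bytes(int(bitstream[i:i + 8], 2) for i in range(0, usable, 8))


def hide_in_cover(cover: str, hidden: str) -> str:
    """Spread the invisible characters across a visible cover string, one
    hidden character after each cover character, remainder appended at the
    end. The result renders exactly like `cover`."""
    out = []
    for i, ch in enumerate(cover):
        out.append(ch)
        if i < len(hidden):
            out.append(hidden[i])
    out.append(hidden[len(cover):])
    return "".join(out)


def strip_invisible(text: str) -> str:
    """What a reader sees: the text with the six code points removed."""
    return "".join(ch for ch in text if ch not in INVISIBLE)


def count_invisible(text: str) -> int:
    """Number of characters from the six-code-point set present in `text`."""
    return sum(1 for ch in text if ch in INVISIBLE)


if __name__ == "__main__":
    # Constructed sample: a harmless-looking comment carrying a hostname.
    comment = hide_in_cover("Nice profile, gg!", encode(b"example.invalid"))
    print(repr(comment))              # visibly just "Nice profile, gg!"
    print(count_invisible(comment))   # 75 hidden characters
    print(decode(comment))            # b'example.invalid'
```

Because the decoder skips every character it does not know, the carrier can be any comment, including ASCII art; the visible text contributes nothing to the bit stream, which is exactly why a rendered page or a casual read of the raw comment reveals nothing.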

That decoded payload is then used to build a URL on hello-mywordl[.]info that serves JavaScript code. The JavaScript is injected into every frontend WordPress page, and GoDaddy says the retrieved malware is disguised using filenames such as asahi-jquery-min-bundle and lodash.core.min.js, leaning on familiar library naming to blend in.


The infection doesn’t stop at front-end tampering. GoDaddy says the final stage installs a backdoor that responds to specially crafted POST requests containing a specific authentication cookie. If the tEcaKKXEsb cookie is present, the backdoor accepts base64-encoded PHP code via a POST parameter called new_code, effectively letting the attacker extend or restore components after cleanup attempts.

Where the attackers first got into the WordPress systems remains unclear. GoDaddy researchers assess that the initial infection vector could involve stolen admin logins or compromised FTP/SFTP credentials, exploitation of a vulnerable WordPress theme or plugin, or even a supply-chain compromise.


Even the early steps are tied to Steam. GoDaddy says the first-stage malware uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments. That text contains the hidden Unicode characters, which then conceal the payload used to build the hello-mywordl[.]info URL.

Once inside, the malware leans on evasion techniques designed to look like ordinary WordPress activity and frustrate investigators. GoDaddy describes obfuscated strings using octal and hex escapes, randomized function names, fake disabled logging code, and use of standard WordPress APIs.
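The octal and hex escape trick mentioned above, as an added example that is not GoDaddy's code and not from the malware. PHP resolves \xHH and \NNN (octal) escapes inside double-quoted strings at runtime, so a literal that looks like noise on disk becomes a function name or URL when executed. The sample PHP snippet below is constructed for the demo; the decoder and the obfuscator are a matched pair so the round trip can be checked.

```python
"""Resolve PHP double-quoted-string escapes to read obfuscated literals.

Added example, not GoDaddy's code. SAMPLE_PHP is a constructed snippet.
"""
import re

# \xHH (one or two hex digits) or \NNN (one to three octal digits), as PHP
# accepts them in double-quoted strings; any other escape is left untouched.
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# A double-quoted literal: anything but quote/backslash, or an escaped char.
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def unescape_php(s: str) -> str:
    """Resolve hex and octal escapes the way PHP does; an octal value above
    255 wraps to a single byte, as in PHP ("\\400" === "\\000")."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESCAPE.sub(repl, s)


def obfuscate_php(s: str) -> str:
    """Emit a double-quoted PHP literal for an ASCII string, alternating
    octal and hex escapes (the kind of output such malware embeds)."""
    body = "".join(f"\\{ord(c):03o}" if i % 2 == 0 else f"\\x{ord(c):02x}"
                   for i, c in enumerate(s))
    return '"' + body + '"'


def decode_literals(php_source: str) -> list:
    """Every double-quoted literal in `php_source`, decoded, in order."""
    return [unescape_php(m.group(1)) for m in _DQ_STRING.finditer(php_source)]


# Constructed sample: a callable name and a short string hidden as escapes.
SAMPLE_PHP = (
    '$f = "\\143\\x75\\162\\x6c\\137\\x69\\156\\x69\\164";\n'
    '$l = "\\x6c\\157\\x67";\n'
    '$h = $f();'
)


if __name__ == "__main__":
    print(decode_literals(SAMPLE_PHP))   # ['curl_init', 'log']
    print(obfuscate_php("steamcommunity.com"))
```

Running the decoder over every double-quoted literal in a suspect file turns the randomized, escape-heavy source back into something greppable, which is the first step before the indicator checks below make sense.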


For site owners, this is where the story turns from “suspicious behavior” into a practical emergency. GoDaddy says defenses should focus on visible signs that connect the dots: check for references to Steam Community URLs, suspicious external JavaScript injections, and outbound connections from WordPress servers to Steam. Look for unexpected scripts loading from hello-mywordl[.]info.

There are also more subtle indicators. GoDaddy lists invisible Unicode characters, suspicious _transient_caption_ cache entries, disabled SSL verification in cURL requests, and POST requests containing the malware’s authentication cookies or the new_code parameter.
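The indicators from the two paragraphs above, run as a triage script over constructed sample data. This is an added example, not GoDaddy's tooling: the file paths, wp_options rows and request records are made up for the demo, and only the indicator names (Steam Community URLs, the hello-mywordl[.]info domain, the six invisible code points, _transient_caption_ entries, cURL with SSL verification disabled, the tEcaKKXEsb cookie and the new_code parameter) come from the report. Note that ordinary access logs do not record cookies or POST bodies, so the request check needs WAF or request-logging data.

```python
"""Indicator triage for the campaign described above.

Added example, not GoDaddy's tooling. All sample data below is constructed.
"""
import re

INVISIBLE = frozenset("\u200c\u200d\u2061\u2062\u2063\u2064")
C2_DOMAIN = "hello-mywordl.info"        # written defanged in the text above
BACKDOOR_COOKIE = "tEcaKKXEsb"
BACKDOOR_PARAM = "new_code"

FILE_PATTERNS = {
    "steam_community_url": re.compile(r"https?://steamcommunity\.com/", re.I),
    "c2_domain": re.compile(re.escape(C2_DOMAIN), re.I),
    # curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false) or the => array form
    "curl_ssl_verify_off": re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*(?:,|=>)\s*(?:false|0)\b", re.I),
}
# WordPress stores every transient as two option rows: the value under
# _transient_<name> and its expiry under _transient_timeout_<name>.
TRANSIENT_RX = re.compile(r"^_transient_(?:timeout_)?caption_")


def scan_file(path, content):
    """Findings for one file as (path, indicator) tuples."""
    hits = [(path, name) for name, rx in FILE_PATTERNS.items() if rx.search(content)]
    if any(ch in INVISIBLE for ch in content):
        hits.append((path, "invisible_unicode"))
    return hits


def scan_options(option_names):
    """Findings for wp_options names (e.g. SELECT option_name FROM wp_options)."""
    return [(n, "transient_caption_cache") for n in option_names if TRANSIENT_RX.match(n)]


def scan_requests(requests):
    """Findings for request records shaped like {method, path, cookies, post}.
    Only POST requests are considered, matching the report's description."""
    hits = []
    for r in requests:
        if r["method"] != "POST":
            continue
        if BACKDOOR_COOKIE in r.get("cookies", {}):
            hits.append((r["path"], "backdoor_cookie"))
        if BACKDOOR_PARAM in r.get("post", {}):
            hits.append((r["path"], "backdoor_new_code_param"))
    return hits


# Constructed samples (not artefacts from an infected site).
SAMPLE_FILES = {
    "wp-content/plugins/seo-helper/loader.php":
        "<?php $u = 'https://steamcommunity.com/profiles/PLACEHOLDER/';\n"
        "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);",
    "wp-content/themes/shop/footer.php":
        '<script src="https://hello-mywordl.info/lodash.core.min.js"></script>',
    "wp-content/themes/shop/banner.txt":
        " /\\_/\\ \u200c\u2061\u2064\n( o.o )",     # ASCII art carrying hidden chars
    "wp-includes/version.php":
        "<?php $wp_version = '6.6';",
}
SAMPLE_OPTIONS = ["siteurl", "_transient_caption_3f2a", "_transient_timeout_caption_3f2a"]
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/", "cookies": {}, "post": {}},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "cookies": {"wordpress_test_cookie": "WP Cookie check"}, "post": {"action": "heartbeat"}},
    {"method": "POST", "path": "/wp-content/uploads/cache.php",
     "cookies": {BACKDOOR_COOKIE: "1"},
     "post": {BACKDOOR_PARAM: "PD9waHAgZWNobyAxOw=="}},   # base64 of "<?php echo 1;"
]


def triage(files=SAMPLE_FILES, options=SAMPLE_OPTIONS, requests=SAMPLE_REQUESTS):
    """All findings across the three data sources, as (where, indicator) tuples."""
    hits = []
    for path, content in files.items():
        hits.extend(scan_file(path, content))
    hits.extend(scan_options(options))
    hits.extend(scan_requests(requests))
    return hits


if __name__ == "__main__":
    for where, indicator in triage():
        print(f"{indicator:28} {where}")
```

A single hit on the cookie or new_code check is the strongest signal, since nothing legitimate in WordPress sends either; a Steam Community URL inside PHP under wp-content is the next one to chase, because a site with no Steam integration has no reason to fetch profile pages.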

The cleanup guidance is blunt because the attack is built to return. GoDaddy recommends restoring from a known good backup taken before the infection date. If that isn’t possible, the manual cleaning process needs to be thorough: attackers can reinstall removed code through the backdoor if any component remains active.
