Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.
The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve's platform, the attacker avoids maintaining a separate C2 infrastructure and evades traditional detection methods.
Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
It is unclear how the hackers breach the websites, but researchers assess that the initial infection vector ranges from stolen admin logins or compromised FTP/SFTP credentials to the exploitation of a vulnerable WordPress theme or plugin, or a supply-chain compromise.
The first-stage malware planted on a website uses WordPress page loads to reach specific Steam profiles and extract text from benign-looking comments.
However, the text includes hidden Unicode characters that conceal malicious payloads sometimes disguised as ASCII art.
[Image: Malicious Steam comment. Source: GoDaddy]
GoDaddy researchers note in a report that the threat actor uses six invisible Unicode characters for the encoded payload:
Zero-width non-joiner (U+200C)
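A defender-side check for the technique described above, added here as an example (not GoDaddy's tooling or the malware's own code): it scans comment text for runs of invisible Unicode code points and flags comments whose hidden run is unusually long. Only U+200C is named in the report; the rest of the watch-list and the sample comments are assumptions constructed for the example.

```python
import unicodedata
from collections import Counter

# Code points that render as nothing and can therefore carry hidden data inside
# benign-looking text. U+200C (zero-width non-joiner) is the one named in the
# report; the rest of this watch-list is an assumption, not the campaign's set.
INVISIBLE_CODEPOINTS = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0x2063: "INVISIBLE SEPARATOR",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
}

def is_invisible(ch):
    # Explicit watch-list plus any other Unicode "format" (Cf) character.
    return ord(ch) in INVISIBLE_CODEPOINTS or unicodedata.category(ch) == "Cf"

def scan_hidden_unicode(text, run_threshold=8):
    """Count invisible code points and find the longest consecutive run.
    Ordinary text has at most an occasional joiner, not dozens in a row."""
    counts = Counter()
    longest = current = 0
    for ch in text:
        if is_invisible(ch):
            counts[f"U+{ord(ch):04X}"] += 1
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return {"counts": dict(counts), "longest_run": longest,
            "suspicious": longest >= run_threshold}

def audit_comments(comments, run_threshold=8):
    """Return ids of comments (id -> text) whose hidden run meets the threshold."""
    return [cid for cid, text in comments.items()
            if scan_hidden_unicode(text, run_threshold)["suspicious"]]

# Constructed samples: a clean comment and one with 20 zero-width characters
# hidden between visible text and a smiley, so it still reads as benign chat.
SAMPLE_CLEAN = "gg wp, nice plays!"
HIDDEN_RUN = "".join(["\u200c", "\u200b", "\u200d", "\u200c"] * 5)
SAMPLE_HIDDEN = "gg wp, nice plays! " + HIDDEN_RUN + ":)"
SAMPLE_COMMENTS = {"c1": SAMPLE_CLEAN, "c2": SAMPLE_HIDDEN}
```

Running `audit_comments(SAMPLE_COMMENTS)` returns `['c2']`; the same scan can be pointed at any text a WordPress site fetches from a third-party profile before it is evaluated or acted on.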