WordPress Malware Campaign Uses Steam Profiles

Nearly 2,000 WordPress websites are the target of a malware campaign that relies on using Steam Community profile comments to hide its Command-and-Control (C2) data. This technique allows attackers to obscure their activities and evade detection by security software. The malware exploits a specific vulnerability in WordPress that enables attackers to inject malicious code into the websites. The affected sites show no obvious signs of infection, making detection by administrators more difficult. Security researchers have found that the malware is spread through compromised plugins and themes.

A key feature of this malware campaign is the use of Steam profile comments as a hiding place for the C2 data. Attackers leave comments on public Steam profiles, which are then retrieved by the infected WordPress sites. This method allows the attackers to disguise their infrastructure and maintain communication with the infected websites. The security firm that discovered the campaign warns of the potential risks to WordPress users. The malware could be used to steal personal data or take control of the infected websites.

The researchers recommend regularly updating all plugins and themes and conducting security audits. In addition to the technical aspects of the malware campaign, the researchers have also analyzed the distribution patterns. Most affected websites are located in the USA and Europe, with a significant number of sites identified in Germany. The attackers appear to be specifically targeting websites that use outdated software. The security community has emphasized the need to improve security practices to prevent such attacks.

This includes implementing Web Application Firewalls (WAF) and conducting regular security audits. The use of strong passwords and two-factor authentication is also recommended to reduce the risk of compromise. The malware campaign has already led to increased attention to the security of WordPress websites. Many website operators have begun reviewing and strengthening their security measures. The researchers stress that a proactive approach to security is crucial to prevent future attacks.

The exact origin of the malware is currently unclear. Security researchers are investigating the attackers' infrastructure to establish possible connections to other known threats. Analyzing the techniques used could help identify the attackers and stop their activities. The campaign has already resulted in a variety of reports of security incidents. According to a recent survey, over 30% of WordPress users reported having security issues in the past six months.

This underscores the urgency of taking security measures and regularly updating software. The security firm plans to release more information about the malware campaign in the coming weeks. The researchers hope that their findings will help educate the WordPress community about the risks and improve website security. The malware campaign was first discovered on May 15, 2026, and security researchers continue to analyze the impact and spread of the threat.