
WordPress malware campaign hides payloads in Steam profiles

Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data.

The threat actor used invisible Unicode characters to encode a payload that builds a URL to a malicious script. By leveraging Valve’s platform, the attacker avoids maintaining a separate C2 infrastructure and evades traditional detection methods.

Since the campaign was first uncovered in July 2025, GoDaddy security engineers have found malware on approximately 1,980 WordPress websites.
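A defender-side check for the invisible-character technique described above, added here as an example and not taken from the article or from GoDaddy's tooling: it flags long runs of non-rendering code points in text such as stored comments or theme files. The article does not say which characters were used, so the choice of Unicode format (Cf) characters plus variation selectors, the `min_run` threshold, and the sample strings are all assumptions.

```python
import unicodedata
from collections import Counter

# Assumption: the article does not name the characters used, so every Unicode
# "format" (Cf) code point and every variation selector counts as invisible.
def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return (
        unicodedata.category(ch) == "Cf"
        or 0xFE00 <= cp <= 0xFE0F      # variation selectors
        or 0xE0100 <= cp <= 0xE01EF    # variation selectors supplement
    )

def find_invisible_runs(text: str, min_run: int = 8):
    """Return one dict per run of at least min_run consecutive invisible chars.

    A single ZWJ or emoji variation selector is normal in user text, so only
    long runs, which could carry encoded data, are reported.
    """
    runs, start = [], None
    for i, ch in enumerate(text + "\0"):  # sentinel closes a trailing run
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                chunk = text[start:i]
                runs.append({
                    "offset": start,
                    "length": i - start,
                    "codepoints": dict(Counter(f"U+{ord(c):04X}" for c in chunk)),
                })
            start = None
    return runs

# Constructed samples (not taken from the campaign).
SAMPLE_HIDDEN = "nice profile!" + "\u200b\u200c" * 12 + " gg"
SAMPLE_BENIGN = "family \U0001F468\u200d\U0001F469\u200d\U0001F467 and \u2764\ufe0f"

if __name__ == "__main__":
    for name, sample in (("hidden", SAMPLE_HIDDEN), ("benign", SAMPLE_BENIGN)):
        print(name, find_invisible_runs(sample))
```

The same function can be run over database exports or PHP files read as UTF-8; a hit means the text deserves manual review and is not proof of infection.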
