Researchers at GoDaddy have uncovered a malware campaign that compromised roughly 1,980 WordPress sites and repurposed Valve's Steam gaming platform as an unconventional command-and-control (C2) channel, according to a report published by Security Affairs.
The attack works by hiding malicious instructions inside Steam Community profile comments. Malicious code injected into the compromised WordPress sites fetches specific Steam user profiles, parses the comment section for encoded commands, and executes them — effectively turning Valve's gaming infrastructure into an invisible relay between the botnet operators and the infected sites.
Blending in with legitimate traffic
What makes this campaign particularly difficult to detect is the nature of the C2 traffic. Because the compromised sites fetch their instructions by making requests to ordinary Steam Community pages, the network activity resembles normal web browsing rather than malware communication, making it significantly harder for network monitoring tools to flag suspicious connections.
The actual command data is embedded within Steam profile comments using invisible Unicode characters — likely zero-width or similar non-printing code points — which render with no visible width at all, so the comment reads as ordinary text while the invisible characters carry the data the malware's parsing logic expects. To a casual observer browsing a Steam profile, nothing appears amiss; only an inspection of the raw code points reveals the payload.
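Checking comments for this kind of hidden channel does not require knowing the attackers' encoding: the mere presence of a run of zero-width code points in a profile comment is the signal. The following is an added example, not code from GoDaddy's report or from the malware. The bit scheme it decodes (U+200B for 0, U+200C for 1, U+200D as terminator) is an assumption made for illustration, since the report does not disclose the real one, and the comments it scans are constructed for the example.

```python
"""Detect and decode zero-width Unicode steganography in user comments.

Added example; not GoDaddy's or the malware's code. The bit encoding below
(ZWSP = 0, ZWNJ = 1, ZWJ terminates) is an assumption for illustration.
The detector itself (find_invisible / scan_comments) needs no knowledge
of the scheme and is the part that matters in practice.
"""

# Code points that render with no visible width. One or two can occur in
# legitimate text (a ZWJ inside an emoji sequence); a long run cannot.
INVISIBLE = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0x2061: "FUNCTION APPLICATION",
    0x2062: "INVISIBLE TIMES",
    0x2063: "INVISIBLE SEPARATOR",
    0x2064: "INVISIBLE PLUS",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
}

ZERO, ONE, END = "\u200b", "\u200c", "\u200d"  # assumed scheme


def encode(payload: bytes, carrier: str) -> str:
    """Hide payload after the first word of carrier text.
    Used only to build the constructed sample below."""
    bits = "".join(f"{b:08b}" for b in payload)
    hidden = "".join(ONE if bit == "1" else ZERO for bit in bits) + END
    head, _, tail = carrier.partition(" ")
    return head + hidden + " " + tail


def find_invisible(text: str) -> list:
    """Return (index, codepoint) for every invisible character in text."""
    return [(i, ord(ch)) for i, ch in enumerate(text) if ord(ch) in INVISIBLE]


def decode(text: str) -> bytes:
    """Decode the assumed ZWSP/ZWNJ scheme, ignoring visible characters.
    Returns b'' when no complete, terminated message is present."""
    bits = []
    for ch in text:
        if ch == ZERO:
            bits.append("0")
        elif ch == ONE:
            bits.append("1")
        elif ch == END:
            break
    else:
        return b""  # no terminator: truncated, or not this scheme
    if len(bits) % 8:
        return b""
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def scan_comments(comments, threshold=8):
    """Flag comments carrying at least `threshold` invisible code points.
    Each finding includes the text as a human sees it and a decode attempt."""
    flagged = []
    for author, text in comments:
        hits = find_invisible(text)
        if len(hits) >= threshold:
            flagged.append({
                "author": author,
                "invisible_count": len(hits),
                "visible_text": "".join(ch for ch in text if ord(ch) not in INVISIBLE),
                "decoded": decode(text),
            })
    return flagged


# Constructed sample comments (not real Steam data). The first hides a
# command under an innocuous message; the second is a normal comment whose
# emoji sequence contains a single ZWJ and must not be flagged.
SAMPLE_COMMENTS = [
    ("user_a", encode(b"cmd:update", "nice profile m8 rep+")),
    ("user_b", "gg ez \U0001F468\u200D\U0001F4BB"),  # man technologist emoji
    ("user_c", "+rep good trader"),
]

if __name__ == "__main__":
    for hit in scan_comments(SAMPLE_COMMENTS):
        print(hit)
```

Running the block flags only `user_a`: the visible text is the innocuous "nice profile m8 rep+", the comment carries 81 invisible code points, and the assumed scheme decodes to `cmd:update`. The threshold of eight keeps emoji sequences and the occasional stray joiner out of the results while still catching any payload longer than a single byte.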
A growing pattern of platform abuse
The technique of abusing high-reputation, high-traffic legitimate platforms as C2 infrastructure is a trend that has accelerated in recent years. Security researchers have previously documented similar abuse of Telegram, Discord, and cloud storage services as covert channels. The strategy exploits a fundamental tension in network defence: blocking traffic to popular, widely trusted platforms disrupts legitimate users, while allowing it gives attackers cover.
Steam is a particularly convenient vehicle for this kind of abuse. The platform has a massive global user base, its Community pages are publicly readable without authentication, and profile comments can be posted freely — giving attackers a low-cost data exfiltration and command delivery mechanism that needs no attacker-owned infrastructure, no domain registration, and presents nothing for a domain reputation feed to score.
Scale and implications
The scale of the campaign — nearly 2,000 compromised WordPress sites — suggests a methodical, automated infection process. WordPress, which powers a significant portion of the web, remains a persistent target for threat actors due to its extensive plugin ecosystem, varying patch management practices, and the sheer volume of sites running outdated components. GoDaddy's position as one of the world's largest WordPress hosting providers gives the company unique visibility into threats affecting the platform at scale.
For the IT and security community, the discovery underscores the need to monitor not just traditional C2 indicators but also traffic to legitimate platforms that deviates from expected usage. Standard endpoint protection and DNS-based filtering are unlikely to catch this class of attack, since the C2 endpoint is a genuine, trusted domain. What does stand out is the client: a WordPress server has no business fetching Steam Community profile pages, so per-host egress allow-lists for server fleets, alerts on unexpected outbound destinations from web servers, and file-integrity monitoring of the WordPress installation itself remain effective controls.
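The detection the paragraph calls for can be expressed directly over egress logs: ignore the destination's reputation and instead look at which hosts talk to it and how regularly. The following is an added example, not code from GoDaddy's report. The log format (timestamp, source host, method, URL) is an assumed egress-proxy format, the host-naming convention used to tell servers from workstations is an assumption, and the log lines are constructed for the example.

```python
"""Flag server hosts polling Steam Community profile pages at a steady cadence.

Added example; not from GoDaddy's report. Log format, host naming and the
sample lines are all assumptions constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed egress-proxy line: "<ISO timestamp> <source host> <METHOD> <URL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>https?://\S+)$")

# Public Steam Community profile URLs: /id/<vanity name> or /profiles/<steamid64>.
STEAM_PROFILE_RE = re.compile(r"^https?://steamcommunity\.com/(id|profiles)/[^/?#]+/?(\?.*)?$")


def parse(lines):
    """Yield (datetime, src, url) from lines that match the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["url"]


def is_server(host: str) -> bool:
    """Hosts that should never browse Steam. Naming convention is assumed."""
    return host.startswith("web-")


def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return (src, url, count, mean_interval_s) for server hosts that fetch
    the same Steam profile page at least min_hits times at near-constant
    spacing. Regularity is stdev/mean of the gaps between requests: a
    scheduled fetch produces a low ratio, a person browsing does not."""
    series = defaultdict(list)
    for ts, src, url in parse(lines):
        if is_server(src) and STEAM_PROFILE_RE.match(url):
            series[(src, url)].append(ts)
    findings = []
    for (src, url), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, url, len(stamps), avg))
    return findings


# Constructed egress log (not real traffic; the profile IDs are placeholders).
# web-07 polls one profile page every ten minutes; web-12 fetched a profile
# once; dev-laptop-3 is a person on the Steam store, which is out of scope.
SAMPLE_LOG = """\
2024-05-01T10:00:02 web-07 GET https://steamcommunity.com/profiles/000000000000000000
2024-05-01T10:00:05 web-07 GET https://api.wordpress.org/plugins/update-check/1.1/
2024-05-01T10:10:01 web-07 GET https://steamcommunity.com/profiles/000000000000000000
2024-05-01T10:12:44 dev-laptop-3 GET https://store.steampowered.com/app/000000/
2024-05-01T10:20:03 web-07 GET https://steamcommunity.com/profiles/000000000000000000
2024-05-01T10:25:00 web-12 GET https://steamcommunity.com/id/example_profile
2024-05-01T10:30:02 web-07 GET https://steamcommunity.com/profiles/000000000000000000
2024-05-01T10:40:01 web-07 GET https://steamcommunity.com/profiles/000000000000000000
"""

if __name__ == "__main__":
    for src, url, n, interval in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{src} fetched {url} {n} times, every ~{interval:.0f}s")
```

On the sample log only web-07 is reported: five fetches of the same profile page roughly 600 seconds apart with almost no jitter. The single fetch from web-12 is worth a manual look but falls below `min_hits`, and the workstation traffic is ignored because the rule keys on the class of client rather than on the destination. The jitter bound is an example threshold; real malware may add randomised sleep, in which case the plain fact of a web server requesting any Steam profile page is the alert to keep.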
Disrupting the campaign as a whole would likely require cooperation from Valve itself, including takedown requests targeting the specific Steam profiles being used to host command data. As of the report's publication, no public response from Valve regarding this specific campaign has been noted. Individual site owners do not need to wait for that: removing the injected code and closing the entry point that let it in takes a site out of the botnet regardless of whether the Steam profiles stay up.
The finding adds to a growing body of evidence that threat actors are investing significant creativity in hiding their infrastructure in plain sight — and that defenders need to look beyond suspicious domains and IPs to catch them.
