{
  "iim_version": "1.1",
  "chain_id": "godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor",
  "title": "Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control",
  "description": "IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.",
  "actor_id": "unknown",
  "observed_at": "2026-05-28T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations",
    "publisher": "GoDaddy Security / GoDaddy Resources News",
    "author": "Krasimir Konov",
    "url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
    "published_at": "2026-05-28",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "original vendor research report",
    "source_policy": "Original GoDaddy Security source only. Secondary summaries were not used for chain content."
  },
  "x_source_urls": [
    "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
  ],
  "x_source_title": "Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control",
  "x_source_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
  "x_resource_links_verified": [
    {
      "url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-30T00:00:00Z",
      "notes": "Verified article title, publisher, publication date, author, key findings, observed Steam profiles, invisible-Unicode decoding, optional AES/PBKDF2/HMAC layer, observed hello-mywordl.info JavaScript URL, cookie-authenticated backdoor behavior, infection-vector limitations, and detection guidance."
    }
  ],
  "x_iocs": {
    "steam_profile_urls": [
      "hxxps://steamcommunity[.]com/profiles/76561199096946028/",
      "hxxps://steamcommunity[.]com/id/ravypadliha",
      "hxxps://steamcommunity[.]com/id/enomisvool123/",
      "hxxps://steamcommunity[.]com/id/eremohin342"
    ],
    "decoded_javascript_url": "hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js",
    "domains": [
      "steamcommunity.com",
      "hello-mywordl.info"
    ],
    "wordpress_hooks": [
      "wp_enqueue_scripts",
      "template_redirect"
    ],
    "wordpress_script_handle": "asahi-jquery-min-bundle",
    "cookies": [
      "DEpjndDbNc",
      "tEcaKKXEsb"
    ],
    "post_parameters": [
      "new_code"
    ],
    "transient_prefix": "_transient_caption_",
    "marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
    "example_infected_path": "/wp-content/themes/gt3-child/functions.php",
    "invisible_unicode_chars": [
      "U+200C",
      "U+200D",
      "U+2061",
      "U+2062",
      "U+2063",
      "U+2064"
    ]
  },
  "x_limitations": [
    "GoDaddy explicitly states that the malware does not appear to exploit a specific WordPress, plugin, or theme version and lists several likely infection methods. The exact initial compromise vector is therefore not modeled as confirmed.",
    "The chain does not invent a vulnerable plugin, admin account, FTP/SFTP credential, landing URL, exploit request, threat actor name, Steam account owner, IP address, or domain-to-IP mapping not published by GoDaddy.",
    "Steam Community profile URLs are modeled as trusted-platform dead-drop/resolver infrastructure, not as attacker-owned infrastructure.",
    "The cookie-authenticated backdoor endpoint is modeled as compromised-site C2/control functionality. Because GoDaddy does not publish a specific victim domain, placeholder endpoint values are used and clearly marked.",
    "The observed external JavaScript URL is published by GoDaddy in defanged form. It is preserved defanged in this chain for public-feed safety."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "compromised WordPress plugin/theme PHP file containing Steam resolver malware",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware was discovered in /wp-content/themes/gt3-child/functions.php but can appear in any PHP file.",
        "GoDaddy states the malware performs two primary functions: client-side JavaScript injection and a server-side cookie-authenticated backdoor.",
        "GoDaddy states the likely infection methods include stolen WordPress admin credentials, compromised FTP/SFTP credentials, vulnerable plugin/theme, or supply-chain compromise, but no specific vector is confirmed."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_example_path": "/wp-content/themes/gt3-child/functions.php",
      "x_marker_function": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_initial_access_confirmed": false,
      "x_chain_stage": "infected_wordpress_php_layer"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/profiles/76561199096946028/",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e003",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/ravypadliha",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e004",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/enomisvool123/",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/eremohin342",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "commentthread_comment_text invisible-Unicode encoded payload blob",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware extracts content from the commentthread_comment_text div of Steam profile comments.",
        "GoDaddy states the decoder scans for invisible Unicode characters, maps them to numeric values, reconstructs bytes, applies bitwise NOT, and optionally attempts gzip decompression.",
        "GoDaddy lists six invisible Unicode characters used by the encoding: U+200C, U+200D, U+2061, U+2062, U+2063 and U+2064."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_encoding": "invisible Unicode steganography",
      "x_invisible_unicode_chars": [
        "U+200C",
        "U+200D",
        "U+2061",
        "U+2062",
        "U+2063",
        "U+2064"
      ],
      "x_chain_stage": "encoded_resolver_payload"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "optional AES-256-CTR / PBKDF2 / HMAC decoder layer",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware includes optional encrypted payload support.",
        "GoDaddy states the implementation uses PBKDF2 with SHA-512 and 10,000 iterations, AES-256-CTR, HMAC-SHA256 authentication, and constant-time hash comparison."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_crypto": {
        "kdf": "PBKDF2-SHA512",
        "iterations": 10000,
        "cipher": "AES-256-CTR",
        "auth": "HMAC-SHA256"
      },
      "x_chain_stage": "optional_crypto_decoder"
    },
    {
      "id": "e008",
      "type": "url",
      "value": "hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the decoded payload is used to construct a URL and inject it into WordPress pages.",
        "GoDaddy publishes the decoded URL observed during analysis as hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js.",
        "GoDaddy states the handle name asahi-jquery-min-bundle and the filename lodash.core.min.js mimic legitimate JavaScript libraries."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_domain": "hello-mywordl.info",
      "x_script_handle": "asahi-jquery-min-bundle",
      "x_defanged": true,
      "x_chain_stage": "external_javascript_payload"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "wp_enqueue_script frontend JavaScript injection via asahi-jquery-min-bundle",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the decoded URL is injected into WordPress pages using wp_enqueue_script with handle asahi-jquery-min-bundle.",
        "GoDaddy states the script is loaded on every WordPress frontend page via the wp_enqueue_scripts hook."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_wordpress_hook": "wp_enqueue_scripts",
      "x_script_handle": "asahi-jquery-min-bundle",
      "x_chain_stage": "client_side_injection_logic"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "mpzZYIbGOb template_redirect cookie-authenticated PHP backdoor handler",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware implements a server-side backdoor that hooks template_redirect and responds to POST requests containing specific authentication cookies.",
        "GoDaddy identifies the backdoor handler function as mpzZYIbGOb.",
        "GoDaddy states the backdoor supports a ping/version function and a remote code modification function."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_wordpress_hook": "template_redirect",
      "x_function": "mpzZYIbGOb",
      "x_chain_stage": "server_side_backdoor_payload"
    },
    {
      "id": "e011",
      "type": "url",
      "value": "<compromised WordPress site> POST / with cookie DEpjndDbNc",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states that when cookie DEpjndDbNc is present, the backdoor responds with OK and a version identifier.",
        "GoDaddy states this provides a method to verify the backdoor is operational and retrieve a version identifier.",
        "No specific compromised victim domain is published, so this endpoint is represented as a placeholder compromised WordPress site endpoint."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_cookie": "DEpjndDbNc",
      "x_function": "ping / keepalive",
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_c2_ping_endpoint"
    },
    {
      "id": "e012",
      "type": "url",
      "value": "<compromised WordPress site> POST / with cookie tEcaKKXEsb and parameter new_code",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states that when cookie tEcaKKXEsb is present, the backdoor accepts base64-encoded PHP code via POST parameter new_code.",
        "GoDaddy states the code update function searches plugin and theme directories for marker string G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 and replaces it with attacker-supplied code.",
        "GoDaddy states this allows attackers to replace existing malware code, modify the injected script URL, and maintain persistence after partial cleanup attempts."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_cookie": "tEcaKKXEsb",
      "x_post_parameter": "new_code",
      "x_marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_c2_code_update_endpoint"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "recursive plugin/theme code replacement using marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the file modification function searches recursively through plugin and theme directories.",
        "GoDaddy states the marker string decodes to G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72, the function name used for script injection.",
        "GoDaddy states this mechanism allows attackers to update malware code without re-compromising the site."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_targets": [
        "WP_CONTENT_DIR/plugins",
        "WP_CONTENT_DIR/themes"
      ],
      "x_chain_stage": "backdoor_update_staging"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "review_notes": "Confirmed infected PHP layer; exact initial compromise vector is not confirmed by GoDaddy."
    },
    {
      "entity_id": "e002",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e003",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e004",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e005",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Encoded payload extracted from Steam profile comments."
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Decoder/crypto layer documented by GoDaddy; modeled as local staging/processing evidence, not external infrastructure."
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Observed external JavaScript URL decoded from Steam comment data and injected into visitor-facing WordPress pages."
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "WordPress frontend injection logic that causes visitors to load the decoded JavaScript URL."
    },
    {
      "entity_id": "e010",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Server-side PHP backdoor handler implemented in the infected WordPress PHP code."
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Control endpoint exists on compromised WordPress sites; no specific victim domain was published."
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Remote code update endpoint exists on compromised WordPress sites; no specific victim domain was published."
    },
    {
      "entity_id": "e013",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Local plugin/theme code replacement mechanism used by the cookie-authenticated backdoor."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "connect",
      "sequence_order": 1,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/profiles/76561199096946028/ as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "connect",
      "sequence_order": 2,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/ravypadliha as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e004",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/enomisvool123/ as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e005",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/eremohin342 as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e002",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "references",
      "sequence_order": 8,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "execute",
      "sequence_order": 9,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the decoded bytes may be decrypted using the optional crypto routine with PBKDF2, AES-256-CTR and HMAC-SHA256.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "references",
      "sequence_order": 10,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the decoded payload is used to construct a URL and publishes hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js as the observed decoded URL.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the infected WordPress PHP adds the wp_enqueue_scripts hook and injects the decoded URL through wp_enqueue_script using handle asahi-jquery-min-bundle.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e009",
      "to": "e008",
      "type": "download",
      "sequence_order": 12,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the external JavaScript is loaded on every WordPress frontend page via the wp_enqueue_scripts hook.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e010",
      "type": "execute",
      "sequence_order": 13,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware also hooks template_redirect and implements a server-side backdoor function named mpzZYIbGOb.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "communicates-with",
      "sequence_order": 14,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states cookie DEpjndDbNc triggers a ping/version response that verifies the backdoor is operational.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e010",
      "to": "e012",
      "type": "communicates-with",
      "sequence_order": 15,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states cookie tEcaKKXEsb plus POST parameter new_code allows base64-encoded PHP code modification.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 16,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the remote code update function searches plugin/theme files for marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 and replaces the line with attacker-supplied PHP code.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e013",
      "to": "e001",
      "type": "drops",
      "sequence_order": 17,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "GoDaddy states the remote rewrite capability can replace existing malware code and modify the injected script URL without re-compromising the site. This relation closes the update loop back into the infected PHP layer.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1505.003",
      "name": "Server Software Component: Web Shell",
      "tactic": "Persistence",
      "comment": "The server-side PHP backdoor accepts authenticated POST requests and can modify plugin/theme files."
    },
    {
      "technique_id": "T1102",
      "name": "Web Service",
      "tactic": "Command and Control",
      "comment": "Steam Community is abused as a trusted web platform to host encoded command/control data."
    },
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Invisible Unicode steganography, string encoding, randomized identifiers, and optional encryption are used."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "The malware uses HTTP(S), cURL, WordPress page loads, and cookie-authenticated POST control."
    },
    {
      "technique_id": "T1059.006",
      "name": "Command and Scripting Interpreter: Python/PHP",
      "tactic": "Execution",
      "comment": "Malicious PHP in WordPress plugin/theme context implements the fetch/decode/injection and backdoor logic."
    }
  ]
}