← feed

godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor

Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control

IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.

confirmed IIM v1.1 unknown
Raw JSON
entities13
relations17
techniques4
published2026-05-30 11:26:11

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

compromised WordPress plugin/theme PHP file containing Steam resolver malware

IIM-T004
2
redirector

url

hxxps://steamcommunity[.]com/profiles/76561199096946028/

IIM-T006IIM-T013IIM-T018
3
redirector

url

hxxps://steamcommunity[.]com/id/ravypadliha

IIM-T006IIM-T013IIM-T018
4
redirector

url

hxxps://steamcommunity[.]com/id/enomisvool123/

IIM-T006IIM-T013IIM-T018
5
redirector

url

hxxps://steamcommunity[.]com/id/eremohin342

IIM-T006IIM-T013IIM-T018
6
staging

file

commentthread_comment_text invisible-Unicode encoded payload blob

IIM-T013
7
staging

file

optional AES-256-CTR / PBKDF2 / HMAC decoder layer

8
payload

url

hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js

9
payload

file

wp_enqueue_script frontend JavaScript injection via asahi-jquery-min-bundle

10
payload

file

mpzZYIbGOb template_redirect cookie-authenticated PHP backdoor handler

11
c2

url

<compromised WordPress site> POST / with cookie DEpjndDbNc

IIM-T004
12
c2

url

<compromised WordPress site> POST / with cookie tEcaKKXEsb and parameter new_code

IIM-T004
13
staging

file

recursive plugin/theme code replacement using marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72

Relations

directed infrastructure edges
e001connecte002 confirmed
e001connecte003 confirmed
e001connecte004 confirmed
e001connecte005 confirmed
e002referencese006 confirmed
e003referencese006 confirmed
e004referencese006 confirmed
e005referencese006 confirmed
e006executee007 confirmed
e007referencese008 confirmed
e001executee009 confirmed
e009downloade008 confirmed
e001executee010 confirmed
e010communicates-withe011 confirmed
e010communicates-withe012 confirmed
e012dropse013 confirmed
e013dropse001 likely

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 file compromised WordPress plugin/theme PHP file containing Steam resolver malware
GoDaddy states the malware was discovered in /wp-content/themes/gt3-child/functions.php but can appear in any PHP file.
GoDaddy states the malware performs two primary functions: client-side JavaScript injection and a server-side cookie-authenticated backdoor.
GoDaddy states the likely infection methods include stolen WordPress admin credentials, compromised FTP/SFTP credentials, vulnerable plugin/theme, or supply-chain compromise, but no specific vector is confirmed.
e002 url hxxps://steamcommunity[.]com/profiles/76561199096946028/
GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.
GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.
GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform.
e003 url hxxps://steamcommunity[.]com/id/ravypadliha
GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.
GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.
GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform.
e004 url hxxps://steamcommunity[.]com/id/enomisvool123/
GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.
GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.
GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform.
e005 url hxxps://steamcommunity[.]com/id/eremohin342
GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.
GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.
GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform.
e006 file commentthread_comment_text invisible-Unicode encoded payload blob
GoDaddy states the malware extracts content from the commentthread_comment_text div of Steam profile comments.
GoDaddy states the decoder scans for invisible Unicode characters, maps them to numeric values, reconstructs bytes, applies bitwise NOT, and optionally attempts gzip decompression.
GoDaddy lists six invisible Unicode characters used by the encoding: U+200C, U+200D, U+2061, U+2062, U+2063 and U+2064.
e007 file optional AES-256-CTR / PBKDF2 / HMAC decoder layer
GoDaddy states the malware includes optional encrypted payload support.
GoDaddy states the implementation uses PBKDF2 with SHA-512 and 10,000 iterations, AES-256-CTR, HMAC-SHA256 authentication, and constant-time hash comparison.
e008 url hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js
GoDaddy states the decoded payload is used to construct a URL and inject it into WordPress pages.
GoDaddy publishes the decoded URL observed during analysis as hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js.
GoDaddy states the handle name asahi-jquery-min-bundle and the filename lodash.core.min.js mimic legitimate JavaScript libraries.
e009 file wp_enqueue_script frontend JavaScript injection via asahi-jquery-min-bundle
GoDaddy states the decoded URL is injected into WordPress pages using wp_enqueue_script with handle asahi-jquery-min-bundle.
GoDaddy states the script is loaded on every WordPress frontend page via the wp_enqueue_scripts hook.
e010 file mpzZYIbGOb template_redirect cookie-authenticated PHP backdoor handler
GoDaddy states the malware implements a server-side backdoor that hooks template_redirect and responds to POST requests containing specific authentication cookies.
GoDaddy identifies the backdoor handler function as mpzZYIbGOb.
GoDaddy states the backdoor supports a ping/version function and a remote code modification function.
e011 url <compromised WordPress site> POST / with cookie DEpjndDbNc
GoDaddy states that when cookie DEpjndDbNc is present, the backdoor responds with OK and a version identifier.
GoDaddy states this provides a method to verify the backdoor is operational and retrieve a version identifier.
No specific compromised victim domain is published, so this endpoint is represented as a placeholder compromised WordPress site endpoint.
e012 url <compromised WordPress site> POST / with cookie tEcaKKXEsb and parameter new_code
GoDaddy states that when cookie tEcaKKXEsb is present, the backdoor accepts base64-encoded PHP code via POST parameter new_code.
GoDaddy states the code update function searches plugin and theme directories for marker string G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 and replaces it with attacker-supplied code.
GoDaddy states this allows attackers to replace existing malware code, modify the injected script URL, and maintain persistence after partial cleanup attempts.
e013 file recursive plugin/theme code replacement using marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72
GoDaddy states the file modification function searches recursively through plugin and theme directories.
GoDaddy states the marker string decodes to G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72, the function name used for script injection.
GoDaddy states this mechanism allows attackers to update malware code without re-compromising the site.

ATT&CK annotations

optional complementary mapping
T1505.003Server Software Component: Web Shell

The server-side PHP backdoor accepts authenticated POST requests and can modify plugin/theme files.

T1102Web Service

Steam Community is abused as a trusted web platform to host encoded command/control data.

T1027Obfuscated Files or Information

Invisible Unicode steganography, string encoding, randomized identifiers, and optional encryption are used.

T1071.001Application Layer Protocol: Web Protocols

The malware uses HTTP(S), cURL, WordPress page loads, and cookie-authenticated POST control.

T1059.006Command and Scripting Interpreter: Python/PHP

Malicious PHP in WordPress plugin/theme context implements the fetch/decode/injection and backdoor logic.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor",
  "title": "Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control",
  "description": "IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.",
  "actor_id": "unknown",
  "observed_at": "2026-05-28T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations",
    "publisher": "GoDaddy Security / GoDaddy Resources News",
    "author": "Krasimir Konov",
    "url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
    "published_at": "2026-05-28",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "original vendor research report",
    "source_policy": "Original GoDaddy Security source only. Secondary summaries were not used for chain content."
  },
  "x_source_urls": [
    "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
  ],
  "x_source_title": "Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control",
  "x_source_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
  "x_resource_links_verified": [
    {
      "url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-30T00:00:00Z",
      "notes": "Verified article title, publisher, publication date, author, key findings, observed Steam profiles, invisible-Unicode decoding, optional AES/PBKDF2/HMAC layer, observed hello-mywordl.info JavaScript URL, cookie-authenticated backdoor behavior, infection-vector limitations, and detection guidance."
    }
  ],
  "x_iocs": {
    "steam_profile_urls": [
      "hxxps://steamcommunity[.]com/profiles/76561199096946028/",
      "hxxps://steamcommunity[.]com/id/ravypadliha",
      "hxxps://steamcommunity[.]com/id/enomisvool123/",
      "hxxps://steamcommunity[.]com/id/eremohin342"
    ],
    "decoded_javascript_url": "hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js",
    "domains": [
      "steamcommunity.com",
      "hello-mywordl.info"
    ],
    "wordpress_hooks": [
      "wp_enqueue_scripts",
      "template_redirect"
    ],
    "wordpress_script_handle": "asahi-jquery-min-bundle",
    "cookies": [
      "DEpjndDbNc",
      "tEcaKKXEsb"
    ],
    "post_parameters": [
      "new_code"
    ],
    "transient_prefix": "_transient_caption_",
    "marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
    "example_infected_path": "/wp-content/themes/gt3-child/functions.php",
    "invisible_unicode_chars": [
      "U+200C",
      "U+200D",
      "U+2061",
      "U+2062",
      "U+2063",
      "U+2064"
    ]
  },
  "x_limitations": [
    "GoDaddy explicitly states that the malware does not appear to exploit a specific WordPress, plugin, or theme version and lists several likely infection methods. The exact initial compromise vector is therefore not modeled as confirmed.",
    "The chain does not invent a vulnerable plugin, admin account, FTP/SFTP credential, landing URL, exploit request, threat actor name, Steam account owner, IP address, or domain-to-IP mapping not published by GoDaddy.",
    "Steam Community profile URLs are modeled as trusted-platform dead-drop/resolver infrastructure, not as attacker-owned infrastructure.",
    "The cookie-authenticated backdoor endpoint is modeled as compromised-site C2/control functionality. Because GoDaddy does not publish a specific victim domain, placeholder endpoint values are used and clearly marked.",
    "The observed external JavaScript URL is published by GoDaddy in defanged form. It is preserved defanged in this chain for public-feed safety."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "compromised WordPress plugin/theme PHP file containing Steam resolver malware",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware was discovered in /wp-content/themes/gt3-child/functions.php but can appear in any PHP file.",
        "GoDaddy states the malware performs two primary functions: client-side JavaScript injection and a server-side cookie-authenticated backdoor.",
        "GoDaddy states the likely infection methods include stolen WordPress admin credentials, compromised FTP/SFTP credentials, vulnerable plugin/theme, or supply-chain compromise, but no specific vector is confirmed."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_example_path": "/wp-content/themes/gt3-child/functions.php",
      "x_marker_function": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_initial_access_confirmed": false,
      "x_chain_stage": "infected_wordpress_php_layer"
    },
    {
      "id": "e002",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/profiles/76561199096946028/",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e003",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/ravypadliha",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e004",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/enomisvool123/",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "hxxps://steamcommunity[.]com/id/eremohin342",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware has been observed fetching Steam Community profiles and lists this profile as an observed profile.",
        "GoDaddy states the malware uses cURL to fetch Steam Community profile pages and extracts the commentthread_comment_text div content.",
        "GoDaddy characterizes this behavior as hiding command and control data behind Valve/Steam as a legitimate trusted platform."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_trusted_platform": "Steam Community",
      "x_platform_owner": "Valve",
      "x_exact_profile_published": true,
      "x_chain_stage": "trusted_platform_dead_drop_resolver"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "commentthread_comment_text invisible-Unicode encoded payload blob",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware extracts content from the commentthread_comment_text div of Steam profile comments.",
        "GoDaddy states the decoder scans for invisible Unicode characters, maps them to numeric values, reconstructs bytes, applies bitwise NOT, and optionally attempts gzip decompression.",
        "GoDaddy lists six invisible Unicode characters used by the encoding: U+200C, U+200D, U+2061, U+2062, U+2063 and U+2064."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_encoding": "invisible Unicode steganography",
      "x_invisible_unicode_chars": [
        "U+200C",
        "U+200D",
        "U+2061",
        "U+2062",
        "U+2063",
        "U+2064"
      ],
      "x_chain_stage": "encoded_resolver_payload"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "optional AES-256-CTR / PBKDF2 / HMAC decoder layer",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware includes optional encrypted payload support.",
        "GoDaddy states the implementation uses PBKDF2 with SHA-512 and 10,000 iterations, AES-256-CTR, HMAC-SHA256 authentication, and constant-time hash comparison."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_crypto": {
        "kdf": "PBKDF2-SHA512",
        "iterations": 10000,
        "cipher": "AES-256-CTR",
        "auth": "HMAC-SHA256"
      },
      "x_chain_stage": "optional_crypto_decoder"
    },
    {
      "id": "e008",
      "type": "url",
      "value": "hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the decoded payload is used to construct a URL and inject it into WordPress pages.",
        "GoDaddy publishes the decoded URL observed during analysis as hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js.",
        "GoDaddy states the handle name asahi-jquery-min-bundle and the filename lodash.core.min.js mimic legitimate JavaScript libraries."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_domain": "hello-mywordl.info",
      "x_script_handle": "asahi-jquery-min-bundle",
      "x_defanged": true,
      "x_chain_stage": "external_javascript_payload"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "wp_enqueue_script frontend JavaScript injection via asahi-jquery-min-bundle",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the decoded URL is injected into WordPress pages using wp_enqueue_script with handle asahi-jquery-min-bundle.",
        "GoDaddy states the script is loaded on every WordPress frontend page via the wp_enqueue_scripts hook."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_wordpress_hook": "wp_enqueue_scripts",
      "x_script_handle": "asahi-jquery-min-bundle",
      "x_chain_stage": "client_side_injection_logic"
    },
    {
      "id": "e010",
      "type": "file",
      "value": "mpzZYIbGOb template_redirect cookie-authenticated PHP backdoor handler",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the malware implements a server-side backdoor that hooks template_redirect and responds to POST requests containing specific authentication cookies.",
        "GoDaddy identifies the backdoor handler function as mpzZYIbGOb.",
        "GoDaddy states the backdoor supports a ping/version function and a remote code modification function."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_wordpress_hook": "template_redirect",
      "x_function": "mpzZYIbGOb",
      "x_chain_stage": "server_side_backdoor_payload"
    },
    {
      "id": "e011",
      "type": "url",
      "value": "<compromised WordPress site> POST / with cookie DEpjndDbNc",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states that when cookie DEpjndDbNc is present, the backdoor responds with OK and a version identifier.",
        "GoDaddy states this provides a method to verify the backdoor is operational and retrieve a version identifier.",
        "No specific compromised victim domain is published, so this endpoint is represented as a placeholder compromised WordPress site endpoint."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_cookie": "DEpjndDbNc",
      "x_function": "ping / keepalive",
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_c2_ping_endpoint"
    },
    {
      "id": "e012",
      "type": "url",
      "value": "<compromised WordPress site> POST / with cookie tEcaKKXEsb and parameter new_code",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states that when cookie tEcaKKXEsb is present, the backdoor accepts base64-encoded PHP code via POST parameter new_code.",
        "GoDaddy states the code update function searches plugin and theme directories for marker string G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 and replaces it with attacker-supplied code.",
        "GoDaddy states this allows attackers to replace existing malware code, modify the injected script URL, and maintain persistence after partial cleanup attempts."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_cookie": "tEcaKKXEsb",
      "x_post_parameter": "new_code",
      "x_marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_c2_code_update_endpoint"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "recursive plugin/theme code replacement using marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "observed_at": "2026-05-28T00:00:00Z",
      "source": "GoDaddy Security: Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations (2026-05-28)",
      "evidence": [
        "GoDaddy states the file modification function searches recursively through plugin and theme directories.",
        "GoDaddy states the marker string decodes to G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72, the function name used for script injection.",
        "GoDaddy states this mechanism allows attackers to update malware code without re-compromising the site."
      ],
      "x_reference_url": "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles",
      "x_marker_string": "G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72",
      "x_targets": [
        "WP_CONTENT_DIR/plugins",
        "WP_CONTENT_DIR/themes"
      ],
      "x_chain_stage": "backdoor_update_staging"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "likely",
      "technique_confidence": "likely",
      "review_notes": "Confirmed infected PHP layer; exact initial compromise vector is not confirmed by GoDaddy."
    },
    {
      "entity_id": "e002",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e003",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e004",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e005",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Trusted Steam profile comment layer used as dead-drop/resolver for encoded C2 data."
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Encoded payload extracted from Steam profile comments."
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Decoder/crypto layer documented by GoDaddy; modeled as local staging/processing evidence, not external infrastructure."
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Observed external JavaScript URL decoded from Steam comment data and injected into visitor-facing WordPress pages."
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "WordPress frontend injection logic that causes visitors to load the decoded JavaScript URL."
    },
    {
      "entity_id": "e010",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Server-side PHP backdoor handler implemented in the infected WordPress PHP code."
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Control endpoint exists on compromised WordPress sites; no specific victim domain was published."
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Remote code update endpoint exists on compromised WordPress sites; no specific victim domain was published."
    },
    {
      "entity_id": "e013",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Local plugin/theme code replacement mechanism used by the cookie-authenticated backdoor."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "connect",
      "sequence_order": 1,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/profiles/76561199096946028/ as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "connect",
      "sequence_order": 2,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/ravypadliha as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e004",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/enomisvool123/ as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e005",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware uses cURL during WordPress page loads to fetch Steam profile pages and lists hxxps://steamcommunity[.]com/id/eremohin342 as observed.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e002",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "references",
      "sequence_order": 7,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "references",
      "sequence_order": 8,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware extracts the commentthread_comment_text div content from Steam profiles and treats the hidden payload data in those comments as the encoded command/control data.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "execute",
      "sequence_order": 9,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the decoded bytes may be decrypted using the optional crypto routine with PBKDF2, AES-256-CTR and HMAC-SHA256.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "references",
      "sequence_order": 10,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the decoded payload is used to construct a URL and publishes hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js as the observed decoded URL.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the infected WordPress PHP adds the wp_enqueue_scripts hook and injects the decoded URL through wp_enqueue_script using handle asahi-jquery-min-bundle.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e009",
      "to": "e008",
      "type": "download",
      "sequence_order": 12,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the external JavaScript is loaded on every WordPress frontend page via the wp_enqueue_scripts hook.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e001",
      "to": "e010",
      "type": "execute",
      "sequence_order": 13,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the malware also hooks template_redirect and implements a server-side backdoor function named mpzZYIbGOb.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "communicates-with",
      "sequence_order": 14,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states cookie DEpjndDbNc triggers a ping/version response that verifies the backdoor is operational.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e010",
      "to": "e012",
      "type": "communicates-with",
      "sequence_order": 15,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states cookie tEcaKKXEsb plus POST parameter new_code allows base64-encoded PHP code modification.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 16,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "GoDaddy states the remote code update function searches plugin/theme files for marker G7jp2L84mnVc4LNW9wcbZcaVFAyC9N72 and replaces the line with attacker-supplied PHP code.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    },
    {
      "from": "e013",
      "to": "e001",
      "type": "drops",
      "sequence_order": 17,
      "observed_at": "2026-05-28T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "GoDaddy states the remote rewrite capability can replace existing malware code and modify the injected script URL without re-compromising the site. This relation closes the update loop back into the infected PHP layer.",
        "https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles"
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1505.003",
      "name": "Server Software Component: Web Shell",
      "tactic": "Persistence",
      "comment": "The server-side PHP backdoor accepts authenticated POST requests and can modify plugin/theme files."
    },
    {
      "technique_id": "T1102",
      "name": "Web Service",
      "tactic": "Command and Control",
      "comment": "Steam Community is abused as a trusted web platform to host encoded command/control data."
    },
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Invisible Unicode steganography, string encoding, randomized identifiers, and optional encryption are used."
    },
    {
      "technique_id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control",
      "comment": "The malware uses HTTP(S), cURL, WordPress page loads, and cookie-authenticated POST control."
    },
    {
      "technique_id": "T1059.006",
      "name": "Command and Scripting Interpreter: Python/PHP",
      "tactic": "Execution",
      "comment": "Malicious PHP in WordPress plugin/theme context implements the fetch/decode/injection and backdoor logic."
    }
  ]
}