AimactGrow
Hidden Backdoor in WordPress Plugins Grants Attackers Ongoing Access to Websites

By Admin
July 23, 2025
Security researchers have uncovered a worrying pattern in which a highly skilled malware campaign has been targeting WordPress websites by using the frequently overlooked mu-plugins directory to plant a covert backdoor.

This directory, short for “must-use plugins,” holds plugins that are loaded automatically and cannot be deactivated from the standard WordPress admin interface, which makes it an ideal hiding place for persistent threats.

The malware, disguised as an innocuous file named wp-index.php inside /wp-content/mu-plugins/, functions as a loader that quietly retrieves a remote payload from a ROT13-obfuscated URL, decodes it, and executes arbitrary PHP code.

This tactic echoes a similar infection wave reported in March 2025, underscoring the evolving techniques attackers use to maintain long-term access to compromised websites.

Persistent Threat in MU-Plugins

By leveraging WordPress’s core functions for payload fetching and execution, the malware operates silently, evading routine filesystem scans and blending in with legitimate site operations.

According to the Sucuri report, the ROT13 obfuscation technique, a simple Caesar cipher that shifts letters by 13 positions in the alphabet, serves no real cryptographic purpose but effectively conceals malicious URLs during the initial infection stages.

For example, the encoded string ‘uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc’ decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php, from which the base64-encoded payload is downloaded.
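Because ROT13 is a fixed 13-letter shift, a string literal that only turns into a URL after the shift is itself a usable detection signal. The script below is an added example, not code from the article or from Sucuri: it walks the quoted string literals in a PHP source text, applies ROT13, and reports any that decode to an http(s) URL, skipping literals that are already plain URLs. The PHP snippet it scans is constructed for the example and merely imitates the loader's use of a ROT13-wrapped URL; the encoded string is the one quoted above, and the decoded result is defanged for reporting.

```python
import codecs
import re

# Constructed PHP source, modelled on the loader behaviour the article
# describes rather than copied from it: one ROT13-wrapped URL literal, one
# plaintext URL, and an ordinary string, so the detector has something to
# reject as well as something to flag.
SAMPLE_PHP = r"""<?php
$u = str_rot13('uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc');
$api = "https://example.com/wp-json/";
echo 'hello';
"""

# Single- or double-quoted PHP string literal (backslash escapes allowed).
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)+)\1""")
URL_SCHEME = re.compile(r"https?://", re.I)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: applying the 13-letter shift twice restores the input."""
    return codecs.decode(text, "rot13")


def find_rot13_urls(source: str):
    """Return (literal, decoded) pairs for string literals that only become URLs after ROT13."""
    hits = []
    for m in STRING_LITERAL.finditer(source):
        literal = m.group(2)
        if URL_SCHEME.match(literal):
            continue  # already a plain URL; nothing is hidden here
        decoded = rot13(literal)
        if URL_SCHEME.match(decoded):
            hits.append((literal, decoded))
    return hits


def defang(url: str) -> str:
    """Rewrite a decoded URL so it cannot be clicked when pasted into a report."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


if __name__ == "__main__":
    for literal, decoded in find_rot13_urls(SAMPLE_PHP):
        print(f"{literal} -> {defang(decoded)}")
```

Run over a real plugin directory, the same function can be applied to each PHP file's contents; a legitimate plugin has little reason to keep its remote endpoints ROT13-encoded, so every hit is worth a manual look.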

[Figure: The remote payload at cron.php]

This payload is then stored in the WordPress database under the option key _hdra_core, providing a non-filesystem persistence mechanism that complicates detection by security tools.

The script validates the base64 integrity before briefly writing the decoded content to a file such as .sess-[hash].php in the uploads directory, including it for execution, and promptly deleting it to minimise forensic traces.

Additionally, the malware creates a hidden administrator account named ‘officialwp’ and injects a file manager into the theme directory as pricing-table-3.php, reachable via a custom HTTP header token, for operations such as browsing, uploading, and deleting files.

Multifaceted Malware Capabilities

Looking deeper into the payload hosted at the decoded cron.php endpoint, analysts found a comprehensive backdoor framework that extends well beyond persistence.

The malware downloads and force-activates a secondary plugin, wp-bot-protect.php, from another ROT13-obfuscated URL that decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/shp; this plugin can reinstate the infection if the primary components are removed.

A particularly insidious feature programmatically resets the passwords of common admin usernames, including ‘admin’, ‘root’, ‘wpsupport’, and even its own ‘officialwp’, to an attacker-controlled default, effectively locking out legitimate users and guaranteeing re-entry.

Its dynamic command execution capability permits remote PHP code injection, letting attackers adapt the malware’s behaviour on the fly, for example by embedding additional backdoors or suppressing security plugins.

The broader impact of this infection is profound: attackers gain unrestricted administrator privileges to manipulate site content, exfiltrate sensitive user data, or repurpose the site for phishing, ransomware distribution, or distributed denial-of-service (DDoS) attacks against third parties.

Its multi-layered evasion techniques, including database storage, temporary file handling, and self-reinforcement via plugins, make it exceptionally resilient to standard remediation efforts.

Website owners are urged to scan for indicators such as the wp-index.php file, the _hdra_core database entry, and anomalous admin users, and to implement strict file integrity monitoring and regular database audits to mitigate such threats.

This incident highlights the critical need for heightened vigilance over lesser-known WordPress directories, as attackers continue to exploit architectural nuances for sustained, covert operations.
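The indicator sweep recommended above can be scripted so it is repeatable. The following is an added example, not code from the article or from Sucuri: it builds a constructed WordPress directory tree in a temporary folder containing the file indicators named in the article (wp-index.php under mu-plugins, a .sess-[hash].php under uploads, pricing-table-3.php under a theme), then scans it, and it checks constructed stand-ins for the wp_options and wp_users tables for the _hdra_core key and for administrator logins outside an owner-maintained allow-list. The row shapes (name/value and login/role tuples), the theme name, the hash value and the allow-list are all assumptions of the example; the base64 value is a placeholder, not the real payload. It goes slightly beyond the article by listing every mu-plugin, since any file in that directory auto-loads, and by flagging any PHP file under uploads, not only the .sess- pattern.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the wp_options and wp_users tables
# (assumption: one (name, value) and one (login, role) tuple per row).
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("_hdra_core", "PD9waHAgLy8gY29uc3RydWN0ZWQgcGxhY2Vob2xkZXI="),  # placeholder, not the real payload
    ("blogname", "Example Site"),
]
SAMPLE_USERS = [
    ("admin", "administrator"),
    ("editor1", "editor"),
    ("officialwp", "administrator"),
]
EXPECTED_ADMINS = {"admin"}  # assumption: the owner's allow-list of admin logins


def build_sample_site(root: Path) -> None:
    """Create a constructed WordPress tree containing the article's file indicators."""
    wc = root / "wp-content"
    (wc / "mu-plugins").mkdir(parents=True)
    (wc / "mu-plugins" / "wp-index.php").write_text("<?php // constructed stand-in\n")
    (wc / "mu-plugins" / "site-helper.php").write_text("<?php // benign mu-plugin\n")
    (wc / "uploads" / "2025" / "07").mkdir(parents=True)
    (wc / "uploads" / "2025" / "07" / ".sess-0a1b2c3d.php").write_text("<?php\n")
    (wc / "uploads" / "2025" / "07" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (wc / "themes" / "sometheme").mkdir(parents=True)
    (wc / "themes" / "sometheme" / "pricing-table-3.php").write_text("<?php\n")
    (wc / "themes" / "sometheme" / "style.css").write_text("/* theme */\n")


def scan_filesystem(root):
    """Return (tag, relative_path) findings for the file-based indicators."""
    root = Path(root)
    wc = root / "wp-content"
    findings = []
    mu = wc / "mu-plugins"
    if mu.is_dir():
        # Every mu-plugin auto-loads and cannot be switched off from wp-admin,
        # so list all of them; the known loader name gets its own tag.
        for p in sorted(mu.glob("*.php")):
            tag = "mu-plugin-known-ioc" if p.name == "wp-index.php" else "mu-plugin-review"
            findings.append((tag, p.relative_to(root).as_posix()))
    uploads = wc / "uploads"
    if uploads.is_dir():
        # PHP under uploads should not exist at all; the .sess-<hash>.php name
        # is the article's temporary-dropper indicator.
        for p in sorted(uploads.rglob("*.php")):
            tag = ("uploads-session-dropper"
                   if re.fullmatch(r"\.sess-[0-9a-f]+\.php", p.name) else "uploads-php")
            findings.append((tag, p.relative_to(root).as_posix()))
    themes = wc / "themes"
    if themes.is_dir():
        for p in sorted(themes.rglob("pricing-table-3.php")):
            findings.append(("theme-file-manager", p.relative_to(root).as_posix()))
    return findings


def scan_options(options):
    """Flag the _hdra_core option the loader uses to park its payload."""
    return [("option-payload-store", name) for name, _ in options if name == "_hdra_core"]


def scan_users(users, expected_admins):
    """Flag any administrator login that is not on the owner's allow-list."""
    return [("unexpected-admin", login) for login, role in users
            if role == "administrator" and login not in expected_admins]


def run_demo():
    """Build the constructed site in a temp dir and return all findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        findings = scan_filesystem(root)
    findings += scan_options(SAMPLE_OPTIONS)
    findings += scan_users(SAMPLE_USERS, EXPECTED_ADMINS)
    return findings


if __name__ == "__main__":
    for tag, detail in run_demo():
        print(f"{tag:26} {detail}")
```

On a live site, `scan_filesystem` would be pointed at the WordPress root and the two table scans fed from a database export or a WP-CLI listing; the allow-list check is what turns "anomalous admin users" into something a script can decide, because the site owner, not the scanner, knows which administrator logins are supposed to exist.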
