Severity
High
Analysis Summary
A newly uncovered and highly sophisticated WordPress malware campaign is exploiting the “mu-plugins” (must-use plugins) directory, a location rarely monitored by traditional security tools, to establish persistent and stealthy access to compromised websites. The malware, identified as wp-index.php, abuses WordPress’s must-use plugin feature to ensure its execution cannot be disabled via the admin panel. Using advanced ROT13 obfuscation, the malware conceals its communication with command-and-control (C2) infrastructure, effectively flying under the radar of common security mechanisms.
According to the researchers, upon execution the malware connects to a remote server (hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php) to fetch base64-encoded payloads, which are then stored in the WordPress database under the option key _hdra_core. This database-centric persistence bypasses conventional security tools that focus on file integrity, because the malware no longer needs to leave obvious file traces. It even writes its payloads to temporary PHP files that are deleted immediately after execution, minimizing the forensic footprint. This method allows the malware to survive standard site cleanups and maintain continuous access.
Adding another layer of stealth, the malware creates a hidden admin user named “officialwp”, while modifying the WordPress UI through carefully crafted filter functions to hide its presence. One of the payload components includes a covert file manager, named pricing-table-3.php, embedded in the active theme folder and protected via an HTTP header-based custom authentication token (fsociety_OwnzU_4Evr_1337H4x!). This allows attackers to remotely access and manipulate files on the infected server under the guise of a legitimate plugin component.
Researchers discovered this backdoor during routine malware analysis and highlighted its multi-vector persistence and unusually robust evasion techniques. By leveraging WordPress internals in creative ways (abuse of must-use plugins, concealed admin users, and database-based payload storage), the threat actors behind this campaign have demonstrated an advanced understanding of the platform. Their tactics ensure long-term control over affected sites and render standard mitigation efforts largely ineffective unless the infection is thoroughly and manually investigated.
Impact
- Code Execution
- Gain Access
- Security Bypass
Indicators of Compromise
URL
- https://1870y4rr4y3d1k757673q.xyz/cron.php
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Manually inspect the wp-content/mu-plugins directory and delete any unknown or suspicious files such as wp-index.php.
- Check for hidden or unauthorized admin users (e.g., officialwp) using the WordPress dashboard or direct database queries, and remove them.
- Examine the WordPress database, especially the wp_options table, for suspicious entries like _hdra_core, and delete any malicious payloads.
- Reinstall fresh copies of the WordPress core, themes, and plugins from official sources to eliminate backdoored files.
- Look in the active theme directory for hidden malware files such as pricing-table-3.php and remove them.
- Use multiple malware scanning tools like Wordfence, Sucuri, or MalCare, and follow up with manual reviews for hidden code or obfuscated scripts.
- Edit wp-config.php to disable file editing via the dashboard by adding define( 'DISALLOW_FILE_EDIT', true );.
- Install logging plugins (e.g., WP Activity Log) to track file changes and user activity in real time.
- Change all admin, database, FTP, and hosting panel passwords, and regenerate WordPress authentication keys in wp-config.php.
- Block access to known malicious domains (such as 1870y4rr4y3d1k757673q[.]xyz) via .htaccess or security plugins.
- Keep WordPress, all plugins, and themes updated to the latest versions to patch any known vulnerabilities.
- Remove unused or outdated plugins and themes that could serve as attack vectors.
- Set up file integrity monitoring to detect unauthorized file changes quickly.
- Maintain regular secure backups of your website and monitor for any suspicious activity continuously.
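The following triage helper is an added example and is not part of the advisory; it turns the persistence artefacts described in the Analysis Summary and the manual checks in the Remediation list into a repeatable offline check. The file names (wp-index.php, pricing-table-3.php), the option key (_hdra_core), the user name (officialwp) and the C2 domain come from this page; the sample site tree, the placeholder file contents and the function names are constructed here. Because the advisory says the C2 address is concealed with ROT13, the scanner also looks for the ROT13 form of the domain, which a plain string match on the IOC would miss.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory above.
C2_DOMAIN = "1870y4rr4y3d1k757673q.xyz"
KNOWN_MU_FILES = {"wp-index.php"}
KNOWN_THEME_FILES = {"pricing-table-3.php"}
KNOWN_OPTION_KEYS = {"_hdra_core"}
KNOWN_USERS = {"officialwp"}

# The advisory says the C2 address is hidden with ROT13, so also look for the
# ROT13 form of the domain (digits and dots are left unchanged by ROT13).
C2_ROT13 = codecs.encode(C2_DOMAIN, "rot13")

# Generic markers of the decode-and-execute pattern the advisory describes.
OBFUSCATION = re.compile(r"\b(str_rot13|base64_decode|gzinflate|eval)\s*\(", re.I)


def inspect_php_file(path):
    """Return the reasons a PHP file looks suspicious (empty list if none)."""
    reasons = []
    text = Path(path).read_text(errors="replace")
    if OBFUSCATION.search(text):
        reasons.append("decode/eval call")
    if C2_DOMAIN in text or C2_ROT13 in text:
        reasons.append("known C2 domain (plain or ROT13)")
    return reasons


def scan_wordpress_root(root):
    """Map relative path -> reasons for every suspicious PHP file in mu-plugins and themes."""
    root = Path(root)
    findings = {}
    mu_dir = root / "wp-content" / "mu-plugins"
    if mu_dir.is_dir():
        for f in sorted(mu_dir.iterdir()):
            if f.is_file() and f.suffix == ".php":
                reasons = inspect_php_file(f)
                if f.name in KNOWN_MU_FILES:
                    reasons.insert(0, "known backdoor file name")
                if reasons:
                    findings[f.relative_to(root).as_posix()] = reasons
    themes_dir = root / "wp-content" / "themes"
    if themes_dir.is_dir():
        for f in sorted(themes_dir.rglob("*.php")):
            reasons = inspect_php_file(f)
            if f.name in KNOWN_THEME_FILES:
                reasons.insert(0, "known file-manager file name")
            if reasons:
                findings[f.relative_to(root).as_posix()] = reasons
    return findings


def check_database_rows(option_names, user_logins):
    """Compare wp_options option names and wp_users logins against the advisory's IOCs.

    Feed this the output of your own database queries (e.g. from WP-CLI or a SQL client).
    """
    return {
        "options": sorted(set(option_names) & KNOWN_OPTION_KEYS),
        "users": sorted(set(user_logins) & KNOWN_USERS),
    }


def build_sample_site():
    """Create a constructed, throw-away WordPress tree so the scanner can run offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    # Constructed stand-in for the dropper; only the ROT13'd domain is an IOC from the page.
    (mu / "wp-index.php").write_text(
        "<?php\n$c2 = str_rot13('" + C2_ROT13 + "');\n// constructed placeholder body\n"
    )
    (mu / "site-helper.php").write_text("<?php\n// constructed benign mu-plugin\n")
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "pricing-table-3.php").write_text("<?php\n// constructed placeholder\n")
    (theme / "functions.php").write_text("<?php\n// constructed benign theme file\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, why in scan_wordpress_root(site).items():
        print(rel, "->", ", ".join(why))
    print(check_database_rows(["siteurl", "_hdra_core"], ["admin", "officialwp"]))
```

Point scan_wordpress_root at a real document root to list files worth a manual look; an empty result is not a clean bill of health, since the advisory notes that payloads live in the database and in short-lived temporary files, so the wp_options and wp_users checks and a review of recent file-change logs still have to be done.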