Backdoor Found in WP Plugins

July 24, 2025
Reading Time: 3 mins read
in Alerts

A sophisticated WordPress malware campaign has been discovered operating through the rarely monitored mu-plugins directory, giving attackers persistent access to compromised websites while evading traditional security measures. The malicious code, identified as wp-index.php, exploits WordPress’s “must-use plugins” functionality to maintain continuous operation without the possibility of deactivation through the admin panel.

The newly identified WordPress malware campaign showcases advanced techniques to maintain persistence and evade detection. By leveraging the mu-plugins (must-use plugins) directory, which WordPress loads automatically and cannot be deactivated through the admin dashboard, the attackers ensure their malicious code remains active. The primary malicious file, wp-index.php, functions as a sophisticated backdoor. Its reliance on the mu-plugins directory highlights a critical blind spot for many traditional security scans that primarily focus on the standard plugins directory for malicious activity.

Further compounding its stealth, the malware employs advanced obfuscation techniques, including ROT13 encoding, to disguise its command-and-control (C2) communications.

Upon execution, the malware fetches remote payloads from a concealed URL and stores them directly within the WordPress database under the option key “_hdra_core”. This database-centric persistence strategy is particularly insidious because it bypasses filesystem-based security scans, which are designed to detect modifications to files rather than database entries. Sucuri analysts discovered this threat during routine investigations, noting its exceptional ability to maintain persistence across multiple infection vectors.

The sophistication extends to its post-compromise actions.

The malware creates a hidden administrative user named “officialwp” and simultaneously conceals its presence from the WordPress user interface using carefully crafted filter functions. This allows the attackers to maintain a high level of control over the compromised site while remaining undetected by site administrators. The primary loader script retrieves base64-encoded payloads from a remote server, which, once decoded, reveal a comprehensive malware framework. This framework includes a covert file manager disguised as “pricing-table-3.php” within the active theme directory, protected by a custom authentication token, further solidifying the attackers’ control and ability to manage files on the compromised server.

The database-centric persistence mechanism is perhaps the most concerning aspect of this malware. Unlike file-based infections that are often detected through integrity monitoring, this backdoor stores its payload within WordPress’s options table. The malware then executes this stored payload, immediately cleaning up any temporary files. This method ensures the malware survives standard cleanup procedures, making it incredibly difficult to remove without a deep understanding of its functionality.

This approach gives the attackers remote code execution and full administrative control over compromised WordPress installations. The use of the mu-plugins directory, obfuscated C2 traffic, database-stored payloads, and a hidden administrative user together demonstrate a highly evolved threat. The campaign underscores the need for security controls that go beyond file-based scanning: database integrity checks (including the options and users tables), behaviour analysis, and routine review of everything loaded from mu-plugins.
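As an added defender-side example (not code from the alert or from Sucuri), the following Python sketches how the indicators named above can be checked: it flags mu-plugins by the known loader name or by the obfuscation primitives the alert describes, and checks option and user data read straight from the database, where the UI-hiding filters do not apply. The function names, the regex list and the sample site it builds are this example's own assumptions.

```python
import os
import re
import tempfile

# Indicators named in the alert above: the loader file, the option key and the hidden admin user.
MU_PLUGIN_NAME, OPTION_KEY, HIDDEN_USER = "wp-index.php", "_hdra_core", "officialwp"

# PHP primitives the alert associates with the loader (ROT13, base64, remote fetch, dynamic
# execution). Anything in mu-plugins is loaded unconditionally, so every hit needs manual review.
SUSPICIOUS_PHP = {
    "rot13": re.compile(r"\bstr_rot13\s*\("),
    "base64": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_exec|wp_remote_get)\s*\("),
}

def scan_mu_plugins(wp_root):
    """Flag mu-plugins by the known file name or by the obfuscation primitives they use."""
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    findings = []
    for name in (sorted(os.listdir(mu_dir)) if os.path.isdir(mu_dir) else []):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(mu_dir, name), errors="replace") as fh:
            src = fh.read()
        hits = [k for k, rx in SUSPICIOUS_PHP.items() if rx.search(src)]
        if name == MU_PLUGIN_NAME or hits:
            findings.append({"file": name, "known_name": name == MU_PLUGIN_NAME, "hits": hits})
    return findings

def check_database(options, users):
    """options: {option_name: value}; users: [(user_login, role)]. Read both directly from the
    database (e.g. with WP-CLI), not through the admin UI, where the alert's filters hide the user."""
    findings = []
    if OPTION_KEY in options:
        findings.append(f"option {OPTION_KEY} holds {len(options[OPTION_KEY])} bytes of stored payload")
    findings += [f"hidden admin user {u}" for u, role in users if u == HIDDEN_USER and role == "administrator"]
    return findings

def build_sample_site():
    """Constructed fixture, not real malware: a mu-plugin that merely calls the flagged primitives."""
    root = tempfile.mkdtemp()
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    os.makedirs(mu_dir)
    with open(os.path.join(mu_dir, MU_PLUGIN_NAME), "w") as fh:
        fh.write("<?php // constructed fixture\n$a = str_rot13('abc'); $b = base64_decode('YWJj');\n")
    with open(os.path.join(mu_dir, "clean-helper.php"), "w") as fh:
        fh.write("<?php add_filter('the_content', 'trim');\n")
    return root
```

On a real site, feed `check_database` the output of a direct query or WP-CLI listing rather than anything rendered by the dashboard, and treat any mu-plugin you did not place there yourself as a finding even if no primitive matches.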

Reference:

  • Stealthy Backdoor in WordPress Plugins Lets Attackers Maintain Persistent Website Access