A classy malware marketing campaign focusing on WordPress websites has emerged, using PHP variable features and cookie-based obfuscation to evade conventional safety detection mechanisms.
The assault represents an evolution in obfuscation strategies, the place menace actors fragment malicious code throughout a number of HTTP cookies and dynamically reconstruct executable features at runtime.
This strategy makes static evaluation considerably tougher, because the malicious intent stays hidden till all cookie parts are assembled and executed.
The malware has been detected over 30,000 instances in September 2025 alone, demonstrating its widespread deployment and continued effectiveness towards susceptible web sites.
The assault vector primarily targets PHP-based net functions, significantly WordPress installations, by injecting backdoor scripts that settle for instructions via specifically crafted cookies.
Not like conventional malware that embeds full malicious payloads inside information, this marketing campaign distributes operate names and encoded parameters throughout numbered cookie indices.
As soon as deployed, the malware waits for particular cookie configurations earlier than activating, requiring attackers to ship exactly structured requests containing all vital parts.
This conditional execution serves twin functions: evading automated safety scans that will set off the script with out correct cookies, and stopping unauthorized entry by different malicious actors who uncover the backdoor.
Wordfence researchers recognized a number of variants of this malware household throughout routine incident response operations, including samples to their menace intelligence database containing over 4.4 million distinctive malicious signatures.
The detection got here via evaluation of compromised websites the place standard signature-based scanning initially struggled to flag the closely obfuscated code.
Evaluation revealed that whereas particular person variants differ in implementation particulars, they share core traits together with dense obfuscation, extreme array lookups, and deliberate cookie validation checks that act as authentication mechanisms for attackers.
Technical Implementation and Code Execution Chain
The malware operates via a multi-stage execution chain that leverages PHP’s variable operate functionality, the place appending parentheses to any variable causes PHP to execute a operate matching the variable’s string worth.
In examined samples, the script begins by storing the $_COOKIE superglobal into a neighborhood variable and validating that precisely 11 cookies are current, with one containing the precise string “array11”.
The malware then concatenates cookie values to reconstruct operate names, equivalent to combining cookies containing “base64_” and “decode” to type the whole base64_decode operate title.
The execution chain demonstrates refined layering:-
$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);
This reconstructs base64_decode, then decodes one other cookie containing “Y3JlYXRlX2Z1bmN0aW9u” to supply “create_function”. The malware subsequently makes use of create_function with attacker-controlled parameters to generate arbitrary executable code.
Later variants make use of string substitute strategies, reworking obfuscated strings like “basx649fxcofx” into “base64_decode” by changing characters ‘x’, ‘f’, and ‘9’ with ‘e’, ‘d’, and ‘_’ respectively.
This multi-layered strategy defeats pattern-matching detection whereas sustaining full distant code execution capabilities via serialized payloads delivered through cookie parameters.
Comply with us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most well-liked Supply in Google.
