Persistent WordPress malware campaign hides as fake plugin to evade detection
Analysts uncover sophisticated WordPress malware that creates hidden admin accounts and resists removal with redundant backdoor mechanisms.

A new malware campaign targets WordPress sites, utilising steganography and persistent backdoors to maintain unauthorised admin access. It uses two components that work together to maintain control.
The attack begins with malicious files disguised as legitimate WordPress components. These files are heavily obfuscated, create administrator accounts with hardcoded credentials, and bypass traditional detection tools. This ensures attackers can retain access even after security teams respond.
Researchers say the malware exploits WordPress plugin infrastructure and user management functions to set up redundant access points. It then communicates with command-and-control servers, exfiltrating system data and administrator credentials to attacker-controlled endpoints.
This campaign can allow threat actors to inject malicious code, redirect site visitors, steal sensitive data, or deploy additional payloads. Its persistence and stealth tactics make it difficult to detect, leaving websites vulnerable for long periods.
The main component poses as a fake plugin called ‘DebugMaster Pro’ with realistic metadata. Its obfuscated code creates admin accounts, contacts external servers, and hides by allowing known admin IPs.
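A defender-side check for the fake-plugin component described above, added here as an example and not taken from the researchers' report: it reads the `Plugin Name` header of each plugin on disk and flags the reported name or any plugin missing from an approved inventory. The inventory, the directory slugs and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header at the top of a PHP file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)
REPORTED_NAMES = {"debugmaster pro"}  # plugin name given in the article


def plugin_name(php_file):
    """Return the 'Plugin Name' header of a PHP file, or None if it has none."""
    match = HEADER_RE.search(php_file.read_bytes()[:8192])
    return match.group(1).decode("utf-8", "replace") if match else None


def audit_plugins(plugins_dir, approved_slugs):
    """List (slug, name, reasons) for plugins that carry the reported name
    or that are missing from the approved inventory."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        slug = entry.name if entry.is_dir() else entry.stem
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        for php_file in (f for f in files if f.suffix == ".php"):
            name = plugin_name(php_file)
            if name is None:
                continue  # helper file without a plugin header
            reasons = []
            if name.lower() in REPORTED_NAMES:
                reasons.append("reported-name")
            if slug not in approved_slugs:
                reasons.append("not-in-inventory")
            if reasons:
                findings.append((slug, name, reasons))
    return findings


def build_sample():
    """Build a constructed plugin tree; slugs and files are made up."""
    root = Path(tempfile.mkdtemp())
    for slug, name in [("contact-form", "Contact Form"),
                       ("sample-debug-tool", "DebugMaster Pro")]:
        (root / slug).mkdir()
        header = f"<?php\n/*\n * Plugin Name: {name}\n * Version: 1.0\n */\n"
        (root / slug / f"{slug}.php").write_text(header)
    return root


if __name__ == "__main__":
    for finding in audit_plugins(build_sample(), {"contact-form"}):
        print(finding)
```

Because the scan reads the filesystem directly, it does not depend on what the WordPress dashboard chooses to display.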