A sophisticated malware campaign has been discovered targeting WordPress websites, leveraging a stealthy PHP backdoor to deliver a Windows-based Remote Access Trojan (RAT) to unsuspecting visitors.
Security researchers recently analyzed this threat, which employs a multi-stage infection chain designed to evade detection and maximize persistence on both web servers and end-user systems.
Obfuscated PHP Droppers
The initial compromise vector remains unclear, but evidence suggests attackers exploit previously compromised WordPress sites, injecting malicious PHP code into legitimate files or deploying new, covert scripts.
Central to the operation are two PHP files, header.php and man.php, which orchestrate the infection process.

The header.php script acts as the primary dropper, profiling victims, enforcing an IP-based blacklist, and dynamically generating an obfuscated Windows batch file (update.bat).
According to the Sucuri report, the batch file is then forced onto the client via manipulated HTTP headers, ensuring stealthy delivery.
To prevent repeated infections and hinder analysis, the malware logs each unique visitor’s IP address in a count.txt file.
If a repeat IP is detected, the dropper aborts, effectively implementing a rudimentary blacklist and reducing the risk of exposure.
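The artefacts named above (the count.txt visitor log, the generated update.bat, the psps.zip archive, client32.exe and the C2 address) are usable as detection strings for a site owner auditing their own install. The following scanner is an added example and is not code from the article or from Sucuri; the indicator names come from the article, while the forced-download header patterns and the two-indicator threshold are assumptions about how such a dropper would look in source. The sample site it scans is constructed in a temporary directory.

```python
"""Indicator scan for PHP files resembling the dropper described in the article.

Added example (not the article's or Sucuri's code). Indicator strings are
taken from the article; the header patterns and threshold are assumptions.
"""
import os
import re
import tempfile

# Indicators named in the article, plus two assumed patterns for a PHP file
# that forces a batch-file download onto the visitor.
INDICATORS = {
    "count.txt":       re.compile(r"count\.txt", re.I),
    "update.bat":      re.compile(r"update\.bat", re.I),
    "psps.zip":        re.compile(r"psps\.zip", re.I),
    "client32.exe":    re.compile(r"client32\.exe", re.I),
    "c2-ip":           re.compile(r"5\.252\.178\.123"),
    "forced-download": re.compile(r"Content-Disposition:\s*attachment", re.I),  # assumption
    "batch-mime":      re.compile(r"application/(x-)?bat", re.I),               # assumption
}


def scan_file(path):
    """Return the names of all indicators found in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_php_tree(root, min_hits=2):
    """Map relative path -> sorted indicator list for .php files with >= min_hits.

    Requiring two distinct indicators keeps legitimate files that merely set
    a Content-Disposition header out of the report.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if len(hits) >= min_hits:
                findings[os.path.relpath(full, root)] = sorted(hits)
    return findings


def build_sample_tree():
    """Constructed sample site: one clean theme file and one suspicious header.php."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\n// legitimate theme code\nadd_action('init', 'theme_init');\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php\n"
                 "$log = __DIR__ . '/count.txt';\n"
                 "header('Content-Disposition: attachment; filename=\"update.bat\"');\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_php_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real document root by replacing the constructed tree with the site path; any file reported should be diffed against the original theme or plugin package rather than trusted on name alone, since the campaign injects into legitimately named files.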
Automated Batch Script
Upon execution, the generated batch script initiates a series of automated actions on the victim’s Windows machine.
First, it creates necessary directories in the user’s %APPDATA% path, then downloads a malicious ZIP archive (psps.zip) from an external server using PowerShell commands.
The archive is extracted to a designated directory, after which the embedded executable payload (client32.exe) is launched.
To ensure persistence, the script modifies the Windows Registry, adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
This guarantees that the RAT is automatically executed upon each user login, allowing attackers ongoing access to the compromised system.
The batch script also attempts to erase forensic traces by deleting the initial ZIP file post-execution, though it deliberately leaves the extracted malware intact for continued operation.
The Windows Trojan, identified as a Remote Access Trojan (RAT), establishes a covert connection to a command and control (C2) server at IP address 5.252.178.123 over port 443.

While the internal workings of client32.exe were not fully analyzed, its behavior aligns with typical RAT functionality, including silent execution, registry persistence, and stealthy payload delivery from known malicious domains.
The man.php file serves as a basic administrative interface for attackers, allowing them to monitor and manipulate the count.txt log, reset the IP blacklist, and maintain operational control over the infection campaign.
This incident underscores the increasing sophistication of web-based malware delivery mechanisms.
The use of obfuscated PHP droppers, IP-based evasion, and automated batch scripting demonstrates a concerted effort by threat actors to bypass conventional security controls and remain undetected for extended periods.
Website owners are urged to implement continuous malware scanning, maintain strict file integrity monitoring, and deploy web application firewalls to detect and block malicious activity.
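File integrity monitoring is the control most directly suited to catching the injection described in this article, because the dropper lives in or beside ordinary theme files. The script below is an added example, not the article's or Sucuri's code: it hashes every file under a site root into a JSON baseline and later reports files added, removed or modified. The demo scenario (a clean tree, then an altered header.php and a new count.txt) is constructed in temporary directories, and the IP written to the log is a documentation address chosen for the example.

```python
"""Minimal file-integrity baseline for a WordPress document root.

Added example (not from the article or Sucuri). Paths are stored relative
to the root so the baseline can be kept off-host and compared later.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, root):
    """Return sorted lists of added, removed and modified paths versus the baseline."""
    current = build_baseline(root)
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a clean tree, then simulate the injection
    into header.php and the appearance of the count.txt visitor log."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    for name, body in (("header.php", "<?php get_header();\n"),
                       ("functions.php", "<?php // clean\n")):
        with open(os.path.join(theme, name), "w") as fh:
            fh.write(body)
    # Keep the baseline outside the monitored tree so it is not itself reported.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="wp-fim-base-"), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Simulated compromise (constructed): header.php altered, count.txt created.
    with open(os.path.join(theme, "header.php"), "a") as fh:
        fh.write("// injected\n")
    with open(os.path.join(theme, "count.txt"), "w") as fh:
        fh.write("203.0.113.5\n")  # documentation IP, constructed

    return compare(load_baseline(baseline_path), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline should be regenerated immediately after each legitimate update of core, plugins or themes, and the comparison scheduled frequently enough that a modified header.php is noticed before many visitors have been served the batch file.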
Regular patching of CMS platforms, plugins, and themes is essential to close known vulnerabilities.
End-users should exercise caution with unsolicited downloads, ensure their security software is up to date, and avoid disabling critical system protections such as User Account Control (UAC).
As attackers continue to refine their techniques, both website administrators and end-users must remain vigilant and proactive in defending against evolving threats that exploit trusted platforms like WordPress.