A sophisticated malware campaign targeting WordPress sites has emerged, utilizing PHP variable functions and cookie-based obfuscation to evade traditional security detection mechanisms.
The attack represents an evolution in obfuscation techniques, where threat actors fragment malicious code across multiple HTTP cookies and dynamically reconstruct executable functions at runtime.
This approach makes static analysis significantly more challenging, as the malicious intent remains hidden until all cookie components are assembled and executed.
The malware has been detected over 30,000 times in September 2025 alone, demonstrating its widespread deployment and continued effectiveness against vulnerable websites.
The attack vector primarily targets PHP-based web applications, particularly WordPress installations, by injecting backdoor scripts that accept commands through specially crafted cookies.
Unlike traditional malware that embeds complete malicious payloads within files, this campaign distributes function names and encoded parameters across numbered cookie indices.
Once deployed, the malware waits for specific cookie configurations before activating, requiring attackers to send precisely structured requests containing all necessary components.
This conditional execution serves dual purposes: evading automated security scans that may trigger the script without proper cookies, and preventing unauthorized access by other malicious actors who discover the backdoor.
Wordfence researchers identified multiple variants of this malware family during routine incident response operations, adding samples to their threat intelligence database containing over 4.4 million unique malicious signatures.
The detection came through analysis of compromised sites where conventional signature-based scanning initially struggled to flag the heavily obfuscated code.
Analysis revealed that while individual variants differ in implementation details, they share core characteristics including dense obfuscation, excessive array lookups, and deliberate cookie validation checks that act as authentication mechanisms for attackers.
Technical Implementation and Code Execution Chain
The malware operates through a multi-stage execution chain that leverages PHP’s variable function capability, where appending parentheses to any variable causes PHP to execute a function matching the variable’s string value.
In examined samples, the script begins by storing the $_COOKIE superglobal into a local variable and validating that exactly 11 cookies are present, with one containing the specific string “array11”.
The malware then concatenates cookie values to reconstruct function names, such as combining cookies containing “base64_” and “decode” to form the complete base64_decode function name.
The execution chain demonstrates sophisticated layering:-
$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);This reconstructs base64_decode, then decodes another cookie containing “Y3JlYXRlX2Z1bmN0aW9u” to produce “create_function”. The malware subsequently uses create_function with attacker-controlled parameters to generate arbitrary executable code.
Later variants employ string replacement techniques, transforming obfuscated strings like “basx649fxcofx” into “base64_decode” by replacing characters ‘x’, ‘f’, and ‘9’ with ‘e’, ‘d’, and ‘_’ respectively.
This multi-layered approach defeats pattern-matching detection while maintaining full remote code execution capabilities through serialized payloads delivered via cookie parameters.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
