Cybersecurity researchers at Wordfence Threat Intelligence and their Care and Response teams have observed a persistent trend in new malware that leverages heavy obfuscation techniques to evade detection.
While some malware attempts to blend in as legitimate files, the more common strategy involves sophisticated obfuscation through variable functions and cookie manipulation.
This article explores this malware’s mechanisms, analyzes representative samples, and discusses how defenders can detect and mitigate such threats.
One signature method of this malware involves the use of variable functions in PHP. The language permits a function to be called by name through a variable: if a variable holds the string "base64_decode", writing that variable followed by parentheses invokes base64_decode.
Although this feature has legitimate programming uses, attackers exploit it to hide malicious behavior. For example, a simple backdoor might store function names such as eval and base64_decode in variables and then call those functions dynamically on attacker-supplied input, effectively running arbitrary code on the server.
Cookies also play a novel role in these attacks. Typically used for storing user preferences or session information, cookies here are weaponized to carry encoded fragments of malicious scripts or function names.
The malware checks for specific cookies, validates them, and then reconstructs function names or code dynamically by concatenating cookie values, decoding them, and executing the resulting scripts. This multi-layered obfuscation confuses traditional scanners and hides the malware’s true intent.
In-Depth Analysis of Malware Samples
One analyzed malware strain requires exactly 11 cookies and uses them to assemble function names and executable code segments.
For instance, it concatenates cookie values containing “base64_” and “decode” into the function name “base64_decode.”
It then decodes further cookie data such as base64-encoded function names and code snippets, ultimately creating and executing a dynamic function that outputs a message or performs malicious actions.
This shows how attackers hide complex operations behind trivial-looking code that only activates under precise conditions verified through cookies.
Another sample uses a boolean condition that requires certain cookies to exist and meet mathematical conditions before executing.
It uses str_replace to transform obfuscated strings into real function names like “base64_decode,” then unserializes encoded payloads from cookies, creating an array of malicious functions and arguments to run arbitrary actions including the inclusion of attacker-controlled files. Such flexibility enables attackers to customize their payloads dynamically.
A third example combines a count check for 22 cookies and searches for a cookie containing “array22.” Through chained variable function calls and concatenations, it builds and executes an anonymous function. This ternary-based obfuscated control flow adds complexity to analysis and detection.
Strategies for Detecting These Malicious Scripts
In September 2025, Wordfence malware signatures targeting these techniques logged over 30,000 detections.
Despite the obfuscation, the malware shares identifiable patterns that are valuable for detection. These typically include dense, short blocks of heavily obfuscated code, excessive use of array lookups and string concatenation, reliance on superglobals such as $_COOKIE for payload delivery, and intricate variable function calls.
Legitimate code, whether written by humans or generated by AI, rarely uses such dense obfuscation because it hinders debugging and readability.
Traditional signature-based detection may struggle as malware variants morph their scripts, but behavioral and heuristic detection focused on these unusual coding patterns helps bridge the gap.
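The heuristic approach described above can be sketched as a small static analyzer. The Python below is an added example, not code from Wordfence or from the report this article summarizes: it statically folds split string literals and literal-only str_replace() calls back into whole function names (the "base64_" . "decode" and str_replace tricks described in the samples), then scores a PHP source file on the traits listed in this section: a count($_COOKIE) gate, variables built from $_COOKIE and later invoked as functions, variable function calls, and the density of $_COOKIE references. The two PHP snippets, the watchlist of function names, the weights and the threshold are all constructed for the example.

```python
import re

# Function names that malware commonly hides from plain string matching.
# The list is this example's own choice, not a published signature.
WATCHLIST = {
    "eval", "assert", "base64_decode", "unserialize", "create_function",
    "str_rot13", "gzinflate", "gzuncompress", "system", "shell_exec",
    "passthru", "exec", "include", "require", "file_put_contents",
}
THRESHOLD = 6  # constructed: score at or above this is flagged

# Constructed sample 1: an ordinary theme helper with a little concatenation.
BENIGN_PHP = r'''<?php
function render_widget($title) {
    echo "<h2>" . htmlspecialchars($title) . "</h2>";
}
render_widget($_GET["t"] ?? "Hello");
'''

# Constructed sample 2: the traits described in the article, with no payload.
SUSPICIOUS_PHP = r'''<?php
if (count($_COOKIE) == 11 && isset($_COOKIE["a"])) {
    $fn  = $_COOKIE["a"] . $_COOKIE["b"];           // name assembled from cookies
    $dec = "base64_" . "decode";                    // literal split in two
    $un  = str_replace("zz", "", "unsezzrialize");  // name rebuilt via str_replace
    $fn($dec($_COOKIE["c"] . $_COOKIE["d"]));
    $un($dec($_COOKIE["e"]));
}
'''

# "lit" . "lit"  and  str_replace("x", "y", "lit") with literal-only arguments.
# Quotes inside quoted strings and escapes are not handled (kept simple).
_CONCAT = re.compile(r'(["\'])([^"\']*)\1\s*\.\s*(["\'])([^"\']*)\3')
_STR_REPLACE = re.compile(
    r'str_replace\(\s*(["\'])([^"\']*)\1\s*,\s*(["\'])([^"\']*)\3'
    r'\s*,\s*(["\'])([^"\']*)\5\s*\)'
)


def fold_literals(src: str) -> str:
    """Repeatedly fold literal concatenations and literal str_replace() calls
    so a function name split across pieces becomes one quoted string."""
    while True:
        src, n1 = _CONCAT.subn(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
        src, n2 = _STR_REPLACE.subn(
            lambda m: '"' + m.group(6).replace(m.group(2), m.group(4)) + '"', src)
        if n1 == 0 and n2 == 0:
            return src


def analyze(src: str) -> dict:
    """Score PHP source on the cookie/variable-function traits and return the evidence."""
    folded = fold_literals(src)
    # Identifier-like quoted strings that resolve to a watched function name.
    literals = set(re.findall(r'["\']([A-Za-z_]\w*)["\']', folded))
    hidden = sorted(literals & WATCHLIST)
    # $var( ... ): a PHP variable function call.
    variable_calls = re.findall(r'\$[A-Za-z_]\w*\s*\(', src)
    # Variables assigned from $_COOKIE that are later invoked as functions.
    tainted = set(re.findall(r'\$(\w+)\s*=(?!=)[^;]*\$_COOKIE', src))
    tainted_calls = sorted(v for v in tainted if re.search(r'\$' + v + r'\s*\(', src))
    cookie_refs = len(re.findall(r'\$_COOKIE\b', src))
    cookie_count_check = re.search(r'count\(\s*\$_COOKIE\s*\)', src) is not None

    score = (3 * int(cookie_count_check)
             + 4 * len(tainted_calls)
             + 3 * len(hidden)
             + len(variable_calls)
             + min(cookie_refs, 5))
    return {
        "score": score,
        "flagged": score >= THRESHOLD,
        "hidden_names": hidden,
        "tainted_calls": tainted_calls,
        "variable_calls": len(variable_calls),
        "cookie_refs": cookie_refs,
        "cookie_count_check": cookie_count_check,
    }


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        print(label, analyze(sample))
```

The folding step is what makes the check resilient to the simplest string-splitting evasions: the scanner never needs the literal text base64_decode to appear in the file, only that it can be reconstructed from constants at analysis time. A production scanner would work on PHP's own token stream rather than regular expressions, which is why the literal handling here is deliberately limited to plain quoted strings.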
Wordfence premium malware signatures detect over 99% of known variants by targeting these traits. In addition, tools like Wordfence CLI allow deep scanning even when WordPress installations are damaged, offering a key security layer.
Wordfence’s Care and Response services provide dedicated expert help in identifying, cleaning, and remediating infections from these elusive malware types.
Experts continuously add new malware samples to their threat intelligence databases to update detection and protect users comprehensively.
Obfuscation using variable functions combined with cookie manipulation is a long-established and still highly effective malware evasion method.
Although these tactics have been observed previously, they continue to evolve and proliferate, necessitating ongoing vigilance from security teams.
By understanding the tactics discussed, recognizing characteristic patterns, and employing specialized detection signatures and cleanup services, web administrators can significantly reduce the risk posed by these hidden threats.
If you discover new malware or variants evading detection, collaborating with threat intelligence teams by sharing samples helps protect the broader community from emerging attacks. The fight against increasingly sophisticated malware depends on continual research, proactive defenses, and community collaboration.