
Malicious Actors Exploit WordPress Sites to Redirect Users to Harmful Destinations

Last month, cybersecurity experts uncovered a sophisticated malware campaign targeting WordPress websites that stealthily redirects visitors to malicious domains.

The threat actors embedded their malicious payload deep within core files, enabling search engine poisoning and unauthorized content injection without raising immediate alarms.

A detailed forensic analysis revealed a complex multi-stage infection that begins with a seemingly innocuous modification to the wp-settings.php file and escalates into dynamic command-and-control communications, SEO manipulation, and visitor-specific redirects.

Stealthy Malware Hides in Core Files

Investigators first noticed anomalous behavior when visitors to the compromised site were involuntarily redirected to unfamiliar domains.

A code review of wp-settings.php, a core WordPress file that is loaded on every request, revealed two suspicious lines that do not belong to the stock file.

These two lines are the initial entry point for the malicious payload.

The first line stripped the “www.” prefix from the HTTP_HOST header to normalize the domain name.

The second line invoked PHP’s zip:// stream wrapper to include a file from a compressed archive named win.zip, using the normalized domain name as the name of the entry inside the ZIP. The wrapper addresses an archive entry as zip:///path/to/win.zip#entry, so the archive never has to be unpacked on disk.

By loading a domain-specific PHP script straight out of a ZIP archive, the attackers concealed their code in a location rarely scrutinized by routine file integrity checks: scanners that only inspect .php files see nothing executable inside an archive.

Upon extracting win.zip, researchers found a single PHP file obfuscated with multiple layers of base conversions and XOR operations.

This hidden script formed the heart of the malware, executing on every page load as part of WordPress’s bootstrap sequence.

To avoid raising suspicion, the malicious code first disabled error reporting, ensured uninterrupted execution, and detected whether the visitor was a legitimate user or an automated crawler.
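The checks below are an added example, not code from the incident write-up: a small static triage script that flags include/require statements pulling code through a PHP stream wrapper (zip://, phar://, data:// and friends) or reading the Host header, and that compares core files against a known-good checksum manifest so that a modified wp-settings.php and an unexpected win.zip both surface. The PHP snippets, manifest and file listing are constructed to mirror the behaviour described above and are not the actual malware.

```python
"""Static triage for a WordPress install (added example, constructed samples):
flag include/require statements that load code through a PHP stream wrapper
or read HTTP_HOST, and compare core files against a known-good checksum list."""

import hashlib
import re
from typing import Dict, List, Tuple

# Wrappers with no legitimate reason to appear in a core file's include path.
SUSPICIOUS_WRAPPERS = ("zip://", "phar://", "data://", "compress.zlib://",
                       "compress.bzip2://", "expect://", "php://input")

# One include/require statement, from the keyword up to its terminating semicolon.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b(?P<target>[^;]*);",
    re.IGNORECASE,
)

# Direct read of the Host header. Heuristic: wp-settings.php has no business
# reading request headers itself, so any hit there deserves manual review.
HOST_READ_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]", re.IGNORECASE)


def _line_of(src: str, offset: int) -> int:
    """1-based line number of a character offset in src."""
    return src.count("\n", 0, offset) + 1


def scan_php_source(src: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each suspicious include/require in src."""
    findings = []
    for m in INCLUDE_RE.finditer(src):
        target = m.group("target").lower()
        line_no = _line_of(src, m.start())
        for wrapper in SUSPICIOUS_WRAPPERS:
            if wrapper in target:
                findings.append((line_no, f"include through stream wrapper {wrapper}"))
        if "http_host" in target:
            findings.append((line_no, "include path derived from HTTP_HOST"))
        if re.search(r"\$_(get|post|request|cookie)\b", target):
            findings.append((line_no, "include path derived from request parameters"))
    return findings


def find_host_header_reads(src: str) -> List[int]:
    """Line numbers where the file reads $_SERVER['HTTP_HOST'] directly."""
    return [_line_of(src, m.start()) for m in HOST_READ_RE.finditer(src)]


def md5_hex(data: bytes) -> str:
    # WordPress publishes its per-release core checksums as MD5, so that is the
    # digest compared here; it is an integrity baseline, not a security primitive.
    return hashlib.md5(data).hexdigest()


def verify_core_checksums(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Report files whose hash differs from the manifest and files the manifest
    does not know at all (a win.zip dropped under wp-includes is the latter)."""
    report = []
    for path, content in files.items():
        expected = manifest.get(path)
        if expected is None:
            report.append(f"{path}: not in the release manifest")
        elif md5_hex(content) != expected:
            report.append(f"{path}: hash mismatch")
    return sorted(report)


# Constructed samples: a stock-looking wp-settings.php fragment and the same
# fragment with a two-line hook modelled on the article's description.
CLEAN_SNIPPET = "<?php\nrequire ABSPATH . WPINC . '/load.php';\n"
INFECTED_SNIPPET = (
    "<?php\n"
    "$host = str_replace('www.', '', $_SERVER['HTTP_HOST']);\n"
    "include 'zip://' . ABSPATH . 'wp-includes/win.zip#' . $host;\n"
    "require ABSPATH . WPINC . '/load.php';\n"
)
# Constructed stand-in for the official checksum list of the installed release.
RELEASE_MANIFEST = {"wp-settings.php": md5_hex(CLEAN_SNIPPET.encode())}
# Constructed listing of what is actually on disk after the compromise.
INSTALL_FILES = {
    "wp-settings.php": INFECTED_SNIPPET.encode(),
    "wp-includes/win.zip": b"PK\x03\x04" + b"\x00" * 26,  # placeholder ZIP header
}

if __name__ == "__main__":
    for line_no, reason in scan_php_source(INFECTED_SNIPPET):
        print(f"wp-settings.php:{line_no}: {reason}")
    for line_no in find_host_header_reads(INFECTED_SNIPPET):
        print(f"wp-settings.php:{line_no}: reads HTTP_HOST")
    for entry in verify_core_checksums(INSTALL_FILES, RELEASE_MANIFEST):
        print(entry)
```

In a real investigation the manifest comes from WordPress’s published checksums for the installed version (WP-CLI’s "wp core verify-checksums" does the same comparison), and the source scan should run over the whole core tree and any mu-plugins, not just wp-settings.php.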

Dynamic Redirects and C2 Infrastructure

A notable feature of this malware is its dynamic selection of command-and-control (C2) servers based on the visitor’s requested path.

By parsing the request URL, the script branched to different malicious domains: requests for products.php were sent to wditemqy.enturbioaj[.]xyz, requests for detail.php to oqmetrix.icercanokt[.]xyz, and all other pages to yzsurfar.icercanokt[.]xyz.

This tailored approach complicates takedown efforts, as blocking one domain does not halt the entire campaign.

Furthermore, the malware employed anti-bot heuristics by inspecting user agents for search engine crawlers, such as Googlebot and Bingbot, serving benign content to bots while redirecting real users.

Because the crawlers never saw the redirect, search engines had no reason to flag the site as harmful, which prolonged the operation’s stealth.

The script also manipulated the files search engines rely on. It intercepted requests for googleXXXXX.html verification files and served the expected response, letting the attackers verify ownership of the compromised site in Google Search Console.

At the same time, it fetched a contents.php payload from the C2 server and used it to rewrite robots.txt, appending Sitemap directives that pointed search engines to an attacker-controlled sitemap.

Through these tactics, the threat actors harnessed the compromised site’s authority to boost rankings for phishing and spam pages hosted on their external domains.
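Two checks that follow from the behaviour described in this section, written as an added example rather than code from the incident write-up: an audit of robots.txt that flags Sitemap directives pointing off-site, and a comparison of the response served to a crawler user agent with the one served to a browser, which exposes bot/visitor cloaking of the kind used here. The robots.txt text, hostnames and HTTP responses are constructed; the only real value is Googlebot’s published user-agent string.

```python
"""SEO-hijack checks for a compromised WordPress site (added example, constructed
samples): audit robots.txt for off-site Sitemap directives and compare a
crawler's response with a browser's to detect cloaked redirects."""

from typing import Any, Dict, List
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Googlebot's published user-agent string. Fetch the page once with it and once
# with a normal browser UA, then hand both responses to detect_cloaking().
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _bare(host: str) -> str:
    """Lower-case a hostname and drop a leading www. so both forms compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_robots_txt(robots: str, site_host: str) -> List[str]:
    """Flag Sitemap directives that are malformed or point to another host."""
    findings = []
    for n, raw in enumerate(robots.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # robots.txt comments start with '#'
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() != "sitemap":
            continue
        value = value.strip()
        url = urlparse(value)
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"line {n}: malformed Sitemap URL {value!r}")
        elif _bare(url.hostname) != _bare(site_host):
            findings.append(f"line {n}: Sitemap points off-site to {url.hostname}")
    return findings


def detect_cloaking(bot_resp: Dict[str, Any], user_resp: Dict[str, Any], site_host: str) -> List[str]:
    """Compare responses for the same URL fetched with a crawler UA and a browser UA.
    Each response is {'status': int, 'headers': {lower-case header name: value}}."""
    findings = []
    bot_status, user_status = bot_resp["status"], user_resp["status"]
    if bot_status == 200 and user_status in REDIRECT_CODES:
        location = user_resp["headers"].get("location", "")
        # A relative Location header keeps the visitor on the same site.
        target = urlparse(location).hostname or site_host
        where = ("off-site to " + target) if _bare(target) != _bare(site_host) else "within the site"
        findings.append(f"crawler gets 200 but browsers get {user_status} {where}")
    elif bot_status != user_status:
        findings.append(f"status differs by user agent: crawler {bot_status}, browser {user_status}")
    return findings


# Constructed sample data. attacker-sitemap.example and redirect-target.example
# are placeholders, not the campaign's real infrastructure.
SITE_HOST = "example.com"
ROBOTS_TXT = """User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://www.example.com/wp-sitemap.xml
Sitemap: https://attacker-sitemap.example/sitemap.xml   # appended by the rewrite
"""
BOT_RESPONSE = {"status": 200, "headers": {"content-type": "text/html"}}
USER_RESPONSE = {"status": 302, "headers": {"location": "https://redirect-target.example/offer"}}

if __name__ == "__main__":
    for finding in audit_robots_txt(ROBOTS_TXT, SITE_HOST):
        print("robots.txt:", finding)
    for finding in detect_cloaking(BOT_RESPONSE, USER_RESPONSE, SITE_HOST):
        print("cloaking:", finding)
```

Run the cloaking comparison against several paths, not just the home page: the routing described above treats products.php and detail.php differently from everything else, so a single URL can look clean while another redirects.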

Implications for Website Security

This attack highlights the increasing sophistication of web-based threats and underscores the need for robust security hygiene.

Administrators should compare core files against the official release checksums for their version (WP-CLI’s "wp core verify-checksums" does this), run file integrity monitoring on wp-settings.php and the rest of the core tree, and scan the codebase for include and require statements that use stream wrappers such as zip:// or phar://, which have no place in a stock WordPress install. A web application firewall helps block the initial intrusion, but it inspects HTTP traffic and will not see code that is already on disk.

Enabling two-factor authentication and maintaining up-to-date backups remain essential defensive measures.

As evolving malware leverages stealth techniques to evade detection, vigilance and layered defenses are critical for safeguarding WordPress sites against hijacking and reputation-damaging redirects.

Priya
