Saturday, February 14, 2026

WordPress Under Siege – Windows Trojan Infiltrates Through Stealthy PHP Backdoor Malware

A sophisticated new malware campaign targeting WordPress sites has security experts on high alert after a recent incident exposed a layered, hard-to-detect infection chain.

Unlike typical defacements or spam campaigns, this attack uses stealthy PHP droppers, obfuscated code, IP tracking, and batch script generation to deliver a Windows-based Remote Access Trojan (RAT) known as client32.exe.

The initial compromise vector remains unclear, but evidence suggests that cybercriminals injected custom PHP malware into two critical files, header.php and man.php, after gaining access likely through stolen credentials or vulnerable plugins.

The infection is designed to remain invisible to site owners and visitors, showing no redirects or evident tampering.

Multi-Stage Dropper Operation Unpacked

At the heart of the attack lies header.php, the central controller. It silently profiles each site visitor and enforces an IP blacklist by logging addresses in count.txt, a simple but effective way to avoid repeated infections and evade analysis.

Only visitors making fresh POST requests from new IPs are served a hidden payload.

When triggered, header.php dynamically generates a heavily obfuscated Windows batch script (update.bat). This script, forcibly downloaded to the victim’s machine, automates several attack steps:

  1. Environment Setup: Creates directories in %APPDATA% for malware files.
  2. Payload Download: Utilizes PowerShell to fetch a malicious ZIP archive silently (psps.zip) from a remote server.
  3. Extraction and Execution: Extracts the ZIP using .NET system libraries, then launches client32.exe, the final Trojan payload.
  4. Persistence Mechanism: Ensures the malware survives reboots by adding a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  5. Clean Up: Deletes the downloaded ZIP to minimize forensic traces.

The companion script man.php provides attackers with a crude web interface to monitor and reset the IP log (count.txt), maintaining ongoing control.

RAT Establishes Stealthy Foothold

Once deployed, client32.exe connects to a command-and-control server at 5.252.178.123:443, where it can receive further malicious commands.

Security analysts warn that such RATs can exfiltrate data, install additional malware, and maintain deep persistence.

Mitigation and Next Steps

Site owners are urged to:

  • Employ continuous scanning and file integrity monitoring.
  • Patch all CMS components and harden server configurations.
  • Deploy a web application firewall (WAF).
  • Prepare for rapid incident response.
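As an added example (not code from the article or from any vendor), a small Python scanner that combines the first two items above for a WordPress tree: a SHA-256 baseline of PHP files to detect drift, plus a search for the file names and C2 address this campaign leaves behind. The indicator list is taken from the article's description and the sample files are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Plain-text strings the article associates with this campaign; a match is a
# lead for investigation, not proof of compromise.
INDICATORS = {
    "ip_log": "count.txt",
    "batch_dropper": "update.bat",
    "zip_payload": "psps.zip",
    "rat_binary": "client32.exe",
    "c2_address": "5.252.178.123",
}

def build_baseline(root):
    """Map relative path -> SHA-256 for every .php file under root.
    Take this snapshot on a known-clean install and store it off-server."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                baseline[os.path.relpath(full, root)] = digest
    return baseline

def scan(root, baseline):
    """Return {relpath: {"changed": bool, "hits": [...]}} for every .php file
    that drifted from the baseline or contains a campaign indicator."""
    findings = {}
    for rel, digest in build_baseline(root).items():
        changed = baseline.get(rel) != digest
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            text = fh.read()
        hits = [name for name, needle in INDICATORS.items() if needle in text]
        if changed or hits:
            findings[rel] = {"changed": changed, "hits": hits}
    return findings

def demo():
    # Constructed sample (not real site data): baseline a clean header.php,
    # then append a comment carrying two of the indicators and rescan.
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    header = os.path.join(theme, "header.php")
    with open(header, "w") as fh:
        fh.write("<?php wp_head(); ?>\n")
    baseline = build_baseline(root)
    with open(header, "a") as fh:
        fh.write("<?php // constructed marker: count.txt update.bat ?>\n")
    return scan(root, baseline)

if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Run the baseline step on a clean install and keep the hash map outside the web root; a file that both changed and carries an indicator is the one to pull for forensic review first.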

End-users should be cautious of unfamiliar downloads, keep their security tools up to date, and regularly apply system patches.

This campaign highlights the growing use of sophisticated, fileless infection chains that leverage PowerShell and batch scripts, a trend that calls for vigilance from both administrators and everyday web users.

If you suspect your WordPress site has been targeted, immediate forensic investigation is strongly advised.
