
Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

Severity: Medium
Published: Mon Jul 14 2025 (07/14/2025, 13:50:30 UTC)
Source: AlienVault OTX General

Description

A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server selection, anti-bot mechanisms, and manipulates SEO-related files. The malware's main goals include manipulating search engine rankings, injecting spam content, and performing unauthorized redirects. It uses obfuscation techniques and ZIP archives for code inclusion, making it challenging to detect and remove. Prevention measures include keeping software updated, using reputable sources for themes and plugins, implementing strong credential security, utilizing a Web Application Firewall, and regularly scanning for malware.

AI-Powered Analysis

Last updated: 07/14/2025, 14:16:45 UTC

Technical Analysis

This is a PHP malware campaign against WordPress sites in which the attacker inserts a short loader into the core file wp-settings.php. WordPress loads that file on every request, before any theme or plugin, so the injected code runs on every page view. The loader keeps the real payload inside a ZIP archive and includes it from there at run time, so the code that actually executes is never stored on disk as a plain .php file and is missed by scanners that only inspect PHP files. The payload performs search engine poisoning (manipulating SEO-related files to alter how the site is indexed and ranked) and injects unauthorized content: spam pages and redirects to fraudulent or malicious destinations. It selects its Command and Control (C2) server dynamically from a set of domains, so losing one domain does not break the campaign, and it carries anti-bot logic intended to avoid detection by automated scanners and security researchers. Code obfuscation and archive-based inclusion add further stealth. The observed objectives are to hijack web traffic, degrade the reputation and integrity of infected sites, and funnel visitors to attacker-controlled destinations. Indicators of compromise are the domains oqmetrix.icercanokt.xyz, wditemqy.enturbioaj.xyz and yzsurfar.icercanokt.xyz, which act as C2 or redirect endpoints. No WordPress version is identified as vulnerable and no exploit for a specific vulnerability is tied to the campaign: the modification of wp-settings.php is how the malware persists once an attacker already has write access to the site (for example through stolen credentials, a vulnerable plugin or a compromised hosting account), so any site with weak access control or unpatched components is exposed. The threat is rated medium because of its stealth, persistence and effect on site integrity and user trust rather than because of a flaw in WordPress itself. The malware's tactics align with MITRE ATT&CK techniques T1027 (Obfuscated Files or Information), T1491 (Defacement, covering the injected content and redirects) and T1608.006 (Stage Capabilities: SEO Poisoning). Note that T1059.007 is the JavaScript sub-technique of Command and Scripting Interpreter; server-side PHP execution has no dedicated T1059 sub-technique.
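As an added example (not code from the Sucuri write-up or from the pulse), the following Python scanner looks for the three things the analysis above describes: an include or require whose path goes through PHP's zip:// (or phar://) stream wrapper, which is how PHP can execute code straight out of an archive; eval() over a decoded blob; and the three listed C2/redirect domains. The wp-settings.php it scans is constructed here; the archive path and variable names inside it are made up, not taken from the real infection.

```python
"""Scan PHP source for archive-wrapper includes, eval-decode obfuscation and IOC domains."""
import os
import re
import tempfile

# Indicators of compromise from the pulse (real domains).
IOC_DOMAINS = (
    "oqmetrix.icercanokt.xyz",
    "wditemqy.enturbioaj.xyz",
    "yzsurfar.icercanokt.xyz",
)

# include/require (and _once) of a literal path that starts with a stream wrapper
# able to read code out of an archive. zip:// is what the text calls "ZIP archives
# for code inclusion"; phar:// is the other archive wrapper PHP ships with.
WRAPPER_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:zip|phar)://[^'\"]*['\"]",
    re.IGNORECASE,
)
# Classic obfuscation: eval over a decoded or uncompressed blob.
EVAL_DECODE = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS))


def scan_source(text: str):
    """Return a list of (rule, line_number, evidence) for one PHP source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in (("wrapper_include", WRAPPER_INCLUDE),
                         ("eval_decode", EVAL_DECODE),
                         ("ioc_domain", DOMAIN_RE)):
            m = rx.search(line)
            if m:
                findings.append((rule, lineno, m.group(0)))
    return findings


def scan_tree(root: str):
    """Scan every .php file under root; return {relative_path: findings} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return results


# Constructed sample (not a real infection): a patched wp-settings.php whose first
# lines pull code out of an archive, plus a clean core file for contrast.
SAMPLE_WP_SETTINGS = """<?php
// hypothetical injected lines; the archive path below is made up
@include_once 'zip://wp-content/uploads/2025/07/cache.zip#inc.php';
$c = ['oqmetrix.icercanokt.xyz','wditemqy.enturbioaj.xyz','yzsurfar.icercanokt.xyz'];
eval(base64_decode($payload));
// genuine wp-settings.php content follows
define( 'WPINC', 'wp-includes' );
"""
SAMPLE_CLEAN = "<?php\nrequire_once ABSPATH . WPINC . '/load.php';\n"


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "wp-settings.php"), "w") as fh:
            fh.write(SAMPLE_WP_SETTINGS)
        os.mkdir(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "wp-includes", "load.php"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for rule, lineno, evidence in hits:
            print(f"{path}:{lineno}: {rule}: {evidence}")
```

Run against a real site root the scanner reports the file and line of each hit; a hit on wrapper_include in a core file is reason to treat the site as compromised and to go looking for the referenced archive, which a .php-only scan will never open.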

Potential Impact

For European organizations, especially those relying on WordPress for their web presence, this malware poses significant risks. The unauthorized injection of spam and redirects can damage brand reputation, reduce customer trust, and negatively impact search engine rankings, leading to decreased web traffic and potential revenue loss. Organizations in sectors such as e-commerce, media, and professional services that depend heavily on organic search traffic are particularly vulnerable. Additionally, the malware’s ability to evade detection and persist within core files increases the risk of prolonged compromise, which can lead to secondary attacks or data leakage if attackers expand their foothold. The presence of dynamic C2 infrastructure and anti-bot measures complicates incident response and remediation efforts. Furthermore, compromised websites can be used as platforms for distributing further malware or phishing campaigns targeting European users, amplifying the threat landscape. Given the GDPR and other data protection regulations in Europe, organizations may also face compliance risks if customer data is indirectly exposed or if the malware facilitates unauthorized data processing.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement a multi-layered security approach tailored to WordPress environments:

1) Conduct regular integrity checks of core WordPress files, especially wp-settings.php, against a known-good baseline or the official core checksums for the installed version (WP-CLI's wp core verify-checksums does the latter), so that unauthorized modifications are detected promptly.
2) Employ malware scanners that flag obfuscated code (eval over base64_decode, gzinflate and similar) and include or require statements whose path goes through an archive stream wrapper such as zip:// or phar://, and extend scans to archives in writable directories, since here the payload lives inside a ZIP rather than in a .php file.
3) Restrict file permissions so the web server user cannot write to core files, and disable PHP execution in directories that only need to hold data, such as wp-content/uploads.
4) Use reputable sources for all themes and plugins, and apply updates to WordPress core, themes and plugins promptly to reduce the attack surface.
5) Enforce strong credential policies, including multi-factor authentication for WordPress administrator accounts and hosting control panels, to prevent the unauthorized access that precedes a core-file modification.
6) Deploy a Web Application Firewall (WAF) with rules to detect and block malicious payloads, suspicious file inclusions, and abnormal outbound connections to known malicious domains.
7) Monitor DNS and proxy logs for lookups of or connections to the three listed domains and block them at the network perimeter; resolving them to a sinkhole also reveals which hosts are infected.
8) Back up WordPress sites regularly and test restoration procedures so that a compromised site can be rebuilt quickly from a clean copy.
9) Educate web administrators and developers on secure coding practices and on the risks of direct core-file modifications, which also make legitimate updates harder to verify.
10) Engage in threat intelligence sharing with relevant European cybersecurity communities to stay informed about emerging variants and indicators of compromise.

When an infection is found, removing the injected line from wp-settings.php is not sufficient: delete the archive it references, check for other modified files and unexpected administrator accounts, and rotate all credentials, since the loader can be re-planted for as long as the original access persists.
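As an added example that is not from the pulse or the Sucuri article, the following Python script implements item 1 as a hash manifest: it records SHA-256 hashes of a WordPress tree, then reports files that were modified, added or removed. The WordPress tree, the injected include line and the file names in the demonstration are constructed; the class-wp-cache-helper.php name and the archive path are made up.

```python
"""Hash-manifest integrity check for a WordPress tree (added example)."""
import hashlib
import json
import os
import tempfile

# Files under these directories legitimately change during normal operation
# (uploads, caches); everything else should only change during an update.
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root, minus SKIP_DIRS."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if rel_dir in SKIP_DIRS:
            dirs[:] = []  # do not descend into a skipped directory
            continue
        for name in files:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = _sha256(os.path.join(dirpath, name))
    return manifest


def compare(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: take a baseline, then tamper the way the loader does."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        write("wp-settings.php", "<?php\ndefine( 'WPINC', 'wp-includes' );\n")
        write("wp-includes/load.php", "<?php\n// core\n")
        write("wp-content/uploads/2025/07/photo.jpg", "jpegdata")
        baseline = build_manifest(root)
        # In production store the baseline where the web server user cannot
        # write; here it is only serialised to show the round-trip.
        saved = json.dumps(baseline)

        # Tampering: prepend an archive include to the core file, drop an
        # archive into uploads (ignored by the manifest) and a loader beside
        # core (flagged). Both file names are hypothetical.
        write("wp-settings.php",
              "<?php\n@include_once 'zip://wp-content/uploads/c.zip#i.php';\n"
              "define( 'WPINC', 'wp-includes' );\n")
        write("wp-content/uploads/c.zip", "PK...")
        write("wp-includes/class-wp-cache-helper.php", "<?php\n// not core\n")

        return compare(json.loads(saved), build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

A baseline is only as trustworthy as the state it was taken from, so for core files prefer a comparison against the official checksums for the installed version (wp core verify-checksums) and reserve the manifest for themes, plugins and configuration that the official checksums do not cover. Note that the ZIP dropped into uploads is deliberately outside the manifest; that is why item 2 asks scanners to look inside archives in writable directories.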


Technical Details

Author: AlienVault
TLP: white
References: https://blog.sucuri.net/2025/07/stealthy-php-malware-uses-zip-archive-to-redirect-wordpress-visitors.html
Adversary: none listed
Pulse Id: 68750b271ed247073ded7ab1
Threat Score: not set

Indicators of Compromise

Type     Value
domain   oqmetrix.icercanokt.xyz
domain   wditemqy.enturbioaj.xyz
domain   yzsurfar.icercanokt.xyz

Threat ID: 68750da0a83201eaacc72b2c

Added to database: 7/14/2025, 2:01:04 PM

Last enriched: 7/14/2025, 2:16:45 PM

Last updated: 7/15/2025, 4:47:08 AM
