Stealthy WordPress Malware Uncovered: Multi-Stage RAT Injects via Header.php, Hides Traces
Cybercriminals have launched a new wave of attacks targeting WordPress websites—so meticulously concealed that the campaign was only recently uncovered. Security experts at Sucuri have discovered that compromised websites are being used as silent vectors for distributing malware designed to infiltrate Windows-based systems.
The scheme, though deceptively simple, is cloaked in sophistication. On the surface, the affected websites appear to function normally, displaying no overt signs of compromise. Yet behind the scenes, a covert download mechanism initiates the deployment of malicious software. The harmful code is embedded deep within the site’s structure, evading detection by most standard security tools.
The infection ultimately results in the download and execution of a trojan known as client32.exe—a remote-access malware that grants attackers control over the victim’s system. Once installed, the trojan conceals itself within the system and can remain undetected for extended periods. It allows threat actors to manipulate the infected device, harvest data, or leverage it for further attacks.
The trojan poses an even greater threat due to its use of legitimate Windows utilities for propagation and persistence, making it particularly challenging for antivirus solutions to detect. Moreover, websites involved in the campaign maintain visit logs to avoid reinfecting prior victims—a tactic that enhances the stealth and efficiency of the attackers.
Incidents like these underscore the critical importance of timely updates to website platforms and server-side software. Site owners are urged to employ additional security measures such as Web Application Firewalls (WAFs). End users, too, should exercise caution when downloading files from any website, regardless of how trustworthy it appears, and ensure their antivirus tools and system updates are consistently maintained.
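One concrete measure a site owner can add is an integrity and heuristic check of the theme's header.php, the injection point named in this report. The script below is an added example written for this article, not code from Sucuri or from the campaign analysis; the obfuscation patterns it looks for are generic indicators of tampered PHP/JS files, not signatures of this specific campaign (the article publishes none), and the sample header contents are constructed.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Generic indicators of injected code in theme files (assumed heuristics, not
# campaign-specific signatures). Each hit is a review item, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_code_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    # Legitimate themes may also load remote scripts; flag for manual review.
    "external_script_src": re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I),
}


def sha256_text(content: str) -> str:
    """SHA-256 of the file text, for comparison with a known-good theme copy."""
    return hashlib.sha256(content.encode("utf-8", "surrogatepass")).hexdigest()


def scan_header_php(content: str, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return a list of finding names for one header.php's contents (empty if clean)."""
    findings: List[str] = []
    # Strongest signal: the file no longer matches the pristine theme package.
    if known_good_sha256 is not None and sha256_text(content) != known_good_sha256:
        findings.append("hash_mismatch")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(content):
            findings.append(name)
    return findings


def scan_theme_dir(themes_root: str) -> Dict[str, List[str]]:
    """Scan every <theme>/header.php under wp-content/themes (path is an assumption)."""
    return {str(p): scan_header_php(p.read_text(errors="replace"))
            for p in Path(themes_root).glob("*/header.php")}


# Constructed samples: a minimal clean header and the same file with an injected
# decode-and-eval stub plus a foreign script tag (the decoded stub is just echo 'hi';).
CLEAN_HEADER = ("<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n<head>\n"
                "<meta charset=\"<?php bloginfo('charset'); ?>\">\n<?php wp_head(); ?>\n"
                "</head>\n<body <?php body_class(); ?>>\n")
INJECTED_HEADER = CLEAN_HEADER.replace(
    "<?php wp_head(); ?>",
    "<?php eval(base64_decode('ZWNobyAnaGknOw==')); wp_head(); ?>\n"
    "<script src=\"https://example.invalid/loader.js\"></script>")
```

Run scan_theme_dir("/var/www/html/wp-content/themes") on a live install and pair it with hashes taken from the original theme archive so that hash_mismatch, not the heuristics, carries the decision.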
This campaign serves as yet another reminder that cyber threats are becoming increasingly sophisticated, targeting not only websites but also the endpoint devices of everyday users.