(520) 462-0516

info@threatintel-solutions.net

Threat Intel Solutions

Let’s Talk

Malvertising Campaign Hides in Plain Sight on WordPress Websites

* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)Malvertising Campaign Hides in Plain Sight on WordPress Websites================================================================![](https://secure.gravatar.com/avatar/3bb7fb42c6bf04c758d570c2f6bb217266c127e77766dc9d8e6754f15cdd5867?s=60&d=mm&r=g) [Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava)* October 3, 2025 ![Malvertising Campaign Hides in Plain Sight on WordPress Websites](https://blog.sucuri.net/wp-content/uploads/2025/10/Malvertising-Campaign-Hides-in-Plain-Sight-on-WordPress-Websites-820×385.png) Recently, one of our customers noticed suspicious JavaScript loading across their WordPress website. Visitors were being served third-party scripts that the site owner never installed.After investigation, we discovered the infection originated from a malicious modification in the active theme’s **functions.php** file. This injected PHP code silently fetched external JavaScript from attacker-controlled domains and inserted it into the site’s front-end.Behind the Breach—————–We found a suspicious script loading on the client’s website. When we viewed the page source, we found the following:![behind the breach](https://blog.sucuri.net/wp-content/uploads/2025/10/behind-the-breach.png)That single line was our first clue. We started digging and found that this JavaScript file was loading on at least [17 websites](https://publicwww.com/websites/%22porsasystem.com%22/) at the time of our investigation. A quick search on VirusTotal confirmed our suspicions, with the domain [blocklisted by 17 security vendors](https://www.virustotal.com/gui/url/115e1660eaa1990734e1283f14f949a3a75b942cf10458ec66eb3c83b8c8cbf9?nocache=1).![VirusTotal score](https://blog.sucuri.net/wp-content/uploads/2025/10/VirusTotal-score.png)After a thorough scan of the site’s files, we found a genuine-looking block of code at the bottom of the theme’s functions.php file. This small, seemingly harmless function was the entry point for the entire malicious advertising campaign.Indicators of Compromise (IoCs)——————————-* **brazilc** -[**.** -]**com*** **porsasystem** -[**.** -]**com**Dissecting the Malware———————-### Remote Loader in functions.phpAt the bottom of the theme’s functions.php file, we found this function `ti_custom_javascript()`. At first glance, it looks harmless.![dissecting the malware](https://blog.sucuri.net/wp-content/uploads/2025/10/dissecting-the-malware.png)The injected function runs on every page load through `wp_head`. It contacts a remote URL:The initial PHP code is just the key, the real threat lies in the content it fetches.### Malicious ResponseThe code establishes a `POST` connection to the Command and Control (C-&C) server at **hxxps://brazilc** -[**.** -]**com/ads** -[**.** -]**php** and then uses `echo` to print the response directly into the “ of the HTML document.When we manually requested the remote endpoint, we received the following payload:![malicious response](https://blog.sucuri.net/wp-content/uploads/2025/10/malicious-response.png)This dynamic payload executes a two-pronged attack:1. The first is that the script loading from **porsasystem** -[**.** -]**com/6m9x** -[**.** -]**js** is the main engine for the redirects and pop-ups reported by the client. This domain functions as a traffic distributor, loading further malicious scripts responsible for actions like forced redirects.2. The second is that the remaining, lengthy JavaScript creates a hidden, 1×1 pixel iframe. Inside this iframe, it injects code that mimics a legitimate Cloudflare action (cdn-cgi/challenge-platform/scripts/jsd/main.js). This is a security evasion technique used by attackers to either bypass security tools or the secure code execution.The **data-cfasync=’false’** and **async** attributes are used to avoid **Cloudflare Rocket Loader** interference and to load the script asynchronously so it does not block page rendering.Why is this dangerous?———————-Site visitors get injected content that was drive-by malware like fake CloudFlare verification.Remediation Steps—————–There are a number of preventative measures that should be taken on all websites.1. Keep your plugins, themes, and website software up-to-date. Always patch to the latest version to help mitigate risk known [software vulnerabilities](https://blog.sucuri.net/category/vulnerability-disclosure). Website visitors should be sure to keep their browser and operating system up to date as well.2. Regularly scan for backdoors and malware. That means scanning at the [server and client level](https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monitoring.html) to identify any malicious injections, SEO spam, or backdoors that may be lurking on your site. Our [Website Security plans](https://sucuri.net/lp/sem/ga-website-security-platform/) include a [server-side scanner](https://docs.sucuri.net/website-monitoring/server-side-scanner/) that runs multiple times per day to check for changed files and injected malware.3. Enforce [unique passwords](https://blog.sucuri.net/2022/08/how-to-create-secure-passwords-for-your-website.html) for all of your accounts. That includes credentials for sFTP, database, cPanel, and admin users.4. Monitor your logs for indicators of compromise. Regularly check for unusual or suspicious behavior and consider using a [file integrity monitoring](https://wordpress.org/plugins/sucuri-scanner/) system on your website.5. Get a web application firewall (WAF). Firewalls can help mitigate bad bots, [prevent brute force attacks,](https://sucuri.net/guides/what-is-brute-force-attack/) and detect attacks in your environment, which are features the Sucuri firewall provides.Closing the chapter——————-This infection shows how attackers abuse small theme modifications to gain control of a website’s front-end. A few extra lines in functions.php were enough to load malicious JavaScript from external domains and compromise every visitor session. That too, looked genuine.Cleaning the site requires removing injected code, checking for other backdoors, and hardening the environment against reinfection. Regular updates, strong credentials, and monitoring remain the best defenses against these types of WordPress malware campaigns.If you believe your site has been compromised, we can help! Reach out to our [support team](https://sucuri.net/live-chat/) for assistance and we can get the malware cleaned up for you. ![](https://secure.gravatar.com/avatar/3bb7fb42c6bf04c758d570c2f6bb217266c127e77766dc9d8e6754f15cdd5867?s=120&d=mm&r=g) ##### [Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava)Puja Srivastava is a Security Analyst with a passion for fighting new and undetected malware threats. With over 7 years of experience in the field of malware research and security, Puja has honed her skills in detecting, monitoring, and cleaning malware from websites. Her responsibilities include website malware remediation, training, cross-training and mentoring new recruits and analysts from other departments, and handling escalations. Outside of work, Puja enjoys exploring new places and cuisines, experimenting with new recipes in the kitchen, and playing chess.##### Related Tags* [Malvertising](https://blog.sucuri.net/tag/malvertising),* [Malware](https://blog.sucuri.net/tag/malware),* [WordPress Plugins and Themes](https://blog.sucuri.net/tag/wordpress-plugins-and-themes),* [WordPress Security](https://blog.sucuri.net/tag/wordpress-security)##### Related Categories* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)![From Web3 Drainer to Distributed WordPress Bruteforce Attack](https://blog.sucuri.net/wp-content/uploads/2024/03/Blog-Post-WordPress-Brute-Force-Distributed-Attack-390×183.png) * [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html) [From Web3 Drainer to Distributed WordPress Brute Force Attack](https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html)——————————————————————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/292c42da0d9f929a9405e6ce269f101cc888f5c5cbcf8006e131c9bed042c80d?s=20&d=mm&r=g)Denis Sinegubko* March 5, 2024 Two weeks ago we discussed a new development in website hacks: Web3 crypto wallet drainers. We’ve been closely following the most significant variant which injects… [Read the Post](https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html) ![Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network](https://blog.sucuri.net/wp-content/uploads/2023/01/BlogPost_Feature-Image_1490x700_Massive-WordPress-Malware-Campaign-390×183.png) * [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html) [Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network](https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html)———————————————————————————————————————————————————————————————————–* ![](https://secure.gravatar.com/avatar/292c42da0d9f929a9405e6ce269f101cc888f5c5cbcf8006e131c9bed042c80d?s=20&d=mm&r=g)Denis Sinegubko* January 24, 2023 Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often… [Read the Post](https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og-servers2-390×205.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2019/08/user-adder-backdoor.html) [User adder backdoor](https://blog.sucuri.net/2019/08/user-adder-backdoor.html)——————————————————————————-* ![](https://secure.gravatar.com/avatar/8510ace8bb7c5cbee9ae2b972ebfce56edaa1c7b63e58ab3b725349c2c73e66d?s=20&d=mm&r=g)Cesar Anjos* August 5, 2019 As we’ve seen many times before, there are a variety of backdoors that can be planted on a website. Post-compromise, it’s almost mandatory to review… [Read the Post](https://blog.sucuri.net/2019/08/user-adder-backdoor.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og-servers2-390×205.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2020/04/wordpress-admin-login-stealer.html) [WordPress Admin Login Stealer](https://blog.sucuri.net/2020/04/wordpress-admin-login-stealer.html)—————————————————————————————————* ![](https://secure.gravatar.com/avatar/108fef16f8912ede77125c7646b2cbc2f38b7ad3c2912f7a0b8770570271134c?s=20&d=mm&r=g)Krasimir Konov* April 27, 2020 During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file… [Read the Post](https://blog.sucuri.net/2020/04/wordpress-admin-login-stealer.html) ![Sucuri Vulnerability Roundup – August 2025](https://blog.sucuri.net/wp-content/uploads/2025/09/August-2025-390×183.jpg) * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html) [Vulnerability -& Patch Roundup — August 2025](https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html)——————————————————————————————————————————* ![](https://blog.sucuri.net/wp-content/uploads/2024/07/avatar_user_112_1721420180-20×20.png)Sucuri Malware Research Team* August 31, 2025 Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes… [Read the Post](https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html) ![Understanding & Stopping Malicious Redirects](https://blog.sucuri.net/wp-content/uploads/2020/04/20-malicious_redirects_blog_image-390×183.jpg) * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2020/05/malicious-redirects.html) [Understanding -& Stopping Malicious Redirects](https://blog.sucuri.net/2020/05/malicious-redirects.html)———————————————————————————————————* ![](https://secure.gravatar.com/avatar/c0f281a14b301a2b2ce284569fb81a1bf72f2dced95b15c387258ea2acadbdab?s=20&d=mm&r=g)Art Martori* May 22, 2020 Many website owners don’t know they’re infected with malicious redirects until they start getting calls from wary customers. Instead of the site they were expecting,… [Read the Post](https://blog.sucuri.net/2020/05/malicious-redirects.html) ![](https://blog.sucuri.net/wp-content/uploads/2020/04/image3-390×183.png) * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomware.html) [Analyzing -& Decrypting L4NC34’s Simple Ransomware](https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomware.html)—————————————————————————————————————————————–* ![](https://secure.gravatar.com/avatar/8510ace8bb7c5cbee9ae2b972ebfce56edaa1c7b63e58ab3b725349c2c73e66d?s=20&d=mm&r=g)Cesar Anjos* April 6, 2020 We’re constantly seeing news about computers being infected by ransomware, but very little do we hear about it affecting websites. That being said, the impact… [Read the Post](https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomware.html) ![Phishing](https://blog.sucuri.net/wp-content/uploads/2022/07/BlogPost_FeatureImage_1490x700_Phishing-DHL-390×183.jpg) * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2025/08/what-is-phishing.html) [What is Phishing?](https://blog.sucuri.net/2025/08/what-is-phishing.html)————————————————————————–* ![](https://secure.gravatar.com/avatar/22eda79f08683f82b82a797fc400cbda587ebda037f425079aa9106bef253c4d?s=20&d=mm&r=g)Juliana Lewis* August 26, 2025 Phishing is a serious threat to any industry. We have seen this topic appear in the news more each day. You might have already received a… [Read the Post](https://blog.sucuri.net/2025/08/what-is-phishing.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og-servers-390×205.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2020/04/phishing-with-a-covid-19-lure.html) [Phishing with a COVID-19 Lure](https://blog.sucuri.net/2020/04/phishing-with-a-covid-19-lure.html)—————————————————————————————————* ![](https://secure.gravatar.com/avatar/1c366df979e3ab3b3f9add08268c19141d3202ba8b885d1fcbfd106e7f2f7aba?s=20&d=mm&r=g)Luke Leal* April 6, 2020 It’s not uncommon to see criminals use disasters or current events to enhance their social engineering tactics, and the recent COVID-19 pandemic is no different…. [Read the Post](https://blog.sucuri.net/2020/04/phishing-with-a-covid-19-lure.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og1-390×181.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2017/04/websockets-viagra-and-fake-cloudflare-cdn.html) [WebSockets, Viagra and Fake CloudFlare CDN](https://blog.sucuri.net/2017/04/websockets-viagra-and-fake-cloudflare-cdn.html)—————————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/423a016fd850615125dde80911c97a577baf4990be9250b35c71085b651a6511?s=20&d=mm&r=g)Fernando Barbosa* April 3, 2017 Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page which appear 15 seconds after browsing the website. Those banners… [Read the Post](https://blog.sucuri.net/2017/04/websockets-viagra-and-fake-cloudflare-cdn.html)

Related Tags:
NAICS: 519 – Web Search Portals

Libraries

Archives

Other Information Services

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 51 – Information

Denis

Blog: Sucuri

Phishing

Impair Defenses: Disable or Modify System Firewall

Impair Defenses

Associated Indicators:
brazilc.com

porsasystem.com

Search

Popular Posts

Categories

Pages

Archives

Tags

Follow Us