
A significant threat targeting WordPress sites is now actively distributing malicious software to unsuspecting visitors. This campaign utilizes a highly concealed PHP backdoor embedded within compromised websites. Unlike typical website defacements, this attack has a far more insidious goal: delivering a Windows-specific Trojan directly to the computers of anyone browsing the infected site.
The PHP backdoor acts as a critical initial point of compromise. It is designed to evade detection, often disguising itself within seemingly legitimate files or using complex obfuscation techniques. Once established, this backdoor provides attackers with persistent access to the website.
The true danger lies in the subsequent payload. The backdoor is specifically programmed to serve a malicious executable file when visitors access certain pages or interact with the site. This file is a variant of an information-stealing Trojan, known for its ability to siphon sensitive data from the victim’s machine. This includes saved browser credentials, financial details, cryptocurrency wallet information, and other valuable personal and business data.
Essentially, attackers are turning compromised WordPress sites into watering holes, exploiting the site’s audience to spread malware. Visitors simply browsing an infected site are at risk of downloading and executing the Trojan without their knowledge.
Protecting your site and your visitors requires vigilance. Website administrators must prioritize website security, ensuring all themes, plugins, and the WordPress core are kept up-to-date to patch known vulnerabilities. Implementing a robust security solution capable of scanning for backdoors, identifying malicious file modifications, and monitoring outgoing connections is crucial. Regular backups and security audits are also essential steps in preventing and recovering from such sophisticated attacks. Identifying and removing the stealthy PHP backdoor is the first step to stopping the distribution of the Windows Trojan and securing the site against further compromise.
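As an added defensive example that is not part of the original post or of Sucuri's tooling, the Python script below shows the kind of file-integrity check the advice above calls for: it hashes every file in a WordPress install, reports files added, modified or removed since a stored baseline, and flags PHP files sitting under wp-content/uploads, a directory that in a standard layout holds only media (that layout is an assumption). The sample install and the simulated tampering in demo() are constructed for illustration, not data from the campaign.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a standard WordPress layout, where wp-content/uploads holds only media.
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}
NO_PHP_DIRS = ("wp-content/uploads",)

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large media files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def diff_baseline(old, new):
    """Files added, modified or removed since the stored baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}

def php_in_upload_dirs(baseline):
    """Flag PHP files in directories that should only ever contain media."""
    return sorted(k for k in baseline
                  if k.startswith(NO_PHP_DIRS) and Path(k).suffix.lower() in PHP_EXTENSIONS)

def demo():
    """Constructed sample install, then a simulated tampering (not data from the campaign)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads/2025/06").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "wp-includes/version.php").write_text("<?php $wp_version = '6.x';\n")
        (root / "wp-content/uploads/2025/06/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        before = build_baseline(root)
        # Simulated compromise: a PHP file planted under uploads and a core file edited.
        (root / "wp-content/uploads/2025/06/cache.php").write_text("<?php /* planted */\n")
        (root / "wp-includes/version.php").write_text("<?php $wp_version = '6.x'; // edited\n")
        after = build_baseline(root)
        return diff_baseline(before, after), php_in_upload_dirs(after)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install or update, stored off the web root, and compared on a schedule; any unexpected entry in the report is what the scanning advice above is meant to surface.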
Source: https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-trojan-via-php-backdoor.html