A new and dangerous malware campaign has been found targeting WordPress websites. It is one of the most stealthy attacks researchers have seen so far. This malware silently delivers a Windows Trojan to visitors without showing any sign that something is wrong.
Researchers at Sucuri discovered the attack. They were checking what looked like a normal WordPress hack, but the truth turned out to be much more serious.
This malware does not show redirects, fake pop-ups, or strange behavior on the site. Everything looks clean from the outside. But behind the scenes, it uses a powerful PHP backdoor system that secretly drops a Trojan onto visitors’ Windows systems.
How it works
The main part of the malware hides in the header.php file. This file acts as the control center. It checks who is visiting and only delivers the malware once to each IP address. It also blocks known analysis tools and security bots.
When a new victim visits, the malware creates a Windows batch script. This script uses PowerShell to download a hidden ZIP file that contains the actual malware file, a Trojan called client32.exe.
This file gets saved in the %APPDATA% folder on the victim’s computer. The malware then makes changes to the Windows Registry so that client32.exe runs every time the computer starts. This ensures it stays active even after a reboot.
Once installed, the Trojan connects to a command-and-control server (IP: 5.252.178.123) on port 443. This gives attackers remote access to the system, as in many advanced persistent threats (APTs).
The malware even tries to cover its tracks by deleting the download traces, but it keeps the final Trojan file in place so it can keep running.
Why this matters
This campaign is a big warning sign. WordPress is the world’s most popular website platform and powers around 43–44% of all websites globally. If you use WordPress and your site is infected, it may not be just your site that is at risk; your visitors are in danger too. So, you need to learn how to keep your WordPress website secure.
Also, this attack shows how signature-based antivirus tools are no longer enough. There were no obvious signs, and normal scans would likely miss it.
If you manage a WordPress website, check for suspicious code in your theme files, especially in header.php. And always keep WordPress, plugins, and themes up to date. If possible, use a firewall or malware scanner that can detect hidden threats like this.