Hackers Hide Malware in WordPress ZIP Files to Hijack Users
Cybersecurity researchers have revealed a novel ZIP-based attack in which hackers hide malware in WordPress websites and redirect visitors to harmful domains. The campaign, first detected in July 2025, uses obfuscated PHP code to evade detection and to persist across site updates. The attackers modify the wp-settings.php file, injecting code that executes hidden payloads stored in a ZIP archive named win.zip.
The malware also carries out search engine poisoning: it injects unauthorized content and manipulates sitemaps to boost the visibility of the malicious sites. To avoid detection, it distinguishes between bots and human users (cloaking), serving benign content to search-engine crawlers while redirecting real visitors.
Sucuri analysts uncovered the attack after investigating repeated redirect issues. The malware includes code that dynamically selects different Command and Control servers based on user behavior. These tactics enhance resilience and enable targeted delivery of malicious content.
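Two checks a site owner can run against the behaviour described above, as an added example that is not part of the original article or of Sucuri's tooling: an integrity and indicator scan of wp-settings.php (known-good hash comparison plus the archive name and PHP archive stream wrappers named or implied by the report, with generic obfuscation primitives as an extra heuristic), and a differential check that flags cloaking when a crawler-like client receives normal content while a browser-like client is redirected off-site. The wp-settings.php bodies, the injected line (a labelled stand-in, not the campaign's real code) and the HTTP responses are all constructed sample input; the `.example.org`/`.example.net` hosts are placeholders.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators: the archive name from the report, the PHP stream wrappers that
# can load code out of an archive, and common obfuscation primitives
# (the last two are generic heuristics, an assumption rather than report content).
INDICATORS = {
    "win_zip_reference": re.compile(r"win\.zip", re.IGNORECASE),
    "archive_stream_wrapper": re.compile(r"\b(zip|phar)://", re.IGNORECASE),
    "obfuscation_primitive": re.compile(
        r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_wp_settings(content: str, known_good_hash: Optional[str] = None) -> dict:
    """Compare a wp-settings.php body against a known-good hash and scan it for
    indicator strings. Returns hash_mismatch, (indicator, line) pairs, and an
    overall suspicious flag."""
    findings: dict = {"hash_mismatch": False, "indicators": []}
    if known_good_hash is not None:
        findings["hash_mismatch"] = sha256(content.encode()) != known_good_hash
    for name, rx in INDICATORS.items():
        for m in rx.finditer(content):
            line_no = content.count("\n", 0, m.start()) + 1
            findings["indicators"].append((name, line_no))
    findings["suspicious"] = findings["hash_mismatch"] or bool(findings["indicators"])
    return findings


# responses maps a client label to (status, Location header or None, body)
Response = Tuple[int, Optional[str], str]


def detect_cloaking(site_host: str, responses: Dict[str, Response]) -> dict:
    """Flag cloaking when some clients (e.g. a browser-like one) are redirected
    to a host outside the site while others (e.g. a crawler-like one) are not."""
    offsite: Dict[str, str] = {}
    for label, (status, location, _body) in responses.items():
        if 300 <= status < 400 and location:
            host = urlparse(location).hostname or ""
            if host and host != site_host and not host.endswith("." + site_host):
                offsite[label] = host
    return {
        "offsite_redirects": offsite,
        "cloaking": bool(offsite) and len(offsite) < len(responses),
    }


# Constructed, abbreviated stand-in for a clean wp-settings.php.
CLEAN_WP_SETTINGS = """<?php
/**
 * Used to set up and fix common variables and include
 * the WordPress procedural and class library.
 */
define( 'WPINC', 'wp-includes' );
require ABSPATH . WPINC . '/version.php';
require ABSPATH . WPINC . '/load.php';
"""

# Constructed tampered copy: the appended include is a labelled placeholder
# that merely references the archive, not the campaign's actual loader code.
TAMPERED_WP_SETTINGS = CLEAN_WP_SETTINGS + """
// constructed stand-in for an injected loader line
@include 'zip://' . ABSPATH . 'win.zip#PLACEHOLDER.php';
"""

# Constructed responses: crawler gets a 200 page, browser gets an off-site 302.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "crawler": (200, None, "<html><body>Welcome to our shop</body></html>"),
    "browser": (302, "https://landing.example.net/offer", ""),
}


def report() -> List[str]:
    lines: List[str] = []
    baseline = sha256(CLEAN_WP_SETTINGS.encode())
    for label, body in (("clean", CLEAN_WP_SETTINGS), ("tampered", TAMPERED_WP_SETTINGS)):
        lines.append(f"{label}: {scan_wp_settings(body, baseline)}")
    lines.append(f"cloaking: {detect_cloaking('example.org', SAMPLE_RESPONSES)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In practice the known-good hash comes from a pristine WordPress release of the same version, and the two responses come from fetching the front page once with a search-engine-style User-Agent and once with a normal browser one; a redirect that only the browser-like request receives is the cloaking symptom the article describes.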
Read the full article for complete details:
Threat Actors Weaponize WordPress Websites to Redirect Visitors to Malicious Websites
