From a 7 KB file to a 13-year backdoor operation
4 hours ago
- #Malware Investigation
- #WordPress Security
- #Supply Chain Attack
- The closure of the WordPress plugin wp-advanced-math-captcha revealed a hidden .dat file containing a malicious dropper linked to SiteGuarding.
- Decoding the dropper exposed a backdoor named siteguarding_tools.php that registered infected sites and allowed remote access, with connections to other plugins like image-optimizer-x.
- DNS lookups showed cmsplughub.com shared infrastructure with SiteGuarding, linking anonymous accounts (@lulub5592, @dalielsam) to a single operator.
- Investigation uncovered a 13-year operation with 44 plugins across 19 accounts, including a 2020 sweep of 27 plugins and burner accounts in 2024-2026.
- Malware techniques evolved from inline backdoors to compressed binaries (.dat, .gzs, .key files) and persistence via wp-config.php injections.
- The backdoor provided remote file access, code execution, and self-recovery, with continuous development up to version 2.4 in 2026.
- SiteGuarding was linked to a dissolved Cyprus shell company, SafetyBis Ltd., with C2 domains like safetybis.com still active.
- Systematic sweeps of closed plugins identified additional burner accounts, showing that broad, methodical analysis finds what chance discovery misses.
- Indicators of compromise include specific files, MD5 hashes, domains, IPs and account names; the recommendation is to rebuild affected sites rather than only remove the malicious files.
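As an added triage example (not code from the original investigation), the script below checks a WordPress tree for the file-level indicators the summary names: the siteguarding_tools.php backdoor, packed payloads with .dat/.gzs/.key extensions inside the plugins directory, references to the safetybis.com and cmsplughub.com domains, and wp-config.php lines that include code from the plugins directory. The wp-config.php pattern is an assumption, since the exact injected string is not given on the page; the sample tree is constructed, not real plugin content.

```python
import os
import re

# Indicators named in the investigation summary above.
BACKDOOR_FILES = {"siteguarding_tools.php"}
PAYLOAD_EXTENSIONS = {".dat", ".gzs", ".key"}
KNOWN_DOMAINS = {"safetybis.com", "cmsplughub.com"}
# Heuristic (assumption): wp-config.php should never pull code in from the
# plugins directory; the page does not give the exact injected string.
WPCONFIG_INCLUDE = re.compile(r"\b(include|require)(_once)?\b.*wp-content/plugins", re.I)

def find_indicators(tree):
    """tree maps relative POSIX paths to file text.
    Returns a sorted list of (path, reason); empty means nothing matched."""
    findings = []
    for path, text in tree.items():
        name = os.path.basename(path)
        ext = os.path.splitext(name)[1].lower()
        if name in BACKDOOR_FILES:
            findings.append((path, "known backdoor filename"))
        if path.startswith("wp-content/plugins/") and ext in PAYLOAD_EXTENSIONS:
            findings.append((path, f"packed payload extension {ext}"))
        if name == "wp-config.php":
            for line in text.splitlines():
                if WPCONFIG_INCLUDE.search(line):
                    findings.append((path, "include from plugins dir: " + line.strip()))
        for dom in KNOWN_DOMAINS:
            if dom in text:
                findings.append((path, f"references C2 domain {dom}"))
    return sorted(findings)

def scan_directory(root):
    """Walk a real WordPress install and run the same checks on it."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                tree[rel] = fh.read()
    return find_indicators(tree)

# Constructed sample install: one clean plugin file, one clean theme file,
# a packed .dat payload, the named backdoor, and an injected wp-config.php.
SAMPLE_TREE = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n"
                     "include_once(ABSPATH . 'wp-content/plugins/wp-advanced-math-captcha/x.php');\n",
    "wp-content/plugins/wp-advanced-math-captcha/captcha.php": "<?php // plugin code\n",
    "wp-content/plugins/wp-advanced-math-captcha/lib.dat": "<compressed blob>",
    "wp-content/plugins/image-optimizer-x/siteguarding_tools.php": "<?php // phones home to safetybis.com\n",
    "wp-content/themes/t/style.css": "body{}",
}

if __name__ == "__main__":
    for path, reason in find_indicators(SAMPLE_TREE):
        print(f"{path}: {reason}")
```

A hit is a starting point for rebuilding the site from clean sources, as the summary recommends, not a clean bill of health when nothing matches.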