
The Cookie Monster: How Cybercriminals Are Using PHP Variables and Cookies to Hide Malware in Plain Sight

A sophisticated new malware campaign is targeting WordPress sites with an ingenious obfuscation technique that’s proving difficult to detect—and it’s already hit over 30,000 sites in a single month.

Introduction: The Perfect Storm

WordPress powers over 43% of all websites on the internet, making it an irresistible target for cybercriminals. But here’s the sobering reality: WordPress sites face over 90,978 attacks per minute, and more than 500,000 websites were compromised due to security issues in the past year alone. While we’ve grown accustomed to seeing malware evolution, the latest campaign discovered by Wordfence researchers represents a genuinely clever leap forward in obfuscation techniques – one that has security professionals taking notice.

This isn’t just another malware variant. It’s a masterclass in deception that fragments malicious code across multiple HTTP cookies, reassembles it dynamically at runtime, and requires precisely crafted requests to activate. The malware was detected over 30,000 times in September 2025 alone, demonstrating both its widespread deployment and alarming effectiveness against conventional security measures.

The Attack: Hide and Seek with Cookies

Traditional malware typically embeds a complete malicious payload within a file, which makes it relatively straightforward to detect with signature-based scanning. But this new campaign takes a fundamentally different approach that exploits a feature of PHP most developers use every day: variable functions.

Here’s how it works:

Stage 1: The Cookie Check

The malware begins by validating that exactly 11 cookies are present in the HTTP request, with one containing the specific string “array11”. Think of this as a secret handshake – without all the right cookies in place, the malware remains dormant, looking like innocent obfuscated code that triggers no alarms.

Stage 2: Dynamic Function Reconstruction

This is where it gets clever. The script concatenates cookie values to reconstruct function names, such as combining cookies containing “base64_” and “decode” to form the complete base64_decode function name.

The execution chain looks something like this:

```php
$locale[79] = $locale[79] . $locale[94];  // Combines cookie fragments
$locale[23] = $locale[79]($locale[23]);    // Executes the reconstructed function
```

PHP’s variable function feature means that appending parentheses to a variable that holds a string makes PHP call the function named by that string. It’s a legitimate language feature being weaponized.

Stage 3: Code Execution

The malware subsequently uses create_function with attacker-controlled parameters to generate arbitrary executable code. Later variants have evolved even further, employing string replacement techniques that transform obfuscated strings like “basx649fxcofx” into “base64_decode” by replacing specific characters.

This multi-layered approach defeats pattern-matching detection while maintaining full remote code execution capabilities through serialized payloads delivered via cookie parameters.
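As an added illustration of the three stages (this is not the campaign’s code or Wordfence’s signatures), the following Python scanner flags the indicators just described in a constructed PHP sample: a cookie-count gate, a variable-function call on an array element, create_function(), and a str_replace() that rebuilds a function name, folding the literal str_replace() the way PHP would so the hidden name becomes visible. The sample, the regexes and the DANGEROUS name list are this example’s own assumptions.

```python
import re

# Constructed PHP sample modelled on the execution chain described above,
# not the campaign's real code: count gate, array-element variable function,
# str_replace() rebuilding a name, and create_function() on request data.
SAMPLE_PHP = r'''<?php
if (count($_COOKIE) != 11) { return; }
$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);
$fn = str_replace(array("x", "9", "f"), array("e", "_", "d"), "basx649fxcofx");
$run = create_function('$a', $locale[23]);  // removed in PHP 8.0; 7.x only
'''

# Assumed list of names worth flagging; not a vendor signature set.
DANGEROUS = {"base64_decode", "create_function", "eval", "system",
             "shell_exec", "passthru", "assert", "unserialize"}

COOKIE_GATE = re.compile(r'count\s*\(\s*\$_COOKIE\s*\)\s*[!=<>]=?\s*\d+')
ARRAY_CALL = re.compile(r'\$\w+\s*\[[^\]]+\]\s*\(')      # $v[idx](...)
CREATE_FN = re.compile(r'\bcreate_function\s*\(')
STR_REPLACE = re.compile(r'str_replace\s*\(\s*array\s*\(([^)]*)\)\s*,'
                         r'\s*array\s*\(([^)]*)\)\s*,\s*"([^"]*)"\s*\)')

def fold_str_replace(match):
    """Apply a literal str_replace() the way PHP does (search/replace pairs
    in order) so a name hidden by character substitution becomes visible."""
    search, replace, subject = match.groups()
    pairs = zip(re.findall(r'"([^"]*)"', search), re.findall(r'"([^"]*)"', replace))
    for s, r in pairs:
        subject = subject.replace(s, r)
    return subject

def scan_php(source):
    """Return (indicator, evidence) pairs found in a PHP source string."""
    findings = []
    for m in COOKIE_GATE.finditer(source):
        findings.append(("cookie_count_gate", m.group(0)))
    for m in ARRAY_CALL.finditer(source):
        findings.append(("variable_function_on_array", m.group(0)))
    for m in CREATE_FN.finditer(source):
        findings.append(("create_function", m.group(0)))
    for m in STR_REPLACE.finditer(source):
        folded = fold_str_replace(m)
        if folded in DANGEROUS:          # e.g. "basx649fxcofx" -> base64_decode
            findings.append(("str_replace_builds_" + folded, m.group(3)))
    return findings
```

Any one of these indicators appears in legitimate code; it is the combination in a single file, especially the cookie-count gate next to a dynamic call, that is worth a manual look.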

Why This Matters: A Broader Security Crisis

To understand the significance of this attack, we need to look at the bigger picture of WordPress security in 2025.

The Vulnerability Explosion

7,966 new vulnerabilities were reported in 2024, representing a 34% increase from 2023, with 96% found in plugins. Even more concerning, more than 43% of these new vulnerabilities required no authentication to exploit—meaning attackers don’t even need to crack passwords first.

Plugin Hell

WordPress core, plugin, and theme vulnerabilities account for nearly half of all malware infections, with the rest tied to poor security hygiene like weak passwords and lack of two-factor authentication. The plugin ecosystem, while powerful, has become WordPress’s Achilles’ heel.

Attack Sophistication Is Rising

69% of WordPress infections now involve malware injections and malicious redirects, while over 70% of malware attacks target specific websites rather than random targets. Attackers are getting smarter, more targeted, and increasingly patient—willing to hide dormant backdoors that wait for the perfect moment to activate.

My Take: Why This Attack Is So Dangerous

Having analyzed countless malware campaigns over the years, this cookie-based obfuscation technique stands out for several reasons:

1. It Exploits Trust

Cookies are fundamental to how the modern web works. Every website uses them. Security tools typically don’t scrutinize cookie contents with the same intensity they apply to file uploads or POST data. This attack exploits that inherent trust, hiding in plain sight among legitimate session cookies, shopping cart data, and tracking pixels.

2. Static Analysis Is Nearly Useless

Traditional malware scanners look for known malicious patterns in code. But when the malicious code doesn’t exist in a complete form until runtime, and only assembles when specific cookies are present, static analysis hits a brick wall. Analysis revealed that individual variants share core characteristics including dense obfuscation, excessive array lookups, and deliberate cookie validation checks that act as authentication mechanisms for attackers.

It’s like trying to identify a bomb by examining its individual components separately—the battery, wiring, and explosive material all look innocuous until they’re assembled.

3. It Protects Itself Through Obscurity

Even other malicious actors who discover the backdoor can’t use it without knowing the exact cookie structure. This conditional execution serves two purposes: it evades automated security scans, which may execute the script without the proper cookies and see nothing, and it locks out anyone else who stumbles on the backdoor. It’s malware with its own access control system.

4. It’s Scalable

Wordfence researchers added these samples to their threat intelligence database containing over 4.4 million unique malicious signatures—and these are just the variants they’ve identified. The technique is easily modifiable, meaning attackers can generate virtually unlimited variations that each look different to signature-based detection.

5. The AI Factor

Here’s something that keeps me up at night: AI agents are capable of exploiting vulnerabilities and generating exploitation scripts, significantly reducing the time it takes to weaponize a vulnerability. We’re entering an era where AI can create polymorphic malware that stays undetected by most pattern-based scanners. This cookie-based technique is perfect for AI-assisted attacks—easy to programmatically modify and test against various security tools.

The Bigger Picture: WordPress Is Under Siege

This attack doesn’t exist in isolation. It’s part of a larger trend that’s troubling:

  • The Balada Injector accounts for 21% of malware injections, while Sign1 malware has affected 57,000 sites
  • DDoS attacks have grown by 31%, with 44,000 daily attacks overwhelming website servers
  • 52% of sites have experienced significant business disruption from ransomware, and 83% of attacked sites have paid the ransom

Perhaps most concerning: only 38% of WordPress websites are running the latest version of the software, and 81% of WordPress vulnerabilities happen because of weak or stolen passwords.

What Can Be Done?

The good news? While this attack is sophisticated, it’s not unstoppable. Here’s what needs to happen:

For Website Owners

  1. Layer Your Security: Wordfence blocked 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020, with a 99.6% success rate. But no single tool is enough—you need firewalls, malware scanners, and behavioral analysis.
  2. Update Everything: 61% of all infected WordPress websites feature an out-of-date version. Yes, updates can break things. But you know what really breaks things? Getting hacked.
  3. Implement Proper Authentication: Two-factor authentication, strong unique passwords, and limiting login attempts should be non-negotiable. 75% of identity attacks rely on phishing and social engineering rather than malware.
  4. Monitor Actively: Behavioral analysis can catch what signature-based scanning misses. Look for unusual outbound connections, suspicious file modifications, and abnormal cookie patterns.
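The “abnormal cookie patterns” check in item 4, as an added example in Python (not code from the article or from any WordPress product): it scores one incoming Cookie header against the trigger conditions described earlier, namely the exact cookie count together with the marker string, fragments that join into a sensitive function name, and a PHP-serialized value. The cookie headers, the name list and the thresholds are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Names the article says get rebuilt from fragments, plus a few other PHP
# execution primitives; an assumed list for this example, not a vendor set.
SENSITIVE_NAMES = {"base64_decode", "create_function", "eval", "system",
                   "shell_exec", "passthru", "assert", "unserialize"}
MARKER = "array11"   # trigger string named in the article
GATE_COUNT = 11      # cookie count the article says the gate requires

# Constructed Cookie headers (not captured traffic): one with 11 cookies,
# the marker, a split function name and a URL-encoded serialized PHP array,
# and one that looks like an ordinary logged-in WordPress visitor.
TRIGGER_HEADER = ("wordpress_test_cookie=WP+Cookie+check; k0=array11; k1=base64_; "
                  "k2=decode; k3=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22abc%22%3B%7D; "
                  "k4=1; k5=2; k6=3; k7=4; k8=5; k9=6")
BENIGN_HEADER = "wordpress_logged_in_x=user%7C123; wp-settings-time-1=1700000000; PHPSESSID=deadbeef"

def parse_cookies(header):
    """Split a raw Cookie header into {name: decoded value}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = unquote(value)
    return cookies

def assess_request(cookie_header):
    """Return the reasons a request matches the trigger conditions described
    in the article; an empty list means nothing looked suspicious."""
    cookies = parse_cookies(cookie_header)
    values = list(cookies.values())
    reasons = []
    if len(cookies) == GATE_COUNT and any(MARKER in v for v in values):
        reasons.append(f"{GATE_COUNT} cookies with '{MARKER}' marker")
    # Fragments only mean something once joined, so try every ordered pair.
    for i, a in enumerate(values):
        for j, b in enumerate(values):
            if i != j and a + b in SENSITIVE_NAMES:
                reasons.append(f"fragments join to {a + b}")
    # PHP serialize() output starts a:N:{ or O:N:"; that is the shape the
    # article says payloads arrive in.
    for name, v in cookies.items():
        if re.match(r'^(a|O):\d+:', v):
            reasons.append(f"serialized PHP payload in cookie {name}")
    return reasons
```

Run this where the raw header is visible (a WAF rule or a must-use plugin), and treat a non-empty result as a reason to alert and preserve the request, not as proof on its own; the pair check also misses names split across three or more cookies.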

For the WordPress Ecosystem

  1. Better Plugin Vetting: 96% of vulnerabilities are found in plugins, with only 4% in themes. The plugin approval process needs to be more rigorous, especially with AI-generated code entering the ecosystem.
  2. Application-Level Firewalls: Generic WAF solutions deployed via DNS/CDN don’t have visibility into application components, which plugins are installed, or user authentication status. We need smarter firewalls that understand WordPress architecture.
  3. Supply Chain Security: With the upcoming European Union’s Cyber Resilience Act mandating vulnerability disclosure by September 2026, the WordPress community needs to get ahead of compliance requirements.

Conclusion: The Arms Race Continues

This cookie-based malware campaign is a reminder that cybersecurity is fundamentally an arms race. Defenders build better walls; attackers dig new tunnels. We patch vulnerabilities; they find creative ways to exploit trust.

What makes this particular attack noteworthy isn’t just its technical cleverness—it’s what it represents. We’re entering an era where malware can hide within the normal operation of web applications, where AI assists in creating polymorphic variants, and where the sheer volume of attacks (90,978 per minute against WordPress alone) makes manual review impossible.

The 30,000+ detections in a single month should be a wake-up call. This technique works. It’s spreading. And it’s only going to get more sophisticated.

For the 43% of the web running on WordPress, the message is clear: security can’t be an afterthought. It needs to be baked into every decision—from which plugins you install, to how you configure your hosting, to how quickly you apply updates.

Because in the time it took you to read this article, WordPress sites were attacked approximately 4.5 million times.

The cookie monster isn’t coming. It’s already here.


Key Takeaways

  • A new malware campaign uses PHP variable functions and cookie-based obfuscation to evade detection
  • Over 30,000 detections occurred in September 2025 alone
  • The technique fragments malicious code across multiple cookies, reassembling only when specific conditions are met
  • Traditional static analysis and signature-based scanning struggle against this approach
  • WordPress faces over 90,978 attacks per minute, with 7,966 new vulnerabilities discovered in 2024
  • Only 38% of WordPress sites run the latest software version, creating a massive attack surface
  • Multi-layered security, active monitoring, and aggressive updating are essential defenses