A new analysis by Wordfence security researchers has revealed a recurring malware strain that uses PHP’s variable function feature and browser cookies for advanced obfuscation.
The malware has been observed in multiple evolving variants and continues to affect WordPress environments worldwide.
Rising Activity Detected in September 2025
More than 30,000 malware samples of this type were detected and blocked by Wordfence during September 2025.
All known variants are now covered by both premium and free malware signatures provided by Wordfence.
Variable Functions Exploited
PHP’s variable function capability, which allows function names to be stored in variables and executed dynamically, has been heavily abused by attackers.
This technique, originally meant for flexible coding, is being used to execute arbitrary commands on compromised sites.
For example, malicious code may assign “eval” and “base64_decode” to variables, chaining them together to download and execute remote payloads.
When these function names are dynamically built or encoded, detection becomes significantly harder.
Simple patterns like eval(base64_decode()) are easily caught, but reordered or encoded calls can bypass traditional signature scans.
Cookie-Based Payloads
The malware also replaces typical user-input triggers with browser cookies.
In several cases, execution occurs only when a specific number of cookies—often 11 or 22—are present, along with a unique marker such as “array11.”
Cookie values are concatenated to rebuild PHP function names like “base64_decode” or “create_function.”
The payload is then decoded and executed on the server.
Some variants even check mathematical conditions, such as one cookie being divisible by 283, before activating.
Because all commands are controlled through cookies, attackers can trigger code execution without leaving visible traces in logs or form submissions.
Key Detection Traits
According to Wordfence, these scripts can be identified by several behavioral clues:
- Unusually dense and unformatted PHP code
- Use of variable functions
- Conditional checks based on cookies or superglobals
By focusing on these traits rather than static signatures, Wordfence’s malware engine can detect even heavily obfuscated variants.
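As an added illustration (not code from Wordfence or from the article), the following Python triage script turns the three traits above, together with the variable-function and cookie behaviours described in the earlier sections, into simple heuristics and runs them over two constructed PHP snippets: one mimicking the described pattern, one an ordinary, well-formatted theme helper. The regexes, weights and thresholds are assumptions chosen for this example, not Wordfence's signatures; the samples are constructed fixtures, not real malware.

```python
"""Heuristic triage of PHP source for the obfuscation traits described above.

Added example: regexes, weights and thresholds are assumptions for illustration,
not Wordfence's signatures.
"""
import re

# --- traits from the "Variable Functions" section -------------------------
# $f(...) : a variable used as the function name (PHP variable function)
VARIABLE_CALL = re.compile(r"\$[A-Za-z_]\w*\s*\(")
# 'ba'.'se64' : a name spliced together from short string fragments
STRING_SPLICE = re.compile(r"'[^']{1,8}'\s*\.\s*'[^']{1,8}'")

# --- traits from the "Cookie-Based Payloads" section -----------------------
# count($_COOKIE) == 11 : execution gated on an exact number of cookies
COOKIE_COUNT_GATE = re.compile(
    r"(?:count|sizeof)\s*\(\s*\$_COOKIE\s*\)\s*(?:===?|!==?|[<>]=?)\s*\d+")
# if (... $_COOKIE ...) : a superglobal used inside a condition
SUPERGLOBAL_CONDITION = re.compile(
    r"\bif\s*\(.{0,200}?\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\b", re.S)
# % 283 == 0 : arithmetic precondition before activating
MODULO_GATE = re.compile(r"%\s*\d+\s*===?\s*0")
# $f = $_COOKIE['a'] . $_COOKIE['b'] ; : a variable built purely from cookie values
COOKIE_ASSIGNMENT = re.compile(
    r"(\$[A-Za-z_]\w*)\s*=\s*\$_COOKIE\[[^\]]+\](?:\s*\.\s*\$_COOKIE\[[^\]]+\])*\s*;")

# Weights are assumptions; a callable assembled from cookies is the strongest signal.
WEIGHTS = {
    "variable_function_calls": 2,
    "spliced_string_literals": 1,
    "cookie_count_gate": 2,
    "superglobal_in_condition": 1,
    "modulo_gate": 1,
    "cookie_built_callable": 3,
    "dense_unformatted": 1,
}
SUSPICIOUS_THRESHOLD = 4  # assumption


def cookie_built_callable(source: str) -> bool:
    """True if a variable assembled from cookie values is later called as a function."""
    for match in COOKIE_ASSIGNMENT.finditer(source):
        var = match.group(1)
        if re.search(re.escape(var) + r"\s*\(", source):
            return True
    return False


def is_dense(source: str) -> bool:
    """Dense, unformatted code: a very long line with almost no whitespace."""
    lines = source.splitlines() or [""]
    longest = max(len(line) for line in lines)
    whitespace_ratio = sum(ch.isspace() for ch in source) / max(len(source), 1)
    return longest >= 120 and whitespace_ratio < 0.05


def triage(source: str) -> dict:
    """Return the observed traits, a weighted score and a verdict for one PHP file."""
    traits = {
        "variable_function_calls": len(VARIABLE_CALL.findall(source)),
        "spliced_string_literals": len(STRING_SPLICE.findall(source)),
        "cookie_count_gate": bool(COOKIE_COUNT_GATE.search(source)),
        "superglobal_in_condition": bool(SUPERGLOBAL_CONDITION.search(source)),
        "modulo_gate": bool(MODULO_GATE.search(source)),
        "cookie_built_callable": cookie_built_callable(source),
        "dense_unformatted": is_dense(source),
    }
    score = sum(WEIGHTS[name] for name, value in traits.items() if value)
    return {
        "traits": traits,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean",
    }


# Constructed samples (not real malware). The first mimics the pattern the
# article describes on a single unformatted line; the second is a normal helper.
SUSPICIOUS_SAMPLE = (
    "<?php if(count($_COOKIE)==11&&isset($_COOKIE['array11'])){"
    "$f=$_COOKIE['a'].$_COOKIE['b'].$_COOKIE['c'];$g='ba'.'se64'.'_dec'.'ode';"
    "if($_COOKIE['n']%283==0){$f($g($_COOKIE['p']));}}"
)
BENIGN_SAMPLE = """<?php
// Ordinary theme helper: format a timestamp with the site's date setting.
function render_date( $timestamp ) {
    return esc_html( date_i18n( get_option( 'date_format' ), $timestamp ) );
}
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for trait, value in result["traits"].items():
            print(f"    {trait:26} {value}")
```

Note that nothing in the script looks for the literal string `eval(base64_decode(`: every check is on how the code is built and gated rather than on a fixed call sequence, which is the distinction the article draws between static signatures and behavioral traits. A false positive on a single variable function call in a legitimate plugin is expected and stays below the threshold on its own.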
Ongoing Protection Efforts
Wordfence continues to invite researchers and users to submit undetected samples to expand their coverage.
Their layered defense system—including Wordfence Premium, Care, Response, and CLI tools—currently detects over 99% of known malicious variants using these obfuscation tactics.
The company emphasizes that vigilance and updated security plugins remain essential to keeping WordPress sites protected against evolving PHP malware threats.