Stealthworker Malware Used To Hijack WordPress Sites


The Stealthworker malware has been detected as the primary weapon in a worldwide attack taking down WordPress sites. An unknown hacking group is using this virus to take down blogs. An analysis of the infiltration strategy reveals how the malware has been integrated into the infection plan.

The Stealthworker Malware Used Once Against WordPress

One of the newest large-scale attacks against WordPress sites appears to be using the Stealthworker malware as its main weapon. An unknown hacking group is using the threat as part of its attack. The discovery was made through an ongoing honeypot capture network. This particular virus is written in the Go (Golang) programming language and can be used to launch brute-force attacks against major web services and platforms, including the following: cPanel/WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Bitrix, SSH and the FTP service. The malware can also be configured to look for administrator and backup login paths.

Through the honeypot operations, the security researchers were able to observe how the malware broke into the target systems. The victim test systems had the free Alternate Lite WordPress theme installed on the test blog. Using the brute-force attacks, the hackers were able to replace the theme's customizer.php script with a file upload command.

When the hacker-made script is launched on the victim site, the uploader script connects the installation to a hacker-controlled VPS server, from where a second script is retrieved and run. That script downloads a binary executable, which is the main engine of the malware. Its first action is to check the server architecture, that is, whether it is 32-bit or 64-bit. Its next action is to kill processes whose names contain the string "stealth".
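Two defender-side checks for the intrusion chain described above, as an added example that is not part of the original article or of the researchers' tooling: a burst of failed POSTs to /wp-login.php from one client (the credential brute force) and a theme file whose hash no longer matches a known-good baseline (the customizer.php replacement). All log lines, file contents and the threshold value are constructed for illustration.

```python
"""Detection helpers for the brute-force -> theme-file-replacement chain (added example)."""
import hashlib
import re
from collections import Counter

# Constructed Apache combined-format access log (sample input, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/May/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/May/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/May/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [10/May/2021:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# client IP, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_login_bruteforce(log_text, threshold=5):
    """Return client IPs with at least `threshold` failed wp-login.php POSTs.

    WordPress answers a failed login POST with 200 (the form is re-rendered)
    and a successful one with a 302 redirect, so a run of 200s followed by a
    302 from the same client is the pattern worth alerting on.
    """
    failed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed[ip] += 1
    return sorted(ip for ip, n in failed.items() if n >= threshold)

def build_baseline(files):
    """Map theme file name -> SHA-256 of its known-good content (taken after a clean install)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def find_modified_theme_files(baseline, current):
    """Return theme files that were changed, added or removed relative to the baseline."""
    names = set(baseline) | set(current)
    return sorted(n for n in names
                  if n not in current
                  or baseline.get(n) != hashlib.sha256(current[n]).hexdigest())
```

In practice the baseline is recorded right after installing or updating a theme and the file comparison is run on a schedule, so a replaced customizer.php is caught before the uploader it contains is ever triggered.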

While the number of commands and the malicious sequence are limited at this time, we expect that the hackers will change them in the near future. It is very possible that the observed attacks are simply test runs showing that the malware is fully functional. Future releases could be updated to support the following actions:

  • Additional Malware Code Delivery
  • Information Theft
  • Sabotage
  • Site Defacement

In order to stay safe, always keep your site installation up to date, along with any installed extra functionality such as themes and plugins.

Researched and created by:
Krum Popov
Technically reviewed by:
Metodi Ivanov
