{
	"id": "7582b2bd-520c-4269-a290-c3bf2b6f4abe",
	"created_at": "2026-04-06T01:30:53.06701Z",
	"updated_at": "2026-04-10T03:20:59.139533Z",
	"deleted_at": null,
	"sha1_hash": "4eda387ad5d65d1c928aef9d43ed720ec391daf2",
	"title": "Malware exploiting XML-RPC vulnerability in WordPress | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 605979,
	"plain_text": "Malware exploiting XML-RPC vulnerability in WordPress | blog\r\nBy Avinash Kumar, Aditya Sharma\r\nPublished: 2020-09-16 · Archived: 2026-04-06 00:50:07 UTC\r\nWe have written a number of blogs about vulnerabilities within and attacks on sites built with WordPress. And, when you consider that 34 percent of all websites in the world are built with WordPress, it’s understandable that cybercriminals will continue to focus their attention on this popular platform.\r\nOne of the most common attack vectors employed by these bad actors is to launch an XML-RPC attack. XML-RPC on WordPress, which is enabled by default, is an API that gives third-party applications and services the ability to interact with WordPress sites without going through a browser. Attackers use this channel to establish a remote connection to a WordPress site and make modifications without being directly logged in to your WordPress system. If a WordPress site has not disabled XML-RPC, there is no limit to the number of login attempts a hacker can make, meaning it is just a matter of time before a cybercriminal can gain access.\r\nRecently, the Zscaler ThreatLabZ team came across a scheme to attack WordPress sites in which a malicious program gets a list of WordPress sites from a C\u0026C server; those sites are then attacked by leveraging the XML-RPC pingback method to fingerprint the existing vulnerabilities on the listed WordPress sites.\r\nEven though we saw a payload used in this attack in our Zscaler cloud and also found a campaign of similar files on VirusTotal, we haven’t found any specific spam templates used for this campaign. Additionally, the payloads appear to be new and had no specific attribution, so we have given a new name to this program based on its activity—Win32.Backdoor.WPbrutebot.\r\nTechnical analysis\r\nIn our research, we found several samples pertaining to this campaign, but for brevity we analyze one sample here as an example.\r\nIn the sample set we worked on, we found that almost all samples used Microsoft version information, but all of them lack a legitimate Windows digital signature and left the company name as TODO, which implies that these files are being generated through a script and this section is still a work in progress.\r\nFigure 1: The common metadata used in most files in this campaign.\r\nhttps://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites\r\nPage 1 of 10\r\nAnother feature we found was that InternalName was always a sequence of 2s. Unfortunately, we weren’t able to conclude whether this was intentional or not.\r\nThe initial layer of the malware decodes the URIs used to make initial contact with the C\u0026C server. The first section is unpacked as shown in Figure 2:\r\nFigure 2: The decryption loop of this program.\r\nThis decryption loop is a simple XOR decryption whose key runs sequentially from B5 to C7, which gives us /lk4238fh317/update.php.\r\nFigure 3 shows the debugger dump.\r\nFigure 3: The decrypted string of this program.\r\nNext, the domain is generated using another XOR-based decryption where the key goes from B5 to C0.\r\nFigure 4: The decryption loop for this program.\r\nThe domain generated is k6239847[.]lib. This URL is then used with blockchain DNS.\r\nFigure 5: The DNS query.\r\nThe blockchain DNS URI is decrypted using a similar XOR loop, as shown in Figure 6. The value compared depends on the size of the blockchain DNS URI.\r\nFigure 6: The decryption loop.\r\nThese strings are first assembled on the heap using RtlAllocateHeap.\r\nFigure 7: The decrypted strings.\r\nThe code shown in Figure 8 is called several times to allocate heap memory for saving decrypted strings that are used later to perform network activity or to create files.\r\nFigure 8: The API call details.\r\nThis same code is reused to assemble user-agent strings, which are later used for making internet connections.\r\nFigure 9: The user-agents employed in this attack.\r\nThis is then used to create a DNS request for the blockchain DNS server.\r\nFigure 10: The concatenated URL.\r\nThe DNS request generated produces a C\u0026C IP of 217.8.117[.]48, which can be confirmed online at explorer.emercoin[.]com/nvs/dns.\r\nFigure 11: The domains found at emercoin.com.\r\nThe segment of a URL created during the first decryption loop (as shown above) is then used with the IP address to contact the C\u0026C. The URL created is 217.8.117[.]48/lk4238fh317/update.\r\nThe C\u0026C then replies with 217.8.117[.]48/j537djjlhg763/svchst.exe, which is the downloaded payload. The payload is downloaded to C:\\Users\\User-Name\\AppData\\Roaming\\svchst.exe.\r\nFigure 12: The program downloading an updated version of itself.\r\nThe downloaded sample (MD5: 86374F27C1A915D970BE3103D22512B9) is an updated version of the parent sample, which downloads itself to ensure that the latest version of the malicious program is running on the system.\r\nThis sample also performs a DNS query on k6239847[.]lib. The string is obfuscated by breaking it into two parts, k623 and 9847.lib, which are concatenated in memory.\r\nThis time, a command is run using cmd.exe /C ping 1.1.1.1 -n 1 -w, where -n is the number of echo requests to send and -w is the timeout in milliseconds to wait for each reply. 1.1.1.1 is a popular DNS service by Cloudflare.\r\nThe full command is cmd.exe /C ping 1.1.1.1 -n 1 -w -n 1 -w3000 \u003e Nul \u0026 Del /f /q \\\"%s.\r\nThe program then enumerates system information, including the user name, processor architecture, and more.\r\nFigure 13: The algorithm to initiate the /xmlrpc.php attack.\r\nFigure 14: The attack vectors found in the file.\r\nHere, the malicious program uses the wp.getUsersBlogs method of xmlrpc.php to execute a brute force attack: the attacker performs a reverse IP lookup for the IPs fetched from the C\u0026C and looks for all the available methods on the corresponding DNS names. Once found, it attempts to gain a login via cookie-based authentication by logging into WordPress using cURL, authenticating the server (which ran the cURL script) and providing the username/password to the login page of the desired WordPress site.\r\nHere is a redacted list of a few WordPress sites the attacker is trying to attack leveraging this malware payload:\r\nFigure 15: The list of WordPress sites targeted for a brute force attack.\r\nWe then went hunting for similar samples. We were able to unearth more samples connecting to the same domain (k6239847.lib) and IP address (217.8.117.48). The samples we found had similar activity but used a .space TLD domain as one of their C\u0026Cs.\r\nCloud Sandbox detection\r\nThe malware payload was successfully detected and blocked by the Zscaler Cloud Sandbox, as seen in Figure 16.\r\nFigure 16: The Zscaler Cloud Sandbox successfully detected the malware.\r\nAdvanced Threat Signature name:\r\nWin32.Backdoor.Wpbrutebot\r\nConclusion\r\nDue to its popularity, WordPress is a common target for cyberattacks. As such, WordPress admins need to be on alert for reports of newly found vulnerabilities and attacks. In addition, WordPress admins should keep the XML-RPC option disabled and refrain from using logins from third-party applications.\r\nZscaler continues to protect our customers from such attacks and detects these malicious programs in our Cloud Sandbox in real time.\r\nMITRE ATT\u0026CK TTP Mapping\r\nT1212 Credential Access\r\nT1110 Brute Force\r\nT1556 Modify Authentication Process\r\nT1497 Sandbox Evasion\r\nT1055 Process Injection\r\nT1003 OS Credential Dumping\r\nT1491 Defacement\r\nIOCs\r\nHashes:\r\nIPs:\r\n207.148.83[.]241\r\n5.132.191[.]104\r\n66.70.228[.]164\r\nSource: https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites"
	],
	"report_names": [
		"malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775439053,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4eda387ad5d65d1c928aef9d43ed720ec391daf2.pdf",
		"text": "https://archive.orkl.eu/4eda387ad5d65d1c928aef9d43ed720ec391daf2.txt",
		"img": "https://archive.orkl.eu/4eda387ad5d65d1c928aef9d43ed720ec391daf2.jpg"
	}
}