Multistage WordPress Redirect Kit

Multistage WordPress Redirect Kit

Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third party infected websites.

Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files using a very common wordpress function “get_option”. In this post we will review this infection and its characteristics.

Symptoms of Infection

Our client first noticed that when accessing their website through Google search results their browser was caught in a redirect chain that eventually landed them at a bogus scam site. The redirect first lands the victim at


And subsequently redirects to


Finally landing them here:


Shortly after reproducing this redirect, the domain was taken offline after being blacklisted by Google:

They have since moved on to new questionable domains to host their scam:


These are all typical spammy/scam sites that us security analysts are quite accustomed to seeing. This by itself is not out of the ordinary for WordPress infections, but what was atypical about this case was how it was injected into the website.

Unauthorised Third Party Content Loading in Source

The first questionable thing that we noticed that seemed to be triggering the redirect were some files named…


…loading through JavaScript tags from other infected websites:

Let’s investigate how this redirect code is being loaded in these pages!

Randomly Named Variables and Arguments Use get_op ..

Support the originator by clicking the read the rest link below.