Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites.
Subsequent investigation showed that more than 39,000 websites were infected with the same malware.
Sign1 also has a couple of methods to avoid being spotted.
For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes.
That way, the malware ensures the domains are always fresh and not added to any blocklists.
Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses.
Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult.
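A defender can still look for these traits together in page content. The sketch below is an added example, not code from the original article or from any Sign1 sample: it flags inline scripts that combine XOR decoding of character codes, a timestamp divided into time windows, and a script element created at runtime. The regexes, the `scan_html` function, the threshold of two signals and the sample markup are all assumptions made for illustration.

```python
import re

# Heuristic signals for the three evasion traits described above. The patterns
# are assumptions made for this example, not signatures from real samples.
SIGNALS = {
    # XOR applied to character codes, the usual shape of an inline XOR decoder
    "xor_decode": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*[\w$.\[\]]+\.charCodeAt\s*\("),
    # a timestamp divided by a constant, i.e. a value that rotates per time window
    "time_bucket": re.compile(r"(?:Date\.now\s*\(\s*\)|\.getTime\s*\(\s*\))\s*/\s*\d"),
    # a script element created at runtime rather than declared in the markup
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
}
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def scan_html(html, threshold=2):
    """Return (script_index, matched_signal_names) for each suspicious inline script."""
    findings = []
    for index, match in enumerate(INLINE_SCRIPT.finditer(html)):
        body = match.group(1)
        hits = sorted(name for name, rx in SIGNALS.items() if rx.search(body))
        if len(hits) >= threshold:
            findings.append((index, hits))
    return findings


# Constructed sample content: one ordinary script and one inert fragment that
# only carries the traits the scanner looks for (no real payload or domain).
SAMPLE = """
<p>Hello</p>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<script>
var qz7 = "PLACEHOLDER", k = 5, out = "";
for (var i = 0; i < qz7.length; i++) out += String.fromCharCode(qz7.charCodeAt(i) ^ k);
var t = Math.floor(Date.now() / 600000);
var s = document.createElement("script");
</script>
"""

if __name__ == "__main__":
    for index, hits in scan_html(SAMPLE):
        print(f"inline script #{index}: {', '.join(hits)}")
```

Because the variable names are random and the URLs rotate, the scanner keys on code structure rather than on names or domains; any hit is a lead for manual review, not a verdict.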
Every time the developers release a new version, infections spike.
The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites.