Malware Using Variable Functions and Cookies For Obfuscation
Category:Threat Alerts / Malware & Ransomware
Wordfence details multiple PHP malware samples that abuse variable functions and cookie checks to obfuscate execution and bypass signature-based detection. By reconstructing function names at runtime (e.g., base64_decode → create_function) and gating execution on crafted cookies, the payload enables remote code execution and persistence on WordPress/PHP sites. The post outlines how short, dense, and heavily obfuscated snippets complicate static analysis and recommends behavior-oriented detections.
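The detection gap the summary describes is easy to see with a small heuristic scanner. The following Python example is added here and is not code from the Wordfence post or this summary; the three PHP snippets it scans are constructed for the example, with the execution body of the obfuscated one kept inert. It contrasts a pure `eval(base64_decode(...))` signature with behavioural cues: base64 literals that decode to a watched function name, PHP variable-function calls (`$name(...)`), and a `$_COOKIE` condition guarding the code path.

```python
"""Heuristic scanner for the obfuscation pattern described above:
function names rebuilt at runtime from base64 literals, invoked through
PHP variable functions ($name(...)), and gated on a $_COOKIE check.
Added example; all sample snippets below are constructed for it."""
import base64
import re

# Functions whose names, when rebuilt from an encoded literal, indicate
# that the author is hiding an execution or decoding primitive.
WATCHED_NAMES = {
    "create_function", "eval", "assert", "system", "shell_exec", "exec",
    "passthru", "base64_decode", "str_rot13", "gzinflate",
}

# Quoted literal that looks like base64 (8+ chars, optional padding).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")
# PHP variable-function invocation: $name(  (method calls use -> and do not match).
VAR_CALL = re.compile(r"\$[A-Za-z_]\w*\s*\(")
# Control-flow condition that reads $_COOKIE before the branch executes.
COOKIE_GATE = re.compile(r"\b(?:if|while)\s*\([^)]*\$_COOKIE\b")
# The literal signature that static scanners key on.
PLAIN_SIGNATURE = re.compile(r"\b(?:eval|assert)\s*\(\s*base64_decode\s*\(")

# Constructed sample 1: names rebuilt from literals, cookie-gated, body inert.
OBFUSCATED = """<?php
$k = 'YmFzZTY0X2RlY29kZQ==';
$d = base64_decode($k);            // rebuilds the name base64_decode
$c = $d('Y3JlYXRlX2Z1bmN0aW9u');   // rebuilds the name create_function
if (isset($_COOKIE['sid'])) {
    $fn = $c('', $stub);           // body kept inert in this constructed sample
}
"""
# Constructed sample 2: the spelled-out form a signature rule catches.
SIGNATURE = "<?php eval(base64_decode($payload));\n"
# Constructed sample 3: legitimate cookie use with no dynamic dispatch.
BENIGN = """<?php
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
if ($theme === 'dark') { echo '<body class="dark">'; }
"""


def signature_only(src: str) -> bool:
    """What a pure signature rule sees: eval(base64_decode(...)) spelled out."""
    return bool(PLAIN_SIGNATURE.search(src))


def reconstructed_names(src: str) -> list:
    """Decode every base64-looking literal; keep those naming a watched function."""
    found = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not a printable name
        if text in WATCHED_NAMES:
            found.append(text)
    return found


def classify(src: str):
    """Return (verdict, findings) combining the literal signature with behavioural cues."""
    findings = []
    names = reconstructed_names(src)
    var_call = bool(VAR_CALL.search(src))
    gated = bool(COOKIE_GATE.search(src))
    literal = signature_only(src)
    if literal:
        findings.append("literal eval(base64_decode(...))")
    if names:
        findings.append("base64 literal decodes to: " + ", ".join(names))
    if names and var_call:
        findings.append("variable function call using a reconstructed name")
    if gated and (names or literal):
        findings.append("execution path gated on $_COOKIE")
    if literal or (names and var_call):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED), ("signature", SIGNATURE), ("benign", BENIGN)):
        print(label, "signature_only:", signature_only(src), "classify:", classify(src))
```

Running it shows the point of the summary: `signature_only` is False for the obfuscated sample because `eval`/`create_function` never appear as text, while `classify` still reaches "malicious" from the decoded literals, the `$d(...)` variable call and the cookie gate, and the benign cookie-reading snippet stays clean because cookie use on its own is not a finding.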
CORTEX Protocol Intelligence Assessment
Business Impact: Compromised CMS sites risk SEO poisoning, credential theft, and malicious redirects impacting brand trust and revenue.
Technical Context: Obfuscation chains and cookie gates frustrate static scanners; defenders need behavioral rules and server-side integrity monitoring.
Strategic Intelligence Guidance
- Harden PHP environments with disable_functions and strict file permissions.
- Deploy WAF/EDR detections for eval/base64 patterns and cookie-gated code paths.
- Continuously diff server-side code and scan uploads with YARA/heuristics.
- Rotate credentials and audit admin plugins/themes for tampering.
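An added configuration example for the first guidance item (not from the Wordfence post or this summary). The function list is a common starting set, not a prescription for any particular site; note that `disable_functions` only covers internal functions, so `eval` remains available and has to be caught by the behavioural detections in the other items.

```ini
; php.ini -- added example, not from the original page
; Weak: nothing disabled, so any PHP file written to the site can spawn processes.
; disable_functions =

; Hardened: block the process-spawning primitives that decoded payloads typically reach for.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; On PHP 7.x installs, create_function can be appended to this list; it was removed in PHP 8.0.
; eval() is a language construct, not a function, and cannot be listed here.
```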
Intelligence Source: Malware Using Variable Functions and Cookies For Obfuscation | Oct 21, 2025