Novel Malware Strategy Employs Dynamic Functions and Cookies for Script Concealment

Security researchers at Wordfence recently analyzed a recurring malware strain that leverages PHP’s variable function capability and browser cookies for sophisticated obfuscation, making detection particularly challenging.

The technique, while not new, continues to evolve across multiple variants and remains highly prevalent in attacks targeting WordPress environments.

During September 2025 alone, Wordfence reported over 30,000 detections of such malware samples, all of which are now blocked by their premium and free malware signatures.

Variable Functions: A Dynamic Risk

The analyzed malware relies heavily on PHP’s “variable function” feature, which allows the name of a function to be stored in a variable and executed dynamically.

In legitimate programming, this mechanism can simplify flexible function calls; however, attackers exploit it to execute arbitrary commands.

For instance, a minimal malicious script can assign “eval” to one variable and “base64_decode” to another, chaining these calls to decode and execute remote payloads.

This behavior, seemingly straightforward to detect, becomes substantially more concealed when function names are built dynamically or ordered irregularly.

A simple example, an “eval(base64_decode())” sequence, is easily flagged, but by switching variable assignments or encoding the function names, attackers can bypass traditional signatures.

Wordfence’s analysis highlights that these malware samples often replace user-input methods with cookies. In one case, the malware triggers execution only when the correct number of cookies, typically 11 or 22, is present, along with a specific marker, such as “array11.”

The script concatenates cookie values to reconstruct PHP function names such as “base64_decode” and “create_function,” then decodes Base64 payloads to create new executable functions on the fly.

Another sample checks whether particular cookies exist, even verifying numeric conditions (e.g., one cookie being divisible by 283) before decoding and unserializing another.

This design allows attackers to control execution solely via crafted browser requests without leaving clear command traces in logs or form submissions.

In the final analyzed variant, a compact ternary expression performs the same logic, executing a dynamically constructed function if specific cookies and counts align.

Detection and Defense

Wordfence’s Threat Intelligence team emphasizes that these scripts exhibit recognizable anomalies: dense, unindented code, variable function use, and cookie-based conditional checks uncommon in legitimate PHP development.

By focusing on behavioral markers such as concatenated function reconstruction and superglobal manipulation, their detection signatures can reliably identify such malware variants.
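The behavioral markers listed above can be turned into a simple triage scanner. The following is an added example, not Wordfence's signature logic or code from the post: it scores a PHP source string against variable function calls, count()-gated `$_COOKIE` access, names rebuilt by concatenating array fragments, a literal decode-and-execute pair, and dense unindented code, and flags variable functions only when cookies steer them. The three PHP samples are constructed stand-ins, not real infections.

```python
"""Heuristic triage for the cookie-driven variable-function pattern.

Added example, not Wordfence's signature logic: it scores a PHP source
string against the behavioural markers the article lists (variable
function calls, count()-gated $_COOKIE access, function names rebuilt by
concatenation, dense unindented code) and returns the markers that hit.
"""
import re

MARKERS = [
    ("cookie_superglobal", re.compile(r"\$_COOKIE\b")),
    # $x(...) or $x[...](...): a function name held in a variable
    ("variable_function_call", re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")),
    # count($x) == 11: execution gated on how many cookies were sent
    ("count_gate", re.compile(r"count\s*\(\s*\$\w+\s*\)\s*(?:==|===|!=|<=|>=|<|>)\s*\d+")),
    # $c[1].$c[2]: pieces of one array glued back into a string (a rebuilt name)
    ("same_var_concat", re.compile(r"(\$\w+)\s*\[[^\]]+\]\s*\.\s*\1\s*\[")),
    # literal decode-then-execute pair, the form plain signatures already catch
    ("decode_exec_pair", re.compile(r"\b(?:eval|create_function|assert)\s*\(.*?base64_decode", re.S)),
]


def dense_code(source: str) -> bool:
    """A long line with almost no whitespace: the unindented blob the article describes."""
    return any(len(l) >= 80 and l.count(" ") / len(l) < 0.05 for l in source.splitlines())


def scan_php(source: str) -> dict:
    """Return the markers found and a verdict for one PHP source string."""
    hits = [name for name, rx in MARKERS if rx.search(source)]
    if dense_code(source):
        hits.append("dense_code")
    # Variable functions alone are legitimate; flag them only when execution is
    # steered by cookie counts or by names reassembled from cookie fragments.
    cookie_driven = "cookie_superglobal" in hits and ("count_gate" in hits or "same_var_concat" in hits)
    suspicious = "decode_exec_pair" in hits or ("variable_function_call" in hits and cookie_driven)
    return {"markers": hits, "suspicious": suspicious}


# Constructed samples (not real infections): a cookie-gated stub with no payload,
# the classic literal pair, and a legitimate dispatcher that also uses $fn().
COOKIE_STUB = "<?php $c=$_COOKIE;if(count($c)==11&&isset($c['array11'])){$d=$c[1].$c[2];$f=$c[3].$c[4];$x=$f($d($c[5]));$x();}"
CLASSIC = "<?php eval(base64_decode($p));"
BENIGN = "<?php\n$handlers = ['json' => 'json_encode', 'ser' => 'serialize'];\n$fn = $handlers[$format] ?? 'serialize';\necho $fn($data);\n"

if __name__ == "__main__":
    for label, src in [("cookie_stub", COOKIE_STUB), ("classic", CLASSIC), ("benign", BENIGN)]:
        print(label, scan_php(src))
```

The cookie-gated stub is flagged without any literal `eval` or `base64_decode` in the file, which is the point of the article, while the legitimate dispatcher hits only the variable-function marker and is left alone.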

The company continues to encourage researchers and website owners to submit undetected samples to expand coverage.

Their layered defense, including Wordfence Premium, Wordfence Care, Response services, and CLI tools, collectively detects over 99% of known malicious variants leveraging these obfuscation techniques, fortifying WordPress ecosystems against these elusive threats.

The post Novel Malware Strategy Employs Dynamic Functions and Cookies for Script Concealment appeared first on Cyber Security News.
