Comment by dwd
8 hours ago
I had Gemini help me pull apart some encrypted malware packages I removed from a WordPress site recently and identify who they were linked to, and what they were doing.
It was quite instructive on how all the various pieces of code protected each other for persistence, including removing competing malware. From analysing the code, it alerted me to the hidden backup in the database that is triggered by the WordPress cron and would reinfect the site should any of the PHP code be removed.
There is apparently a dark web marketplace for access to persistently compromised websites. Generally they end up getting used to email out or display a phishing attack. In the case I fixed, they had sold access to someone to inject a fake Cloudflare security popup with instructions to run some code in Windows PowerShell.
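One way to hunt for the database-resident persistence described in the comment above (a WP-Cron hook that restores a PHP payload kept in wp_options), as an added example that is not part of the original comment and not taken from any tool it mentions: a Python triage script that unserializes the cron option, lists scheduled hooks that WordPress core does not register itself, and looks for base64 blobs in other options that decode to PHP-looking code. The hook name wp_sys_restore, the option name _transient_wp_sys_backup and every row value are constructed for illustration; the core-hook allowlist is partial, and legitimate plugins also schedule their own hooks, so the output is a list to review by hand, not a verdict.

```python
import base64
import re

# --- Minimal PHP unserialize() covering the types found in wp_options.
# The s: length is a byte count; the constructed sample below is ASCII, so
# character and byte lengths coincide (decode real rows as latin-1 if needed).
def php_unserialize(data: str):
    value, _ = _parse(data, 0)
    return value


def _parse(s: str, i: int):
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ibd":                                 # i:42;  b:1;  d:1.5;
        end = s.index(";", i)
        raw = s[i + 2:end]
        if t == "i":
            return int(raw), end + 1
        if t == "b":
            return raw == "1", end + 1
        return float(raw), end + 1
    if t == "s":                                   # s:5:"hello";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key;value;...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        i = colon + 2                              # skip :{
        out = {}
        for _ in range(count):
            key, i = _parse(s, i)
            val, i = _parse(s, i)
            out[key] = val
        return out, i + 1                          # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")


# --- Hooks WordPress core schedules on its own (partial allowlist; plugins add more).
CORE_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "recovery_mode_clean_expired_keys",
    "wp_privacy_delete_old_export_files", "wp_site_health_scheduled_check",
    "wp_update_user_counts", "wp_delete_temp_updater_backups",
}


def scheduled_hooks(cron_value: str) -> dict:
    """Map hook name -> list of schedules from the serialized 'cron' option."""
    cron = php_unserialize(cron_value)
    hooks = {}
    for ts, entry in cron.items():
        if ts == "version" or not isinstance(entry, dict):
            continue
        for hook, instances in entry.items():
            for _sig, details in instances.items():
                hooks.setdefault(hook, []).append(details.get("schedule"))
    return hooks


def unknown_cron_hooks(cron_value: str, allowlist=CORE_CRON_HOOKS) -> list:
    """Scheduled hooks not in the allowlist: candidates for a reinfection trigger."""
    return sorted(h for h in scheduled_hooks(cron_value) if h not in allowlist)


B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"file_put_contents", b"gzinflate(")


def hidden_php_payloads(options) -> list:
    """Names of options holding a base64 blob that decodes to PHP-looking code."""
    hits = []
    for name, value in options:
        for blob in B64_RE.findall(value):
            try:
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
            except Exception:
                continue
            if any(marker in decoded for marker in PHP_MARKERS):
                hits.append(name)
                break
    return hits


def triage(options) -> dict:
    """Run both checks over (option_name, option_value) rows."""
    by_name = dict(options)
    return {
        "unknown_cron_hooks": unknown_cron_hooks(by_name.get("cron", "a:0:{}")),
        "payload_options": hidden_php_payloads(options),
    }


# --- Constructed sample rows, not data from the comment: one core hook plus a
# hypothetical hourly hook "wp_sys_restore", and a base64 PHP stub in a
# transient-looking option that such a hook would write back to disk.
SAMPLE_CRON = (
    'a:2:{i:1700000000;a:2:{s:17:"wp_update_plugins";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    'a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}'
    's:14:"wp_sys_restore";a:1:{s:32:"b1946ac92492d2347c6235b4d2611184";'
    'a:3:{s:8:"schedule";s:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}s:7:"version";i:2;}'
)
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("cron", SAMPLE_CRON),
    ("_transient_wp_sys_backup",
     base64.b64encode(b"<?php eval(base64_decode('...')); ?>").decode()),
]

if __name__ == "__main__":
    report = triage(SAMPLE_OPTIONS)
    for hook in report["unknown_cron_hooks"]:
        print("review cron hook:", hook, scheduled_hooks(SAMPLE_CRON)[hook])
    for name in report["payload_options"]:
        print("option holds PHP-looking payload:", name)
```

To use it on a real site, replace SAMPLE_OPTIONS with the rows from `SELECT option_name, option_value FROM wp_options` (the table prefix may differ from `wp_`). Because the cron hook restores the file from the database row, the option, the scheduled event and the PHP on disk have to be removed in the same pass, otherwise the next cron run reinfects the site.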