Recently, a new JavaScript injection malware was discovered on a compromised WordPress website. This malicious script was found within core JavaScript and Theme files and is designed to stealthily redirect specific users—primarily Windows users on modern browsers—to a remote, attacker-controlled URL. This article provides a deep dive into what the script does, how it works, how to remove it, and how MoeSec’s services and plugins can help safeguard WordPress sites.
1. Malware Classification
- Type: Malicious JavaScript Injection (Redirect/Phishing)
- Category: Conditional Redirection / Information Exfiltration
- Target: WordPress websites (JavaScript files in Core WordPress, themes and plugins)
2. What Does the Script Do?
Decoded Overview
The script is obfuscated to evade detection. Its core functionality is to:
- Collect information about the website visitor (user agent, browser, OS)
- Target only Windows 10 users on recent versions of Edge, Chrome, or Firefox
- Contact a remote malicious API endpoint
- Redirect matching victims to an attacker-controlled URL, potentially for malware distribution
3. Step-by-Step Breakdown
Obfuscated Sample

Decoding the Payload
Decoded URL:
aHR0cHM6Ly9hbmFseXRpd2F2ZS5jb20vYXBpL2dldFVybA==
Decodes to: hxxps://analytitwave[.]com/api/getUrl
Targeted Browsers:
- Windows 10 users
- Chrome, Edge, or Firefox (recent versions)
How it works:
- Checks if the visitor is 'verified' (via localStorage)
- Parses URL parameters (to check for a 'verified' parameter)
- If not verified and the user is on Windows 10 with a modern browser:
  - Calls back to hxxps://analytitwave[.]com/api/getUrl for a redirect URL
  - Appends the current domain (base64 encoded) and possible favicon link as parameters
  - Redirects the user to the malicious URL, which in this case is analyticssnoden[.]com, recently registered in July 2025.
  - Other variants were found using metricaltic[.]com & analyticanoden[.]com, which is recently registered (Creation Date: 2025-08-11).
4. Malware Goals
Primary purposes:
- Targeted Redirection: Only certain users are redirected (to avoid detection by site admins, search engine and security vendor bots)
- Phishing or Malware Distribution: The external site can host malware, fake login forms, or attempt drive-by-downloads to infect and control user devices.
- Bypassing Detection: By using obfuscation, API calls, and conditional triggers, the attacker reduces the risk of being caught.
5. How to Remove the Malware
Step-by-Step Cleaning Process:
1. Backup Your Website
- Download a full backup before making any changes.
2. Scan for Infected Files
- Search for suspicious JavaScript in:
  - Theme files (especially header.php, footer.php, and functions.php)
  - Plugin files
  - Uploaded JS files
  - WordPress Core JS files
  - Database entries (sometimes malware is injected into options, posts, or widgets)
3. Remove Malicious Code
- Delete any injections matching the obfuscated code above.
- Remove all unfamiliar code snippets or files.
4. Update Everything
- Update WordPress core, all plugins, and themes.
- Remove unused plugins/themes.
5. Change Passwords
- Change all admin, FTP, cPanel or Hosting credentials and database passwords.
6. Scan Again
- Use a security plugin or online website security scanner to check for remaining threats.
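For the file scan in step 2, the traits described under "How it works" can be turned into a triage script. The following is an added example, not MoeSec's tooling or code from the original article: it flags theme, plugin and core files that carry an http(s) URL only as a Base64 string literal, and raises severity when the `localStorage`/`verified`/`userAgent`/`atob` traits appear alongside it. The sample URL, trait names, file suffixes and severity thresholds are assumptions, and database entries are not covered.

```python
import base64
import re
from pathlib import Path

# Quoted Base64 string literal, 16+ chars, as it would sit in JS or PHP source.
B64_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]""")
# Supporting signals from the behaviour described in the article. An
# obfuscator may hide these names, so they only raise severity.
TRAITS = {
    "atob": re.compile(r"\batob\s*\("),
    "localStorage": re.compile(r"\blocalStorage\b"),
    "verified-flag": re.compile(r"\bverified\b"),
    "userAgent": re.compile(r"\buserAgent\b"),
}
SCAN_SUFFIXES = {".js", ".php", ".html"}  # assumption: adjust per site
# Constructed sample (not the real payload): placeholder URL, same shape.
SAMPLE_B64 = base64.b64encode(b"https://redirector.example/api/getUrl").decode()
SAMPLE_JS = ("if(!localStorage.getItem('verified')&&/Windows NT 10/"
             ".test(navigator.userAgent)){fetch(atob('%s'))}" % SAMPLE_B64)

def hidden_urls(text):
    """Return http(s) URLs that exist in the text only as Base64 literals."""
    urls = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except ValueError:  # bad padding, non-Base64 or non-ASCII bytes
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls

def triage(text):
    """Classify one file body as 'clean', 'review' or 'high'."""
    urls = hidden_urls(text)
    traits = sorted(n for n, rx in TRAITS.items() if rx.search(text))
    level = "clean" if not urls else ("high" if len(traits) >= 2 else "review")
    return {"level": level, "urls": urls, "traits": traits}

def scan_tree(root):
    """Triage every script or template under root; return only the hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            result = triage(path.read_text(errors="replace"))
            if result["level"] != "clean":
                hits[str(path)] = result
    return hits
```

Run `scan_tree()` against a copy of the site's document root and compare every hit with a clean copy of the same WordPress, theme or plugin version before deleting anything.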
6. How MoeSec Website Security Platform Can Help
Key MoeSec Services:
Service | Description |
---|---|
Malware Removal | Professional malware cleaning with a guarantee, including database and file scan. |
Website Firewall (WAF) | Real-time blocking of malicious traffic, bots, and known exploits. |
Vulnerability Patching | Virtual patching for known vulnerabilities, even in outdated plugins/themes. |
Security Monitoring | 24/7 monitoring for file changes, suspicious behavior, and blacklist status. |
Incident Response | Certified experts available for emergency cleanups and forensic analysis. |
The platform includes many more features and options, including but not limited to: Full Malware & Blacklist Removal, Website Monitoring, Website Backups, Trust Seal and much more!
Why Choose MoeSec Platform?
- Certified Security Analysts: Real humans analyze and clean your site combined with auto cleaning options and on-demand scans & cleanups.
- Advanced Threat Detection: AI and manual review catch even the most obfuscated malware.
- Aftercare: Post-cleanup monitoring and super friendly & caring support. Your success is our success!
7. MoeSec Free WordPress Security Plugin
Features:
- File Integrity Scanning: Detects unauthorized changes to WordPress files.
- Malware Detection: Scans your files & database for known malware patterns.
- Admin Login Protection: Brute-force protection, 2FA and login alerts.
- Security Hardening: Applies best-practice settings to harden and secure your WordPress.
- Scheduled Scans: Automated daily or weekly scans.
How the Free Plugin Helps:
- Early Warning: Alerts you if files are tampered with or infected.
- Self-Serve Remediation: Allows you to quickly remove simple infections.
- Security Hardening: Reduces the attack surface for common attacks.
Important Note:
The free plugin offers essential, automated protection and detection, but does not replace professional malware cleanup or advanced monitoring. For critical sites, e-commerce, or repeated attacks, the MoeSec Website Security Platform is strongly recommended for its advanced detection, manual intervention, and expert support.
8. Summary Table: MoeSec Plugin vs. Platform
Feature | Free WP Plugin | MoeSec Platform (Premium) |
---|---|---|
File Scanning | Yes | Yes (Deeper + Smarter) |
Real-Time Protection | No | Yes (WAF) |
Malware Cleaning | No (You) | Yes (certified experts) |
Vulnerability Patching | No | Yes (virtual patching) |
Incident Response | No | Yes |
Support | Community | Dedicated certified security team |
Price | Free | Paid (Pro) |
9. Conclusion and Recommendations
- Remove the malware immediately following the steps above.
- Install the MoeSec Free Security Plugin for ongoing basic protection and alerts.
- For high-value or repeatedly attacked sites, enroll in the MoeSec Website Security Platform for comprehensive security, continuous monitoring, and professional remediation.
Security is not a one-time action, but an ongoing process. MoeSec stands ready to protect and clean your WordPress site, whether you need a free security plugin or expert intervention.
Stay secure. Stay online. Trust MoeSec.
If you need urgent assistance or suspect your site is hacked, contact MoeSec for immediate help.