New XM1RPC SEO Spam and Backdoor Campaign
We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution. We call it the XM1RPC campaign due to the common backdoor used across all of the compromised sites.
The backdoor file is named to confuse WordPress administrators who are familiar with XML-RPC. This malware usually infects all sites that share the same FTP account, so cleaning just one website won’t help: hackers use the compromised site to reinfect all sites on the server in a matter of minutes.
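Because reinfection spreads across every site under one FTP account, a sweep for the lookalike file has to cover the whole account at once. The following is an added example, not code from the original post: it assumes each site lives in its own top-level directory under the account root, that the lookalike is built from digit-for-letter swaps, and it uses `xm1rpc.php` only as a constructed sample name derived from the campaign name, not a confirmed indicator.

```python
import os
import tempfile

# Core WordPress file the lookalike name imitates (the XML-RPC endpoint).
CORE_NAMES = {"xmlrpc.php"}
# Digit-for-letter swaps to undo before comparing (assumed set; extend as needed).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def is_lookalike(filename):
    """True if the name is not a core file but folds to one once swaps are undone."""
    name = filename.lower()
    if name in CORE_NAMES:
        return False  # the genuine file is not a finding
    folded = name.translate(CONFUSABLES).replace("i", "l")  # also catches I-for-l
    return folded in CORE_NAMES


def scan_account(account_root):
    """Walk every site under one FTP account; return {site_dir: [relative paths]}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(account_root):
        for fname in files:
            if is_lookalike(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), account_root)
                site = rel.split(os.sep)[0]  # assumed: one top-level dir per site
                hits.setdefault(site, []).append(rel)
    return hits


def demo():
    """Constructed layout: three sites on one account, two carrying a lookalike."""
    layout = ["site-a/xmlrpc.php", "site-a/xm1rpc.php",
              "site-b/xmlrpc.php", "site-b/wp-includes/xm1rpc.php",
              "site-c/xmlrpc.php"]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_account(root)


if __name__ == "__main__":
    for site, paths in sorted(demo().items()):
        print(site, paths)
```

A filename match is a lead to review, not proof of compromise. Every site the scan flags should be cleaned in the same pass, since one remaining copy is enough to reinfect the others.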