This file was recently discovered during one of the cleanup operations we performed and has been confirmed as malware. It first appeared in the raw access logs on 28 May 2026, with activity originating from the following IP address: 212.50.225.96.
The file is designed to:
- Hide its true functionality through multiple layers of obfuscation.
- Execute arbitrary PHP code at runtime.
- Potentially fetch and execute remote code.
- Avoid detection by security tools.
What to do if you find this file:
- Assume the website is compromised.
- Perform a full backup.
- Remove malicious files and perform a professional cleanup.
- Scan all WordPress files.
- Update core files, plugins, and themes.
- Check for hidden backdoors.
- Change all passwords: sFTP, WordPress admins, etc.
- Enable continuous monitoring and blacklist checks.
File Type: Malicious PHP (Webshell/Loader)
GitHub:
https://gist.github.com/magefix/9696e1f80228022098f72fe37e8fa25d

Other files: upl.php, hello.php.
212.50.225.96 - - [28/May/2026:08:28:01 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php HTTP/1.1" 200 186 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0" "Traffic IN:544 OUT:3748" "ReqTime:0 sec"
212.50.225.96 - - [28/May/2026:08:28:03 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php?ac=p&api=&path=&t=16e179d2de0a670bb96b5524a4c7a14e HTTP/1.1" 200 186 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0" "Traffic IN:614 OUT:767" "ReqTime:0 sec"
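
To check your own access logs for the request pattern in the entries above, the following added example (not part of the original analysis or the malware sample) flags direct requests to plugin PHP files that carry the ac/api/path/t parameter set, then lists every path the same client fetched successfully, which helps locate other dropped files. It assumes the standard combined log format; the function names, the sample lines and the upl.php location are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: client, timestamp, method, target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_PARAMS = {"ac", "api", "path", "t"}   # query keys seen in the entries above
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")    # shape of the t= value seen above
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/[^/]+/[^/]+\.php$")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "ts": ts, "path": url.path, "status": int(status),
            "query": parse_qs(url.query, keep_blank_values=True)}

def is_suspicious(rec):
    """Direct hit on a plugin PHP file carrying the ac/api/path/t parameter set."""
    q = rec["query"]
    return (PLUGIN_PHP.match(rec["path"]) is not None
            and SHELL_PARAMS.issubset(q) and TOKEN_RE.match(q["t"][0]) is not None)

def triage(lines):
    """Return {ip: sorted paths answered with 200} for clients with a suspicious hit."""
    recs = [r for r in map(parse, lines) if r]
    bad_ips = {r["ip"] for r in recs if is_suspicious(r)}
    hits = {}
    for r in recs:
        if r["ip"] in bad_ips and r["status"] == 200:
            hits.setdefault(r["ip"], set()).add(r["path"])
    return {ip: sorted(p) for ip, p in hits.items()}

# Constructed sample: lines 1-2 are shortened from the entries above; the upl.php
# location and the 198.51.100.7 (documentation address) requests are invented.
SAMPLE = [
    '212.50.225.96 - - [28/May/2026:08:28:01 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php HTTP/1.1" 200 186 "-" "Mozilla/5.0"',
    '212.50.225.96 - - [28/May/2026:08:28:03 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php?ac=p&api=&path=&t=16e179d2de0a670bb96b5524a4c7a14e HTTP/1.1" 200 186 "-" "Mozilla/5.0"',
    '212.50.225.96 - - [28/May/2026:08:29:10 +0200] "GET /wp-content/plugins/renvoza_hello/upl.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/May/2026:08:30:00 +0200] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/May/2026:08:30:05 +0200] "GET /wp-content/plugins/akismet/akismet.php?t=1 HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in triage(SAMPLE).items():
        print(ip, paths)
```

Matching on the parameter set rather than on file names avoids false positives on legitimate files that share a name with a dropped one.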