This week, we noticed a wave of attacks targeting WordPress sites with the AVADA theme installed. Attackers gain admin access, install malicious code, and add administrator users and bogus plugins (e.g. /plugins/renvoza_hello/zx.php). As a result, website visitors are redirected to malicious .icu domains.
It is important to mention that we detected contamination in multiple places: WordPress core files, the plugins folder, the root directory, injected database entries, and hidden administrator users.
How to fix & analysis
- Perform a full backup and limit public access to prevent reputation damage and blacklist inclusion.
- Review core WordPress folders, plugins, and themes for modifications or injected files.
- Check the accounts with administrator privileges and look for inconsistencies (the number of administrators reported vs. the accounts that actually exist).
- Inspect the wp_options table for any injected scripts or malicious entries.
- Reset all critical credentials, including admin, FTP, and database passwords.
- Clear all caches (server, plugin, CDN) and verify Google Search Console status.
- Run a fresh security scan using SiteCheck, Google Safe Browsing, and VirusTotal.
Key findings so far
IPs involved in the attack: 182.8.250.4, 212.50.225.96, 142.54.189.122, 198.181.32.237.
Domains: blackkkkdate.icu, followfromapps.icu, ldl1.com, nra5toveli.cfd, robin-lodge-night.pages.dev, lisabermagic.study.
Key IOC: grossopet.icu
URLs:
Malicious users: wp_l3iekz ([email protected]); tagsconnect (hidden); wp_ewvs6q ([email protected]).
Possible contamination date: 2026-05-21
182.8.250.4 - - [21/May/2026:18:48:26 +0200] "GET /wp-admin/wp_503sfbso.php HTTP/1.1" 200 121 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "Traffic IN:1057 OUT:3748" "ReqTime:0 sec"
182.8.250.4 - - [21/May/2026:18:52:54 +0200] "GET /wp-admin/plugins.php?action=activate&plugin=renvoza_hello%2Fhello.php&_wpnonce=ad7eebe21d HTTP/2.0" 302 - "/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" "Traffic IN:1100 OUT:320" "ReqTime:0 sec"
198.181.32.237 - - [28/May/2026:09:13:26 +0200] "GET /admin.php?ac=p&api=&path=&t=16e179d2de0a670bb96b5524a4c7a14e&s=3 HTTP/1.1" 200 28 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0" "Traffic IN:588 OUT:435" "ReqTime:0 sec"
212.50.225.96 - - [28/May/2026:08:28:01 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php HTTP/1.1" 200 186 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0" "Traffic IN:544 OUT:3748" "ReqTime:0 sec"
142.54.189.122 - - [28/May/2026:08:44:40 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php HTTP/2.0" 200 110 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36" "Traffic IN:515 OUT:304" "ReqTime:0 sec"
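To support the log review behind the fix list above and the access-log findings just shown, here is an added example (our own illustration, not code from the original report or from WordPress): a small Python triage script that parses combined access-log lines and flags the request paths and source addresses reported in this incident. The wp_<random>.php dropper pattern is a heuristic assumption, and the sample log lines are constructed with shortened user agents.

```python
import re
from collections import Counter

# Combined-log prefix (client IP, timestamp, request line, status). Hosts append extra
# fields such as "Traffic IN/OUT" and "ReqTime"; those are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path indicators from this incident. The wp_<random>.php dropper pattern is a
# heuristic (assumption): WordPress core does not ship underscore-named files in /wp-admin.
INDICATORS = {
    "dropper_in_wp_admin": re.compile(r"^/wp-admin/wp_[a-z0-9]+\.php"),
    "renvoza_hello_plugin": re.compile(r"^/wp-content/plugins/renvoza_hello/"),
    "renvoza_hello_activation": re.compile(r"^/wp-admin/plugins\.php\?action=activate&plugin=renvoza_hello"),
    "admin_php_ac_query": re.compile(r"^/admin\.php\?ac="),
}

# Source addresses reported in the key findings.
KNOWN_IPS = {"182.8.250.4", "212.50.225.96", "142.54.189.122", "198.181.32.237"}

def classify(line):
    """Return (ip, timestamp, [indicator names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(m["path"])]
    if m["ip"] in KNOWN_IPS:
        hits.append("known_attacker_ip")
    return m["ip"], m["ts"], hits

def triage(lines):
    """Group flagged requests by source IP: {ip: Counter(indicator -> count)}."""
    by_ip = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            by_ip.setdefault(parsed[0], Counter()).update(parsed[2])
    return by_ip

# Constructed sample lines modelled on the access-log entries in the findings (user agents
# shortened); the last line is a benign request and should produce no hits.
SAMPLE_LOG = [
    '182.8.250.4 - - [21/May/2026:18:48:26 +0200] "GET /wp-admin/wp_503sfbso.php HTTP/1.1" 200 121 "-" "Mozilla/5.0"',
    '182.8.250.4 - - [21/May/2026:18:52:54 +0200] "GET /wp-admin/plugins.php?action=activate&plugin=renvoza_hello%2Fhello.php&_wpnonce=ad7eebe21d HTTP/2.0" 302 - "/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0"',
    '198.181.32.237 - - [28/May/2026:09:13:26 +0200] "GET /admin.php?ac=p&api=&path=&t=16e179d2de0a670bb96b5524a4c7a14e&s=3 HTTP/1.1" 200 28 "-" "Mozilla/5.0"',
    '212.50.225.96 - - [28/May/2026:08:28:01 +0200] "GET /wp-content/plugins/renvoza_hello/zx.php HTTP/1.1" 200 186 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2026:08:30:00 +0200] "GET /wp-content/themes/Avada/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run `triage(SAMPLE_LOG)` over a real access log (one line per list item) to get, per source IP, which of the indicators above it touched and how often; a hit on the plugin activation URL is the point at which the bogus plugin went live.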
Conclusion: This type of malware appears to be part of a wider WordPress campaign targeting multiple sites using .icu TLDs. If you need your website reviewed, we can perform a complimentary site check.