DEV Community

MD Pabel

Originally published at mdpabel.com

WordPress Suspicious MU-Plugin Malware: menu-queue-bit.php and “Compact Extension Vox”

Quick Answer

If you found menu-queue-bit.php or a fake plugin name like “Compact Extension Vox” inside wp-content/mu-plugins, treat it as malicious unless you can positively verify it came from a trusted developer. MU-plugins load automatically, so this is a high-risk persistence location. Removing only the visible file may not be enough if the rest of the site was also modified.

What This Threat Pattern Is

This is a WordPress backdoor pattern that abuses the must-use plugins directory for persistence. Every top-level .php file in wp-content/mu-plugins is loaded by WordPress on every request, before regular plugins, with no activation step, and it cannot be deactivated from the dashboard (the Plugins screen only lists it under a Must-Use filter). That makes the directory attractive to attackers who want their code to keep running even if every regular plugin is disabled. In this sample, the fake plugin header, suspicious filename, and heavy obfuscation together indicate that the file is not a legitimate helper plugin but a concealed malware component.

What Visitors May See

  • No obvious front-end symptom at first, because MU-plugin backdoors often work quietly in the background.
  • Spam redirects, injected pages, or unauthorized admin activity if the hidden payload is used to deliver secondary malware.
  • Security warnings, hosting alerts, or recurring reinfection after a partial cleanup.
  • Site owners may notice strange plugin-like file names in hosting file manager even though they never installed such a plugin.

Screenshot-Based Symptoms

The uploaded screenshots do not show a fake CAPTCHA or visible redirect page on the frontend. Instead, they show the underlying infection in the hosting file manager and code editor. One screenshot shows menu-queue-bit.php sitting inside public_html/wp-content/mu-plugins next to normal host-provided helper files. The other shows the file claiming to be a plugin named “Compact Extension Vox” and then running straight into a very long block of obfuscated hex-escaped strings. For site owners, this usually matches the symptom “I found a weird file in wp-content/mu-plugins” or “there is a plugin name I never installed.”

Screenshot Findings

  • Hosting file manager open to public_html > wp-content > mu-plugins showing menu-queue-bit.php alongside hostinger-auto-updates.php and hostinger-preview-domain.php. — This screenshot shows the malicious file placed in the WordPress must-use plugins directory, a persistence location that auto-loads code on every request.
  • Code editor displaying menu-queue-bit.php with Plugin Name: Compact Extension Vox followed by a very long block of obfuscated hex-escaped strings. — The screenshot shows a fake plugin header and immediately afterward a large obfuscated payload, which is consistent with a disguised malware loader or backdoor rather than a legitimate plugin.

Why This Usually Means the Site Is Compromised

This WordPress infection pattern centers on a suspicious PHP file placed in wp-content/mu-plugins, where WordPress auto-loads code on every request. In the representative sample here, the file is named menu-queue-bit.php and presents itself as a plugin called “Compact Extension Vox,” but the code immediately switches into a large obfuscated payload instead of normal plugin logic. That combination is strong evidence of a persistent backdoor or malware loader.

Likely Root Cause

The exact entry point is not proven by this sample alone. The initial compromise could have come from a vulnerable plugin, stolen admin or hosting credentials, a compromised theme, or another pre-existing backdoor. What is clear from the evidence is that the attacker placed a malicious PHP file in an auto-loaded WordPress location to maintain execution.

Why It Keeps Coming Back

This kind of infection often returns because the visible MU-plugin file is only one part of a larger compromise. Attackers commonly leave secondary loaders in plugins, themes, uploads, wp-config.php, or database options. If one hidden component remains, it can recreate the deleted MU-plugin file. The persistence advantage here is especially important: code in wp-content/mu-plugins runs automatically, so it can restore other malware, reinfect cleaned files, or wait silently for commands.

Files and Directories to Check

  • wp-content/mu-plugins/menu-queue-bit.php
  • wp-content/mu-plugins/
  • wp-content/plugins/
  • wp-content/themes/active-theme/functions.php
  • wp-content/uploads/ for unexpected .php files
  • wp-config.php
  • .htaccess
  • Database autoloaded options and suspicious admin users

Removal Targets Inferred From The Samples

  • file: wp-content/mu-plugins/menu-queue-bit.php — Observed malicious obfuscated must-use plugin sample with fake plugin header and persistence behavior.
  • directory: wp-content/mu-plugins — Inspect the entire must-use plugins directory for unauthorized additions or modified loaders; representative samples often indicate broader compromise in the same persistence location.

Technical Analysis

The strongest evidence in this case is structural. The file menu-queue-bit.php begins with a WordPress-style plugin header declaring “Plugin Name: Compact Extension Vox,” then immediately defines a very large global array filled with hex-escaped strings. That is not how a normal lightweight helper plugin is written. Obfuscated string tables like this are commonly used to hide function names, payload logic, decoding routines, and remote communication details from casual review and signature-based scanning. One detail matters when you grep for the usual markers: PHP decodes \xNN escapes inside double-quoted strings at compile time, so a file built this way needs no eval(), base64_decode() or gzinflate() call to turn the table back into readable text, and a scan that keys only on those function names will miss it. The string table itself is the indicator.

The file also contains the standard ABSPATH check. That is ordinary plugin boilerplate; here it makes the header look legitimate and stops the file from being invoked directly over HTTP, but it says nothing about whether the code is benign. Its placement in wp-content/mu-plugins is more significant: WordPress automatically loads every top-level .php file in that directory on every request, with no activation step and no deactivate option in the dashboard, which makes it an effective persistence point for a backdoor or loader. The sample is also large for a supposedly simple plugin stub, which supports the conclusion that substantial hidden logic is embedded.

Based on the representative code and screenshots, this file should be treated as malicious even though the full decoded behavior is not exposed in the short preview. The evidence supports a firm statement about persistence; it does not support a claim about a specific live payload outcome, such as redirects or admin-user creation, unless that is separately confirmed on the infected site.
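To make the structural check above concrete, here is a triage script for a mu-plugins directory. It is an added example written for this page, not the author's tooling and not code from the infected site: it lists the top-level .php files (the only ones WordPress auto-loads), extracts each file's claimed Plugin Name, and counts \xNN hex escapes, flagging files above a threshold. The HEX_THRESHOLD default of 50, the fixture plugin names, and the --demo fixture itself are assumptions; the fixture mimics the shape of the sample but contains no payload. It needs only POSIX sh, find, grep, sed and wc.

```shell
#!/bin/sh
# Triage the files WordPress actually auto-loads: the top-level .php files in
# wp-content/mu-plugins (subdirectories are ignored by WordPress). For each file
# print the claimed Plugin Name, its size in bytes, and how many "\xNN" hex
# escapes it contains. Dozens of hex escapes in a file that claims to be a small
# helper plugin is the structural signal discussed above.
# Added example for this page; HEX_THRESHOLD is an assumed cut-off.

HEX_THRESHOLD=${HEX_THRESHOLD:-50}

# First "Plugin Name:" header value in the file, or empty if there is none.
plugin_name() {
    sed -n 's/.*Plugin Name:[[:space:]]*//p' "$1" | head -n 1
}

# Number of \xNN escape sequences. PHP decodes these at compile time inside
# double-quoted strings, so no eval()/base64_decode() is needed to hide text.
hex_escape_count() {
    grep -o '\\x[0-9A-Fa-f][0-9A-Fa-f]' "$1" | wc -l | tr -d ' '
}

# One tab-separated line per file: verdict, hex count, bytes, plugin name, path.
triage_mu_plugins() {
    find "$1" -maxdepth 1 -type f -name '*.php' | sort | while IFS= read -r f; do
        n=$(hex_escape_count "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        name=$(plugin_name "$f")
        [ -n "$name" ] || name='(no header)'
        verdict=OK
        [ "$n" -lt "$HEX_THRESHOLD" ] || verdict=SUSPECT
        printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$n" "$size" "$name" "$f"
    done
}

# Constructed fixture (not real malware): two benign host helper stubs with
# assumed names, and one file mimicking the sample's shape with a 200-entry
# hex-escaped string table.
make_fixture() {
    mu=$(mktemp -d)/wp-content/mu-plugins
    mkdir -p "$mu"
    printf '<?php\n/**\n * Plugin Name: Host Auto Updates\n */\nadd_filter("auto_update_core", "__return_true");\n' \
        > "$mu/hostinger-auto-updates.php"
    printf '<?php\n/**\n * Plugin Name: Host Preview Domain\n */\nif(!defined("ABSPATH")){exit;}\n' \
        > "$mu/hostinger-preview-domain.php"
    {
        printf '<?php\n/**\n * Plugin Name: Compact Extension Vox\n */\n'
        printf 'if(!defined("ABSPATH")){exit;}\n$GLOBALS["_ofdyhs"]=array("'
        i=0
        while [ "$i" -lt 200 ]; do printf '\\x%02x' "$i"; i=$((i + 1)); done
        printf '");\n'
    } > "$mu/menu-queue-bit.php"
    printf '%s\n' "$mu"
}

if [ -d "${1:-}" ]; then
    triage_mu_plugins "$1"            # e.g. sh triage.sh /var/www/html/wp-content/mu-plugins
elif [ "${1:-}" = "--demo" ]; then
    triage_mu_plugins "$(make_fixture)"
fi
```

Run it against the real directory and read the SUSPECT lines first; a low hex count does not clear a file (a loader can equally use base64 or string concatenation), but a high count in a file with a plausible-sounding header is exactly the shape of this sample.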

Attack Chain

  1. Initial compromise occurs through an unknown entry point such as vulnerable software or stolen credentials.
  2. Attacker places a disguised PHP file in wp-content/mu-plugins.
  3. WordPress auto-loads the file on every request because it is in the must-use plugin directory.
  4. Obfuscated code hides the real logic and makes manual review harder.
  5. The loader or backdoor can then execute hidden actions directly or pull in secondary malicious behavior from elsewhere on the site.

Evidence Notes

  • Representative malicious sample filename: menu-queue-bit.php.
  • Representative fake plugin name from the file header: Compact Extension Vox.
  • Observed path in screenshot: wp-content/mu-plugins/menu-queue-bit.php.
  • The file is heavily obfuscated with a large global array of hex-escaped strings.
  • Representative sample SHA-256: 632676c2031b7446fc5d985e8cd183aa835d627212a300d696461fe396b7ca16.
  • The screenshots show the file in the MU-plugins directory alongside normal hosting helper files, making the suspicious file stand out.
  • The evidence supports high confidence in malicious persistence through the MU-plugin autoload path, but not a proven initial intrusion vector from this sample alone.

Representative Malware Samples

FILE: menu-queue-bit.php

Why it matters: The file pretends to be a normal plugin but immediately switches to a large obfuscated global string table, which is typical of concealed malware loaders.

<?php
/**
 * Plugin Name: Compact Extension Vox
 */
if(!defined('ABSPATH')){exit;}
$GLOBALS['_ofdyhs']=array("[large hex-escaped obfuscated string table omitted]");


Indicators of Compromise (Public-Safe)

  • 632676c2031b7446fc5d985e8cd183aa835d627212a300d696461fe396b7ca16 (SHA-256 of the representative sample; a re-obfuscated build of the same loader will hash differently, so the path and header name below are the more durable indicators)
  • menu-queue-bit[.]php
  • Compact Extension Vox
  • wp-content/mu-plugins/menu-queue-bit[.]php

Removal Strategy

Remove the confirmed malicious MU-plugin file, but do not stop there. Because this sample is described as representative of a larger real-world cleanup, assume there may be additional persistence elsewhere until a full file and database review is completed.

Manual Removal Protocol

  1. Take the site offline or place it in maintenance mode if the infection is active and you need to prevent further abuse.
  2. Create a full backup of files and database for forensic reference before making changes.
  3. Delete or quarantine wp-content/mu-plugins/menu-queue-bit.php after confirming it is not part of any legitimate deployment.
  4. Inspect the entire wp-content/mu-plugins directory for any other unauthorized PHP files or recently modified loaders.
  5. Compare core WordPress files, plugins, and themes against known-good copies (WP-CLI's wp core verify-checksums and wp plugin verify-checksums --all do this for anything published on wordpress.org) and replace altered files with clean originals from trusted sources.
  6. Check the active theme, especially functions.php and other commonly abused theme files, for obfuscated code, hidden includes, or suspicious remote fetch logic.
  7. Search wp-content/uploads for PHP files or other executable files that do not belong there.
  8. Review wp-config.php and .htaccess for injected code, hidden includes, conditional redirects, or attacker-added access rules.
  9. Audit WordPress users and remove any unauthorized administrator accounts.
  10. Review scheduled tasks (WP-Cron entries stored in the cron option and any server crontabs), database options, and wp_options rows with autoload set to yes for malware-related persistence.
  11. Rotate all WordPress, hosting, database, SFTP, and control panel passwords after cleanup.
  12. Reinstall or restore from a known-clean backup only if you are confident the backup predates the compromise and does not contain the same persistence.
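Steps 2 through 8 of the protocol above, as an added shell example written for this page (not the author's own cleanup scripts): it lists PHP-executable files under uploads, recently modified files under wp-content, and suspicious markers in wp-config.php and .htaccess, and it quarantines a confirmed file by hashing and moving it rather than deleting it, so the sample survives for later analysis. The default WordPress layout under the given root, the marker patterns, and the quarantine directory name are assumptions; --demo exercises it on a constructed fixture, or pass a WordPress root path. It needs coreutils (sha256sum), find, grep and sed.

```shell
#!/bin/sh
# Sweep the persistence locations from the protocol and quarantine a confirmed
# file without destroying evidence. Added example for this page, not the
# author's tooling; assumes a default WordPress layout under the given root and
# a quarantine directory of the caller's choosing. Needs coreutils (sha256sum).

# Steps 2-3: move (never delete) the file into quarantine, first recording
# sha256, size, original path and destination in a tab-separated manifest.
quarantine_file() {
    src=$1; qdir=$2
    mkdir -p "$qdir"
    hash=$(sha256sum "$src" | cut -d' ' -f1)
    size=$(wc -c < "$src" | tr -d ' ')
    dest="$qdir/$(printf '%s' "$src" | tr '/' '_').quarantined"   # original path baked into the name
    printf '%s\t%s\t%s\t%s\n' "$hash" "$size" "$src" "$dest" >> "$qdir/MANIFEST.tsv"
    mv "$src" "$dest" && chmod 0400 "$dest"   # read-only, no execute bit
    printf '%s\n' "$hash"
}

# Step 7: anything PHP-executable under uploads; a clean site has none.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# Steps 4-6: files under wp-content modified in the last N days (default 30);
# compare the list against your own deploy and update history.
find_recent() {
    find "$1/wp-content" -type f -mtime "-${2:-30}" 2>/dev/null | sort
}

# Step 8: markers in wp-config.php and .htaccess worth a manual read. A hit is
# a lead, not a verdict: legitimate code can use some of these functions.
scan_config() {
    wp=$1
    [ -f "$wp/wp-config.php" ] && grep -nE \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|include(_once)?.*https?://|\\x[0-9A-Fa-f]{2}' \
        "$wp/wp-config.php" | sed 's|^|wp-config.php:|'
    [ -f "$wp/.htaccess" ] && grep -nE \
        'RewriteCond.*HTTP_(USER_AGENT|REFERER)|RewriteRule.*https?://|auto_prepend_file|AddHandler|AddType.*php' \
        "$wp/.htaccess" | sed 's|^|.htaccess:|'
    return 0
}

# Constructed fixture (not real malware): a stub mu-plugin, a stray PHP file in
# uploads, an injected wp-config.php line and a user-agent-conditional redirect.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/mu-plugins" "$root/wp-content/uploads/2024/05"
    printf '<?php\n/**\n * Plugin Name: Compact Extension Vox\n */\n$GLOBALS["_ofdyhs"]=array("\\x68\\x69");\n' \
        > "$root/wp-content/mu-plugins/menu-queue-bit.php"
    printf '<?php echo 1;\n' > "$root/wp-content/uploads/2024/05/img.php"
    printf 'not really a jpeg\n' > "$root/wp-content/uploads/2024/05/photo.jpg"
    printf '<?php\ndefine("DB_NAME", "wp");\neval(base64_decode("aGk="));\n' > "$root/wp-config.php"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} Googlebot\nRewriteRule ^ https://redirect.invalid/ [R,L]\n' \
        > "$root/.htaccess"
    printf '%s\n' "$root"
}

if [ -d "${1:-}" ]; then
    site=$1                           # e.g. sh sweep.sh /var/www/html 14
elif [ "${1:-}" = "--demo" ]; then
    site=$(make_fixture)
fi
if [ -n "${site:-}" ]; then
    printf '== PHP in uploads ==\n'; find_php_in_uploads "$site"
    printf '== changed in the last %s days ==\n' "${2:-30}"; find_recent "$site" "${2:-30}"
    printf '== wp-config.php / .htaccess markers ==\n'; scan_config "$site"
fi
```

The quarantine manifest is what lets you answer "what exactly did we remove, and what was its hash" when the host or a scanner asks later; keep the quarantine directory outside the web root and include its hashes in any report. Call quarantine_file only on files you have confirmed, as the protocol says.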

Hardening Checklist

  • Keep WordPress core, plugins, and themes fully updated.
  • Remove unused plugins and themes rather than leaving them installed.
  • Restrict write access where practical and monitor sensitive paths like wp-content/mu-plugins, wp-config.php, and active theme files.
  • Use strong unique passwords and enable multi-factor authentication for admin and hosting access.
  • Disable PHP execution in uploads if your setup allows it.
  • Add file integrity monitoring so new MU-plugin files or unexpected changes are detected quickly.
  • Review administrator accounts regularly and remove stale access.
  • Use a web application firewall and server-side malware monitoring if available from your host or security stack.
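The file integrity monitoring item above, as an added example written for this page rather than anything from the original post: a sha256 baseline of the auto-loaded paths and a check that reports changed, missing, and newly added files, which is the event that would have caught menu-queue-bit.php on its first appearance. The monitored set (top-level mu-plugins, wp-config.php, .htaccess), the manifest location and the --demo fixture are assumptions; the baseline must be taken from a state you have already verified clean and stored where the web server cannot write to it. Needs coreutils (sha256sum, comm, cut).

```shell
#!/bin/sh
# Hash-baseline the paths an attacker uses for persistence so that a new or
# altered mu-plugin is caught on the next check rather than after reinfection.
# Added example for this page, not the author's tooling. Assumptions: the set
# of monitored paths and the manifest location are the caller's choice, and
# the baseline is written from a state already verified clean.

# What to watch: the top-level .php files WordPress auto-loads from
# wp-content/mu-plugins, plus wp-config.php and .htaccess. Sorted for comm.
monitored_files() {
    {
        find "$1/wp-content/mu-plugins" -maxdepth 1 -type f -name '*.php' 2>/dev/null
        [ -f "$1/wp-config.php" ] && printf '%s\n' "$1/wp-config.php"
        [ -f "$1/.htaccess" ] && printf '%s\n' "$1/.htaccess"
        :
    } | sort
}

# Write the baseline in sha256sum -c format ("<hash>  <path>"). Store it off
# the web root: a manifest the attacker can edit proves nothing.
baseline_write() {
    monitored_files "$1" | while IFS= read -r f; do sha256sum "$f"; done > "$2"
}

# Compare the live tree with the baseline. Prints one line per finding
# (CHANGED, MISSING or NEW, a tab, the path) and returns 1 if anything was found.
baseline_check() {
    wp=$1; manifest=$2; rc=0
    tmp=$(mktemp)
    # sha256sum -c reports "<path>: FAILED" for altered files and
    # "<path>: FAILED open or read" for deleted ones; --quiet drops the OK lines.
    if [ -s "$manifest" ] && ! sha256sum -c --quiet "$manifest" > "$tmp" 2>/dev/null; then
        while IFS= read -r line; do
            case $line in
                *': FAILED open or read') printf 'MISSING\t%s\n' "${line%: FAILED open or read}" ;;
                *': FAILED')              printf 'CHANGED\t%s\n' "${line%: FAILED}" ;;
            esac
        done < "$tmp"
        rc=1
    fi
    # New files: present now but absent from the baseline. The manifest path
    # starts after the 64-character hash and two spaces, i.e. at column 67.
    monitored_files "$wp" > "$tmp"
    cut -c67- "$manifest" | sort > "$tmp.old"
    new=$(comm -23 "$tmp" "$tmp.old")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | while IFS= read -r f; do printf 'NEW\t%s\n' "$f"; done
        rc=1
    fi
    rm -f "$tmp" "$tmp.old"
    return "$rc"
}

# Constructed fixture: a clean site state to baseline. The --demo run (and the
# accompanying checks) then add a fake mu-plugin, edit wp-config.php and remove .htaccess.
make_fixture() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/mu-plugins"
    printf '<?php\n/**\n * Plugin Name: Host Auto Updates\n */\n' > "$site/wp-content/mu-plugins/hostinger-auto-updates.php"
    printf '<?php\ndefine("DB_NAME", "wp");\n' > "$site/wp-config.php"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    printf '%s\n' "$site"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_fixture); m=$(mktemp)
    baseline_write "$demo" "$m"
    printf '<?php\n/**\n * Plugin Name: Compact Extension Vox\n */\n' > "$demo/wp-content/mu-plugins/menu-queue-bit.php"
    printf '// injected\n' >> "$demo/wp-config.php"
    rm -f "$demo/.htaccess"
    baseline_check "$demo" "$m" || printf 'baseline check flagged changes (expected in the demo)\n'
elif [ -d "${1:-}" ] && [ -n "${2:-}" ]; then
    # usage: sh integrity.sh /var/www/html /root/wp-baseline.sha256 [write]
    if [ "${3:-}" = write ]; then baseline_write "$1" "$2"; else baseline_check "$1" "$2"; fi
fi
```

Run the check from cron or a monitoring agent and alert on a non-zero exit; re-run baseline_write only after you have reviewed and accepted each reported change, otherwise the next injected file becomes part of the baseline.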

FAQ

Is menu-queue-bit.php in wp-content/mu-plugins definitely malicious?

Based on the representative sample, it should be treated as malicious. The filename is suspicious, the claimed plugin name “Compact Extension Vox” appears fabricated, and the file content is dominated by obfuscation rather than readable plugin logic. Combined with placement in the MU-plugins autoload directory, that is strong evidence of a backdoor or loader.

What is an MU-plugin in WordPress?

MU-plugin means must-use plugin. WordPress automatically loads every .php file in the top level of wp-content/mu-plugins on every request, in alphabetical order and before regular plugins; files in subdirectories are not loaded unless a top-level file includes them. Legitimate site owners and hosts sometimes use this folder for custom site-specific code, but attackers also abuse it because their code keeps running without normal activation and cannot be deactivated from the dashboard.

Why is this more serious than a suspicious regular plugin?

A normal plugin appears in the Plugins screen and follows the standard activate, deactivate and delete workflow, so a cleanup that disables or removes plugins reaches it. A malicious MU-plugin shows up only under the Must-Use filter of that screen, has no deactivate or delete action, and keeps running even when every regular plugin is disabled, so it is easily overlooked during a basic cleanup. That makes it a strong persistence point.

Can I just delete menu-queue-bit.php and move on?

You should remove the file, but you should not assume that is the full cleanup. Representative samples like this often come from larger infections. If another hidden loader remains elsewhere, it may recreate the file or continue malicious activity through another path.

I found this file but my site looks normal. Is that possible?

Yes. Many backdoors do not show obvious front-end symptoms all the time. They may wait for specific requests, administrator visits, attacker commands, or secondary payloads. A quiet site is not proof that the file is harmless.

Could this be a legitimate developer file with an odd name?

In theory, any custom MU-plugin should be verified before deletion. In practice, a fake plugin header followed by a massive obfuscated string table is not normal for a legitimate helper plugin. If your developer cannot clearly explain and verify the file, treat it as compromised.

Where else should I look if this keeps coming back?

Check other MU-plugins, regular plugins, the active theme, wp-config.php, uploads for PHP files, .htaccess, unauthorized admin accounts, scheduled tasks, and suspicious database options. Reinfection usually means another persistence point still exists.

Proof statement: Based on representative malware samples and screenshots collected during real WordPress cleanup work by MD Pabel, this page documents a persistent WordPress backdoor pattern in which a fake plugin-style PHP file is placed in wp-content/mu-plugins and hidden behind heavy obfuscation.

Confidence: Root cause low, persistence high, screenshot read high, IOCs medium.
