Surge of JavaScript Malware on Sites with Vulnerable Versions of the LiteSpeed Cache Plugin

If you have recently found an administrator user named wpsupp-user on your website, your site has most likely been hit by this wave of infections.

Identifying Signs of Infection

The malware typically injects code into core WordPress files, often in this form:

Or into the database, when a vulnerable version of LiteSpeed Cache has been exploited:

Decoded version:

Cleanup Procedures

  • Review the installed plugins, apply any available updates, and delete the folders of any plugin you do not recognise.
  • Check for malicious users with administrator privileges, such as wpsupp-user and wp-configuser.
  • Search the database for suspicious strings such as "eval(atob(String.fromCharCode", in particular in the litespeed.admin_display.messages row of the options table.
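The cleanup checks above, as an added example that is not code from the WPScan post: a Python script that builds a constructed in-memory SQLite copy of the three WordPress tables involved (wp_users, wp_usermeta, wp_options), runs the two hunts (administrator accounts, and the LiteSpeed messages option containing the eval(atob( wrapper) with SQL that also works against MySQL, and then unwraps the String.fromCharCode / atob layers to show what the obfuscated script decodes to. The injected payload is a harmless constructed stand-in, not the real malware; the assumption that the option is stored as a PHP-serialized array is noted in the code.

```python
import base64
import re
import sqlite3

# Constructed stand-in for the injected payload. It is NOT the real malware: a harmless
# console.log wrapped in the same eval(atob(String.fromCharCode(...))) layering the post
# describes, so the decoder has something realistic to unwrap.
INNER_JS = 'console.log("constructed stand-in, not the real payload")'
_B64 = base64.b64encode(INNER_JS.encode()).decode()
INJECTED_HTML = (
    "<script>eval(atob(String.fromCharCode("
    + ",".join(str(ord(c)) for c in _B64)
    + ")))</script>"
)

# Logins the post names as planted by this campaign.
SUSPICIOUS_LOGINS = {"wpsupp-user", "wp-configuser"}

# The char-code argument list inside the eval(atob(...)) wrapper.
CHARCODE_RE = re.compile(r"eval\(atob\(String\.fromCharCode\(([\d,\s]+)\)\)\)")

def php_serialize_list(items):
    """Minimal PHP serialize() for a list of ASCII strings. Assumption: LiteSpeed stores
    the messages option as a serialized array, so the sample row mimics that shape."""
    body = "".join(f'i:{i};s:{len(s)}:"{s}";' for i, s in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"

def build_sample_db():
    """Constructed wp_users / wp_usermeta / wp_options: one legitimate admin, one planted
    admin, one editor, and the LiteSpeed messages option carrying the injected script."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [(1, "admin"), (2, "wpsupp-user"), (3, "editor")])
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", admin_caps), (2, "wp_capabilities", admin_caps),
         (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}')])
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)",
        [("blogname", "Example site"),
         ("litespeed.admin_display.messages",
          php_serialize_list(["Cache purged.", INJECTED_HTML]))])
    return conn

def find_admin_users(conn):
    """Every login holding the administrator role; the same SQL works against MySQL."""
    rows = conn.execute("""
        SELECT u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_login""").fetchall()
    return [r[0] for r in rows]

def find_suspicious_admins(conn):
    return [u for u in find_admin_users(conn) if u in SUSPICIOUS_LOGINS]

def find_injected_messages(conn):
    """LiteSpeed messages rows containing the eval(atob( wrapper (INSTR exists in MySQL too)."""
    rows = conn.execute("""
        SELECT option_value FROM wp_options
        WHERE option_name = 'litespeed.admin_display.messages'
          AND instr(option_value, 'eval(atob(') > 0""").fetchall()
    return [r[0] for r in rows]

def decode_wrappers(blob):
    """Unwrap each eval(atob(String.fromCharCode(...))): the char codes spell base64 text,
    atob() would decode it, and eval() would run the result. Returns the inner JavaScript."""
    decoded = []
    for m in CHARCODE_RE.finditer(blob):
        b64 = "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not valid base64, report it
            decoded.append("<undecodable base64>")
    return decoded

def scan(conn):
    hits = find_injected_messages(conn)
    return {
        "admins": find_admin_users(conn),
        "suspicious_admins": find_suspicious_admins(conn),
        "injected_rows": len(hits),
        "decoded": [js for h in hits for js in decode_wrappers(h)],
    }

if __name__ == "__main__":
    for key, value in scan(build_sample_db()).items():
        print(f"{key}: {value}")
```

On a real site, point the two queries at the live database (with the site's table prefix) and pass the matching option_value to decode_wrappers; an administrator login you did not create, or any decoded script at all in the messages option, is a confirmed infection.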

Identifying Malicious URLs and IPs

  • Malicious URLs seen in this campaign include (defanged) https[:]//dns[.]startservicefounds[.]com/service/f[.]php, https[:]//api[.]startservicefounds[.]com and https[:]//cache[.]cloudswiftcdn[.]com.
  • IP addresses associated with the malware include 45.150.67.235.
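Hunting for these indicators, as an added example that is not code from the WPScan post: a Python script that refangs the published domains, searches any text blob (a theme or plugin file, an options row, a rendered page) for them with host boundaries, and walks access-log lines in the Apache/Nginx "combined" format (an assumption about your server's log format) to count requests from the indicator IPs and flag requests whose request line or referer carries an indicator domain. The page and log lines it runs on are constructed samples, not data from the post; the scanner IPs from the WAF paragraph below are included in the IP set alongside the malware IP.

```python
import re
from collections import Counter

# Indicators from the post, kept defanged as published; refang() restores them for matching.
IOC_DOMAINS_DEFANGED = [
    "dns[.]startservicefounds[.]com",
    "api[.]startservicefounds[.]com",
    "cache[.]cloudswiftcdn[.]com",
]
# 45.150.67.235 is tied to the malware; the other two are the top scanners in the post's WAF data.
IOC_IPS = {"45.150.67.235", "94.102.51.144", "31.43.191.220"}

def refang(indicator):
    """Turn a defanged indicator back into the literal string to search for."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]
# Host boundaries, so api.startservicefounds.com does not also fire on xapi.startservicefounds.com.
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(d) for d in IOC_DOMAINS) + r")(?![\w-])",
    re.IGNORECASE,
)

# Apache/Nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def hunt_text(text):
    """Distinct indicator domains present in a blob (plugin file, wp_options value, page HTML)."""
    return sorted({m.group(1).lower() for m in DOMAIN_RE.finditer(text)})

def hunt_log(lines):
    """Requests per indicator IP, plus requests whose request line or referer names an indicator domain."""
    ip_hits = Counter()
    url_hits = []
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # count rather than crash: real logs contain odd lines
            continue
        if m["ip"] in IOC_IPS:
            ip_hits[m["ip"]] += 1
        found = hunt_text(m["request"] + " " + m["referer"])
        if found:
            url_hits.append((m["ip"], found[0]))
    return {"ip_hits": dict(ip_hits), "url_hits": url_hits, "unparsed": unparsed}

# Constructed samples (not from the post): one page loading a script from an indicator
# domain (the /x.js path is made up) and a few access-log lines.
SAMPLE_HTML = (
    "<html><head>"
    '<script src="https://cache.cloudswiftcdn.com/x.js"></script>'
    '<script src="https://cdn.example.org/legit.js"></script>'
    "</head></html>"
)
SAMPLE_LOG = """\
94.102.51.144 - - [02/Apr/2024:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
94.102.51.144 - - [02/Apr/2024:03:14:08 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
94.102.51.144 - - [02/Apr/2024:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [02/Apr/2024:09:00:00 +0000] "GET /about/ HTTP/1.1" 200 7310 "https://www.example.org/" "Mozilla/5.0"
45.150.67.235 - - [02/Apr/2024:11:22:33 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [02/Apr/2024:12:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "https://cache.cloudswiftcdn.com/x.js" "Mozilla/5.0"
this line is not in combined format
"""

if __name__ == "__main__":
    print("domains in page:", hunt_text(SAMPLE_HTML))
    print("log hits:", hunt_log(SAMPLE_LOG.splitlines()))
```

For a real hunt, feed hunt_text the output of a recursive read of wp-content plus the wp_options rows, and feed hunt_log the web server's access log; a non-zero ip_hits count for the malware IP, or any url_hits entry, is worth a closer look at that client's full session.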

The decoded remote JavaScript typically creates administrator users such as wpsupp-user:

Attack Vector – LiteSpeed Cache < 5.7.0.1

Attackers inject the script through the vulnerability in LiteSpeed Cache versions before 5.7.0.1, an unauthenticated stored XSS (CVE-2023-40000) that lets them plant the payload in the plugin's stored admin-notice messages; the WPScan advisory is:

https://wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4/

Our WAF logs for the past month show an unusual spike in requests for this URL on April 2nd, with a second spike on April 27th. The IP addresses most likely scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220, with 70,472 requests.
