A client opened a malware removal ticket reporting some weird spam URLs injected onto their WordPress website. After further investigation into the files in the website, Sucuri discovered a hidden encoded spam injector malware in the following theme file:. The attacker formatted the encoded injector to look like a themes license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code. The attacker also hardly used any encoding to ensure it was well hidden.”]
Source: https://blog.sucuri.net/2019/01/spam-injector-disguised-as-license-key-in-wordpress.html