The malware is always injected into the active theme’s footer.php file, and contains obfuscated JavaScript after a long series of empty lines in an attempt to stay hidden.