Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.