Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

April 17, 2026, 10:47 a.m.

Description

A compromised Joomla website displayed suspicious product links unrelated to the business. Investigation revealed heavily obfuscated PHP code injected at the top of index.php that contacted external command-and-control (C2) servers to receive instructions and manipulate content. The malware acts as a remote loader and assembles its strings from two-character chunks to evade signature-based detection. It contacts the primary C2 server, cdn.erpsaz.com, and a fallback, cdn.saholerp.com, sending server fingerprint data and receiving dynamic instructions. Based on the responses, it redirects visitors, injects spam content, or serves fake SEO pages to search engines. This approach lets the attackers control compromised sites remotely without modifying local files again, enabling dynamic spam injection, visitor redirection, and search engine manipulation while remaining undetected for extended periods.

Date

  • Created: April 17, 2026, 8:35 a.m.
  • Published: April 17, 2026, 8:35 a.m.
  • Modified: April 17, 2026, 10:47 a.m.

Indicators

  • http://cdn.erpsaz.com/admin.php

Additional Information

  • cdn.erpsaz.com
  • lashowroom.com
  • cdn.saholerp.com
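
A detection sketch for the chunked-string technique in the description, added here as an example and not taken from the original report or the malware itself: it folds concatenated PHP string literals back together before matching the two C2 hostnames, so a signature split into two-character pieces still hits. It assumes the chunks are quoted literals joined with PHP's `.` operator; the sample source, the thresholds and the function name `scan` are constructed for illustration.

```python
import re

# C2 hostnames named in the description above.
C2_DOMAINS = ("cdn.erpsaz.com", "cdn.saholerp.com")

# One quoted PHP string literal (single or double quoted).
_LIT = r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)")"""
# A literal optionally followed by more literals joined with the "." operator.
_CHAIN = re.compile(rf"{_LIT}(?:\s*\.\s*{_LIT})*")
_PART = re.compile(_LIT)

# Constructed sample: a Joomla-style index.php with two chunked hostnames
# (assumed obfuscation shape) and two benign lines.
SAMPLE = r"""<?php
$h = 'cd'.'n.'.'er'.'ps'.'az'.'.c'.'om';
$f = "cd" . "n." . "sa" . "ho" . "le" . "rp" . ".c" . "om";
$t = 'Site' . ' title';
define('_JEXEC', 1);
"""


def scan(php_source, min_chunks=4, max_chunk_len=2):
    """Fold each literal chain and report C2 hits and chunked-string chains.

    A chain is reported when its folded value contains a known C2 hostname,
    or when it is built from at least `min_chunks` pieces that are all
    `max_chunk_len` characters or shorter (heuristic thresholds, tune per site).
    """
    findings = []
    for match in _CHAIN.finditer(php_source):
        parts = [a or b for a, b in _PART.findall(match.group(0))]
        value = "".join(parts)
        hits = [d for d in C2_DOMAINS if d in value.lower()]
        chunked = (len(parts) >= min_chunks
                   and all(len(p) <= max_chunk_len for p in parts))
        if hits or chunked:
            findings.append({
                "line": php_source.count("\n", 0, match.start()) + 1,
                "value": value,
                "c2": hits,
                "chunked": chunked,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The matcher is a regex heuristic, not a PHP parser: chunks assembled through variables, arrays or function calls need a tokenizer-based pass, and a `chunked` finding with no C2 hit is a lead for manual review of the file.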