Tag: wordpress

14 Attack Reports | 0 Vulnerabilities

Attack reports

Stripe API Skimming Campaign: Additional Victims & Insights

A sophisticated web skimming campaign has been discovered, utilizing a legacy Stripe API to validate stolen payment details before exfiltration. The attack involves multiple stages, including malicious loader injection, decoding, and skimming. Jscrambler's research team identified 49 affected merch…
wordpress
e-commerce
javascript injection
web skimming
payment fraud
stripe api
woocommerce
2025-04-03
client-side security
Published: April 3, 2025
Downloadable IOCs: 2

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

Credit Card Skimmer and Backdoor on WordPress E-commerce Site

A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout…
backdoor
obfuscation
javascript
wordpress
reconnaissance
php
credit card skimmer
e-commerce
2025-03-15
woocommerce
Published: March 15, 2025
Downloadable IOCs: 0

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden …
wordpress
javascript injection
2025-03-07
malicious redirects
traffic hijacking
theme file modification
two-stage attack
seo damage
Published: March 7, 2025
Downloadable IOCs: 3

Fake WordPress Plugin Impacts SEO by Injecting Casino Spam

A recent investigation uncovered a malicious WordPress plugin disguised as an innocent security tool, injecting casino spam into website footers. The attackers employed obfuscation techniques and cURL to fetch data from a remote URL, decrypting it using XOR encryption. The malware retrieves a set o…
obfuscation
wordpress
plugin
xor encryption
2025-02-27
seo
casino
spam injection
link injection
Published: February 27, 2025
Downloadable IOCs: 1

Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection

A sophisticated credit card skimmer malware has been discovered targeting WordPress websites. The malware injects malicious JavaScript into database entries, specifically in the wp_options table, to steal sensitive payment details from checkout pages. It activates only on checkout pages, either hij…
wordpress
credit card skimmer
ecommerce
2025-01-10
database injection
Published: January 10, 2025
Downloadable IOCs: 0

PHP Reinfector and Backdoor Malware Target WordPress Sites

A sophisticated PHP reinfector and backdoor malware is targeting WordPress websites, infecting plugin files and database tables. The malware reinfects active plugins, manipulates wp_options and wp_posts tables, and creates malicious admin users. It utilizes WordPress's cron system to maintain contr…
backdoor
obfuscation
wordpress
php
2024-11-14
vextrio
database manipulation
backdoor malware
persistent threat
php reinfector
plugin infection
reinfector
cron system
Published: November 14, 2024
Downloadable IOCs: 0

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The AndroxGh0st malware has expanded its capabilities by incorporating the Mozi botnet to target IoT devices and cloud services. This Python-based tool, known for attacking Laravel applications, now exploits a wider range of vulnerabilities in internet-facing applications. The malware uses remote c…
iot
botnet
wordpress
CVE-2024-4577
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
cloud services
credential stealing
CVE-2022-1040
2024-11-08
mozi
laravel
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
Published: November 8, 2024
Downloadable IOCs: 1

2024 Credit Card Theft Season Arrives

As the holiday shopping season approaches, eCommerce website owners need to be vigilant against credit card stealing malware, known as 'MageCart'. Attackers focus their efforts in the last quarter to maximize profits from stolen card details. Analysis of recent malware samples reveals sophisticated…
wordpress
magento
credit card theft
2024-11-07
magecart
websocket skimmer
jquery hex skimmer
holiday shopping season
r.blob skimmer
ecommerce security
Published: November 7, 2024
Downloadable IOCs: 0

DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries

DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access, and uses them as nodes to control other devices or …
wordpress
quasarrat
2024-09-04
darkcracks
malware framework
infrastructure compromise
glpi
Published: September 4, 2024
Downloadable IOCs: 55

Fake update puts visitors at risk

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace
Published: July 24, 2024
Downloadable IOCs: 10

Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclea…
impersonation
wordpress
sliver
golang
2024-06-28
open-source
donut
virtual disk
Published: June 28, 2024
Downloadable IOCs: 18

Active exploitation of stored XSS vulnerabilities in WordPress Plugins

Recent months have witnessed active exploitation attempts targeting multiple cross-site scripting (XSS) vulnerabilities in popular WordPress plugins. The attacks involve injecting malicious scripts that create new admin accounts, install backdoors, and implement tracking mechanisms. The affected pl…
CVE-2023-6961
wordpress
2024-05-31
xss
CVE-2023-40000
CVE-2024-2194
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-6961 (CVSS 7.2), CVE-2023-40000, CVE-2024-2194
Downloadable IOCs: 28

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports