The Wordfence Threat Intelligence Team has uncovered a highly sophisticated malware campaign targeting WordPress e-commerce sites that run the WooCommerce plugin. The attackers deploy a rogue plugin that hides malicious payloads inside fake images, evades detection through custom encryption, and maintains remote command access for persistent exploitation.
According to Wordfence researchers, “This malware exhibits advanced features including custom encryption methods, fake images used to conceal malicious payloads, a robust persistence layer that allows attackers to deploy additional code on demand, all packaged as a rogue WordPress plugin.”
The malicious plugin disguises itself under names resembling legitimate tools, such as “jwt-log-pro,” “cron-environment-advanced,” and “share-seo-assistant.”
Each sample contains two PHP files and two PNG images, one of which acts as a decoy. All function names, variables, and even text strings are randomly generated and obfuscated.
The plugin activates silently, “hiding its entry from the WordPress plugin list and table view to minimize the risk of detection.” It also logs every user with author or higher privileges, setting a persistent tracking cookie (pxcelPage_c01002) that allows the malware to identify returning administrators and avoid showing malicious code to them, an evasion tactic intended to keep the site appearing normal.
Wordfence found that the malware intercepts login credentials through a two-stage process — first storing them in cookies and then exfiltrating the data after a successful login event.
“It captures usernames and passwords when a user enters them using a cookie as storage, then waits for the actual login to exfiltrate them,” the report explains.
Credentials are sent to the attacker’s command server at hxxps://badping[.]info/SMILODON/index_b.php?view=, encoded and obfuscated to disguise the traffic.
A hidden AJAX-based backdoor enables attackers to inject or update malicious JavaScript payloads and even execute arbitrary PHP code remotely.
Wordfence notes that “the malware establishes a backdoor using two distinct AJAX-based access endpoints, both employing a cookie-based authentication method that circumvents WordPress’s native authentication.”
One endpoint allows for dynamic updates to the skimmer payload, while the other executes arbitrary PHP code through temporary files — effectively granting full remote control over the compromised system.
In one of the campaign’s most deceptive tricks, the malware stores its JavaScript skimming payloads inside fake PNG image files. These files mimic legitimate site assets but contain reversed and custom base64-encoded code following a falsified PNG header (‰PNG).
“Three distinct fake image files are employed — a custom payload, a dynamic payload with the main form-jacking logic updated daily, and a fallback payload with a static backup copy of the same logic.”
This multi-tier payload structure ensures the skimmer continues functioning even if one file is removed or corrupted. The JavaScript is injected into WooCommerce checkout pages, lying dormant until customers enter their credit card data.
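A defender can spot this kind of forged asset because a genuine PNG has a fixed chunk layout right after its 8-byte signature, while a file that only borrows the header does not. The checker below is an added example, not Wordfence's code or any sample from the campaign; the two inputs it classifies are constructed here, and the reversed-base64 heuristic is an assumption based on the encoding described above.

```python
import base64
import struct
import zlib

# The real PNG signature; its first byte (0x89) is what renders as "‰PNG" in a text editor.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def png_verdict(data: bytes) -> str:
    """Classify a blob that claims to be a PNG.

    "not-png": the signature is absent.
    "png": the first chunk is a well-formed IHDR (length 13) whose CRC matches.
    "fake-png": the signature is present but no valid chunk follows, i.e. the
    layout described in the report: a forged header with encoded text behind it.
    """
    if not data.startswith(PNG_SIG):
        return "not-png"
    body = data[len(PNG_SIG):]
    if len(body) < 12:
        return "fake-png"
    length, ctype = struct.unpack(">I4s", body[:8])
    if ctype != b"IHDR" or length != 13 or len(body) < 12 + length:
        return "fake-png"
    chunk = body[4:8 + length]  # chunk type + data: the bytes the CRC covers
    (crc,) = struct.unpack(">I", body[8 + length:12 + length])
    return "png" if zlib.crc32(chunk) == crc else "fake-png"


def looks_like_reversed_base64(data: bytes) -> bool:
    """Heuristic (assumption): almost every byte after the signature is base64 alphabet."""
    body = data[len(PNG_SIG):]
    if not body:
        return False
    return sum(c in B64_ALPHABET for c in body) / len(body) > 0.95


def build_ihdr(width: int = 1, height: int = 1) -> bytes:
    """Build a valid IHDR chunk (8-bit RGB) so the sample below is a real PNG prefix."""
    data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + data
    return struct.pack(">I", len(data)) + chunk + struct.pack(">I", zlib.crc32(chunk))


# Constructed samples, not files from the campaign: a real PNG prefix and a forged one
# that hides reversed base64 text behind the signature.
REAL_PNG = PNG_SIG + build_ihdr()
FAKE_PNG = PNG_SIG + base64.b64encode(b"console.log('constructed stand-in payload')")[::-1]
```

Running `png_verdict` plus `looks_like_reversed_base64` over every `.png` in `wp-content/plugins/` flags files that carry the signature but no image structure; the CRC check also keeps a truncated real image from being misreported.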
The JavaScript skimmer activates three seconds after page load to avoid interfering with AJAX-driven checkout forms. It even includes a fake validation system to reassure users that their card data is being securely processed.
Captured data — including card number, expiry date, and CVV — is sent back to the infected site via AJAX POST requests before being exfiltrated to external servers such as hxxps://geterror[.]info/SMILODON/index.php?view=.
In some cases, the data is also sent via email fallback to an address linked to Russian webmail provider Rambler (to.duraku@rambler[.]ru).
Wordfence attributes this operation to Magecart Group 12, one of the most persistent credit card skimming collectives.
“Evidence strongly suggests that the SMILODON string, found in two C&C server URLs, is linked to Magecart Group 12 threat actors,” the report states, citing shared infrastructure and code patterns observed since 2021.
Researchers also noted that “two domains are hosted on IP address 121.127.33[.]229 alongside other domains connected to this group’s past phishing and skimming operations.”