
The Wordfence Threat Intelligence Team has detailed a powerful malware framework operating under the guise of a rogue WordPress plugin. This campaign, first identified during a site clean on May 16, 2025, reveals a multi-functional family of malware strains capable of credit card skimming, WordPress credential theft, ad fraud, and remote command execution — all while blending seamlessly into legitimate site operations.
“Most surprisingly, one variant incorporated a live backend system hosted directly on infected websites for attacker use – a previously unseen method – packaged and disguised as a rogue WordPress plugin,” the report explains.
While the malware came to light in May 2025, evidence indicates the campaign began as early as September 2023, suggesting a prolonged and evolving operation.
The fake plugin is convincing: it follows WordPress development best practices, complete with separated admin and public-facing folders, and even mimics plugin boilerplate structure. Yet, as the analysts noted, “most files turned out to be just empty scaffolding.”
“Clearly the fake plugin was not affiliated in any way with WordPress or WooCommerce… a fairly common tactic used by attackers to deceive their victims.”
At the heart of the operation is a JavaScript skimmer embedded within the fraudulent plugin (wordpress-core-public.js), which activates only on checkout pages. To evade detection, the malware:
- Avoids execution in the WordPress admin panel.
- Disables right-click, F12, Ctrl+Shift+I, and Ctrl+U.
- Detects browser developer tools using window size checks.
- Inserts infinite loops or debugger traps to crash dev tools.
- Rebinds browser console methods to frustrate reverse engineering.
“All of the malware samples analyzed employ identical obfuscation techniques… including developer tools detection and console rebinding,” the report discloses.
The malware employs multiple techniques to capture sensitive data:
- Overlay attacks that hijack WooCommerce forms.
- Base64-injected fake forms that mimic legitimate payment interfaces.
- Pseudo-validation scripts that display red or green colors to give fake legitimacy.
Captured data — including names, card numbers, CVV codes, addresses, and emails — is encoded and exfiltrated by appending it as a query string to a request for a fake image (image-view.php), so the stolen data leaves the browser inside an ordinary-looking HTTP GET request.
“The stolen data is encoded and appended as a query parameter to a fake image URL… triggering an HTTP GET request to exfiltrate the data.”
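The exfiltration channel described above leaves a trace in ordinary web server access logs: a GET to a PHP endpoint posing as an image, carrying an unusually long encoded query string. The following is an added detection example written for this article, not code from Wordfence or from the malware. It parses combined-format log lines, flags requests to an `image-view.php` path whose query string is suspiciously long, and additionally tries to base64-decode each parameter and look for a Luhn-valid card number. The log lines, the plugin directory name `EXAMPLE-ROGUE-PLUGIN`, the `MIN_QUERY_LEN` threshold and the test card number are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format (Apache/nginx default); the regex is deliberately loose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint name from the report; the length threshold is a hypothetical tuning value.
SUSPECT_PATH = re.compile(r'image-view\.php$')
MIN_QUERY_LEN = 60

# 13-19 digit runs not embedded in longer digit sequences.
CARD_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_b64(value: str):
    """Decode standard or URL-safe base64 with missing padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="ignore")


def contains_card_number(text: str) -> bool:
    return any(luhn_ok(m) for m in CARD_RE.findall(text))


def analyze_line(line: str):
    """Return a finding dict for a suspicious fake-image GET, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if m["method"] != "GET" or not SUSPECT_PATH.search(parts.path):
        return None
    reasons = []
    if len(parts.query) >= MIN_QUERY_LEN:
        reasons.append("long query string on fake image endpoint")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_b64(value)
        if decoded and contains_card_number(decoded):
            reasons.append(f"parameter {key!r} base64-decodes to text with a Luhn-valid card number")
            break
    if not reasons:
        return None
    return {"ip": m["ip"], "timestamp": m["ts"], "path": parts.path, "reasons": reasons}


def scan(lines):
    return [hit for hit in (analyze_line(line) for line in lines) if hit]


# Constructed sample traffic: one exfiltration request (payload built here from a
# well-known test card number, not real data) and two benign requests.
_PAYLOAD = "name=Jane Doe;card=4111111111111111;exp=12/27;cvv=123;email=jane@example.test"
_ENC = base64.urlsafe_b64encode(_PAYLOAD.encode()).decode().rstrip("=")
SAMPLE_LOG = [
    f'203.0.113.7 - - [16/May/2025:10:01:02 +0000] "GET /wp-content/plugins/EXAMPLE-ROGUE-PLUGIN/public/image-view.php?d={_ENC} HTTP/1.1" 200 43',
    '203.0.113.8 - - [16/May/2025:10:01:05 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 1532',
    '198.51.100.4 - - [16/May/2025:10:02:11 +0000] "GET /checkout/ HTTP/1.1" 200 22014',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed it a real access log with `scan(open(path))`. The Luhn pass is what separates a harmless long query string from one that is carrying payment data; any hit on the second reason is worth treating as a confirmed skimmer rather than a noisy signature.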
The threat doesn’t stop at formjacking. The Wordfence team discovered at least three major variants of the malware:
- Credit Card Skimmer – Steals payment data and exfiltrates it silently.
- Malicious Ad Injector – Displays fraudulent ads only to mobile users who arrive from search engines or social media.
- Credential Harvester – Targets WordPress login pages and sends stolen credentials to attacker-controlled servers via Telegram.
Some variants even dynamically replace file download links, distributing weaponized ZIP files instead of legitimate content.
This malware doesn’t just operate on the frontend. PHP files in the rogue plugin create a server-side infrastructure that enables persistent attacker access:
- register-messages-posttype.php defines a custom post type for stolen order data.
- wordpress-core.php uses WooCommerce hooks to silently complete fraudulent orders, delaying merchant detection.
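The browser-side evasion tricks listed earlier (keyboard shortcut blocking, window-size developer tools checks, `debugger` traps, console rebinding, checkout-page gating) and the server-side behaviours just described (a custom post type for stolen orders, WooCommerce hooks that force orders to completed) are all things a file scanner can look for in an unfamiliar plugin. The following is an added example written for this article, not code from Wordfence; it is a heuristic static scanner that scores `.js` and `.php` files against those indicators and flags files over a threshold. The regexes, weights, `FLAG_THRESHOLD`, and the sample file contents are all constructed here and are assumptions rather than anything the report publishes.

```python
import os
import re

# Each entry: (label, pattern, weight). Weights and threshold are hypothetical tuning values.
JS_INDICATORS = [
    ("debugger trap", re.compile(r'\bdebugger\b'), 1),
    ("devtools window-size check",
     re.compile(r'outer(Width|Height)\s*-\s*(window\.)?inner(Width|Height)'), 2),
    ("F12 blocked", re.compile(r'keyCode\s*={2,3}\s*123|key\s*={2,3}\s*["\']F12["\']'), 2),
    ("Ctrl+Shift+I / Ctrl+U blocked",
     re.compile(r'ctrlKey[^;\n]{0,80}(keyCode\s*={2,3}\s*(73|85)|["\'][IUiu]["\'])'), 2),
    ("right-click disabled", re.compile(r'["\']contextmenu["\'][^;\n]{0,120}preventDefault'), 1),
    ("console methods rebound",
     re.compile(r'console\.(log|warn|error|info|debug|table|clear)\s*=[^=]'), 2),
    ("base64 form injection",
     re.compile(r'atob\s*\([^)]*\)[^;\n]{0,80}innerHTML|innerHTML[^;\n]{0,80}atob\s*\('), 2),
    ("checkout-page gating", re.compile(r'(href|pathname|URL)[^;\n]{0,80}["\']checkout'), 1),
]
PHP_INDICATORS = [
    ("custom post type registered", re.compile(r'\bregister_post_type\s*\('), 1),
    ("WooCommerce order hook",
     re.compile(r'["\']woocommerce_(checkout_order_processed|payment_complete|thankyou|'
                r'order_status_\w+|new_order)["\']'), 1),
    ("order forced to completed", re.compile(r'update_status\s*\(\s*["\']completed["\']'), 3),
    ("Telegram bot API contacted", re.compile(r'api\.telegram\.org/bot'), 3),
    ("eval / base64_decode", re.compile(r'\beval\s*\(|\bbase64_decode\s*\('), 1),
]
FLAG_THRESHOLD = 4


def scan_text(filename: str, text: str) -> dict:
    """Score one file's contents; 'empty' marks the scaffolding files the report mentions."""
    ext = os.path.splitext(filename)[1].lower()
    table = JS_INDICATORS if ext == ".js" else PHP_INDICATORS if ext == ".php" else []
    hits, score = [], 0
    for label, rx, weight in table:
        if rx.search(text):
            hits.append(label)
            score += weight
    return {"file": filename, "indicators": hits, "score": score,
            "flagged": score >= FLAG_THRESHOLD, "empty": len(text.strip()) == 0}


def scan_plugin_dir(root: str) -> list:
    """Walk a plugin directory (e.g. wp-content/plugins/<name>) and score every JS/PHP file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".js", ".php")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    results.append(scan_text(path, fh.read()))
    return results


# Constructed samples: anti-devtools boilerplate of the kind the report describes,
# a PHP snippet hooking WooCommerce order processing, and a benign theme script.
SAMPLE_JS = """
if (window.location.href.indexOf('checkout') === -1) { /* not a checkout page */ }
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.onkeydown = function (e) { if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.keyCode === 73) || (e.ctrlKey && e.keyCode === 85)) return false; };
if (window.outerWidth - window.innerWidth > 160) { debugger; }
console.log = function () {};
"""
SAMPLE_PHP = """<?php
register_post_type('messages', array('public' => false));
add_action('woocommerce_checkout_order_processed', function ($order_id) {
    $order = wc_get_order($order_id);
    $order->update_status('completed');
});
"""
BENIGN_JS = "jQuery(function ($) { $('.menu').on('click', function () { console.log('clicked'); }); });"

if __name__ == "__main__":
    for name, body in (("wordpress-core-public.js", SAMPLE_JS),
                       ("wordpress-core.php", SAMPLE_PHP), ("theme.js", BENIGN_JS)):
        print(scan_text(name, body))
```

Run `scan_plugin_dir("/path/to/wp-content/plugins/suspect-plugin")` against an installed plugin and review anything flagged, plus directories where most files come back `empty`. The scoring is coarse on purpose: as Wordfence notes, individual anti-debugging tricks also appear in legitimate commercial plugins, so it is the combination with order-completion hooks, custom post types, or Telegram calls that should raise the alarm.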
“This rogue WordPress plugin represents a significant escalation for credit card skimmers… effectively converting the compromised website into a custom interface available to the attackers.”
Here are some of the malicious domains and infrastructure identified:
- Domains:
  - advertising-cdn.com
  - chaolingtech.com
  - contentsdeliverystat.com
  - graphiccloudcontent.com
  - imageresizefix.com
  - vectorimagefabric.com
- Telegram bot:
  - api.telegram.org/bot7468776395[…]chat_id=-4672047987
Wordfence notes that the obfuscation techniques used in these samples are also common in legitimate commercial plugins, which makes detection particularly challenging.