A Sophisticated Malware Campaign Targets WooCommerce Sites
A formidable malware initiative has surfaced, specifically aimed at WordPress e-commerce platforms, with a pronounced focus on those utilizing the WooCommerce plugin for customer transactions.
Discovered in August 2025, this threat exemplifies remarkable evasion abilities alongside intricate mechanisms for credit card data harvesting, meticulously designed to circumvent traditional security detection systems.
Functioning as a deceptive WordPress plugin, the malware employs bespoke encryption protocols, concealing its nefarious payload within counterfeit image files, and establishes a durable backdoor infrastructure. This allows attackers to deploy supplementary code as necessary.
Installation mandates administrative-level access, which is often secured through compromised credentials or inadequately protected plugins.
Upon activation, the malware hides itself from the WordPress plugin list, significantly reducing the chance of detection, while systematically setting tracking cookies and logging administrator details across the compromised site.
Analysts from Wordfence successfully identified and cataloged the malware following the receipt of a comprehensive sample on August 21, 2025.
Between August 27 and September 9, 2025, four detection signatures were developed and disseminated to Wordfence Premium, Care, and Response clientele, with complimentary users receiving access after a standard 30-day interval.
This encroaching menace poses a significant threat to online merchants and their clientele, as it meticulously captures and exfiltrates sensitive payment data.
Advanced Persistence and Command-and-Control Infrastructure
The malware establishes formidable resilience through multiple redundancy layers. It intercepts user credentials during the login process, employing the wp_authenticate_user filter and wp_login action hooks, subsequently exfiltrating this data to servers controlled by the attackers.
The payload injection process relies on counterfeit PNG files embedded with reversed and encoded JavaScript, spread across three distinct files: a custom payload updated through the AJAX backdoor, a dynamic payload refreshed daily, and a fallback static version.
Activated on WooCommerce checkout pages, the JavaScript skimmer employs a three-second delay to avert form conflicts. It attaches event listeners to capture credit card numbers, expiration dates, and CVV values, and thereafter transmits this information through AJAX POST requests.
The PHP exfiltration component incorporates several fallback mechanisms (native cURL, file_get_contents, a shell curl command, and email delivery), ensuring that captured data reaches the attackers from a wide range of server configurations.
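As an added defensive illustration, not code from the article or from Wordfence, the Python triage script below checks two file-level indicators described above: .png files that lack the PNG signature and, after reversing and base64-decoding in either order, contain script, and plugin files that combine the wp_authenticate_user/wp_login hooks with an outbound-transfer primitive. The base64 encoding and the indicator regexes are assumptions; the article does not name the encoding, so treat hits as candidates for manual review.

```python
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JS_MARKERS = re.compile(rb"addEventListener|XMLHttpRequest|document\.|\.value")
CRED_HOOKS = re.compile(rb"wp_authenticate_user|wp_login")
EXFIL_FUNCS = re.compile(rb"curl_init|file_get_contents|shell_exec|\bmail\(")


def _decode_variants(data: bytes):
    """Yield decodings of 'reversed and encoded' content, trying both orders
    (reverse-then-decode and decode-then-reverse). Base64 is an assumption."""
    compact = b"".join(data.split())  # strict base64 rejects stray whitespace
    for candidate in (compact, compact[::-1]):
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield decoded
        yield decoded[::-1]


def fake_png_findings(name: str, data: bytes) -> list[str]:
    """Flag a .png without the PNG signature and note if it hides script."""
    findings = []
    if not name.lower().endswith(".png") or data.startswith(PNG_MAGIC):
        return findings
    findings.append("png-extension-without-png-header")
    if any(JS_MARKERS.search(d) for d in _decode_variants(data)):
        findings.append("decodes-to-javascript")
    return findings


def plugin_findings(php_source: bytes) -> list[str]:
    """Triage heuristic: login hooks plus an outbound-transfer call in one file."""
    findings = []
    if CRED_HOOKS.search(php_source) and EXFIL_FUNCS.search(php_source):
        findings.append("login-hook-with-outbound-transfer")
    return findings


if __name__ == "__main__":
    # Constructed samples for demonstration, not artefacts from the campaign.
    js = b"document.addEventListener('input', function (e) { return e.target.value; });"
    fake_png = base64.b64encode(js)[::-1]  # encoded, then reversed
    real_png = PNG_MAGIC + b"\x00" * 8
    print(fake_png_findings("logo.png", fake_png))
    print(fake_png_findings("logo.png", real_png))
    print(plugin_findings(b"<?php add_filter('wp_authenticate_user', 'cb'); curl_init($u);"))
```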
Analysis ties this malware to Magecart Group 12, corroborated by the SMILODON identifier located in command-and-control server URLs and coding patterns consistent with previous threat actor endeavors.
This campaign underscores the persistent nature of threats facing WordPress e-commerce platforms and accentuates the imperative of maintaining an updated security infrastructure alongside vigilant monitoring systems.
Source link: Cybersecuritynews.com.