Stealthy Malware Attacks WordPress and WooCommerce Sites


The Wordfence Threat Intelligence Team recently uncovered a **startling malware campaign** during a routine site cleanup, unveiling a series of sophisticated attacks targeting **WordPress** and **WooCommerce** platforms. This alarming development has implications for countless online businesses, as the campaign has been active since **September 2023** and encompasses over **20 unique malware samples**.

The Rise of Sophisticated Malware Frameworks

At the heart of this campaign lies a **sophisticated malware framework** designed primarily for **credit card skimming** and **credential theft**. However, it doesn’t stop there. This malware variant displays a range of nefarious functionalities—including **malicious ad manipulation** and the distribution of additional payloads that make it a multi-faceted threat.

One fascinating aspect of this operation is its **novel approach**. Certain variants embed a **live backend system** directly onto infected websites, masquerading as rogue WordPress plugins. This gives attackers a **customized interface** to manage stolen data and manipulate site operations, creating a seamless experience for them while performing their malicious activities.

(Image caption: plugin template likely generated by AI)

To further complicate detection efforts, this malware family uses **advanced obfuscation techniques** and a series of **anti-analysis mechanisms**. These range from detecting developer tools and freezing browser tabs to re-binding console commands. By continuously comparing the window's outer and inner dimensions (outerWidth and innerWidth), the malware can infer whether developer tools are open and change its behaviour accordingly, sidestepping traditional security measures.

Diving into Technical Intricacies

This malware's selectivity is equally striking. It targets critical areas like **checkout pages** while avoiding administrator panels through cookie-based checks, drastically reducing its visibility to site operators. The method of **data exfiltration** is also notable: captured payment and billing information is **Base64**-encoded, wrapped in the attackers' own encoding scheme, and transmitted through deceptive fake image URLs to servers under the attacker's control.

In an even more alarming twist, specific variants can manipulate **Google Ads** for fraudulent purposes, pilfer WordPress login credentials, and replace legitimate links with malicious ones, showcasing the framework’s disturbing versatility.

One of the standout features of this campaign is a **fake human verification challenge** that emulates Cloudflare branding. Complete with multi-language support, animations, and a dark mode CSS theme, this deception is artfully crafted to mislead users while filtering out bots.

The integration of **Telegram channels** for real-time data exfiltration adds another layer of sophistication, enabling the attackers to receive stolen information as soon as it’s captured. The use of **localStorage** also ensures persistence across browser sessions, making it harder for victims to remove traces of the malware.

Perhaps the most alarming element is the deployment of a **rogue WordPress plugin**, misleadingly named **“WordPress Core.”** This plugin embeds server-side PHP scripts designed to manage stolen data via custom post types and can manipulate order statuses to “completed” to delay detection of any fraudulent activity—signaling a serious escalation in the malware landscape.

With its evolving codebase and AI-generated plugin scaffolding, this campaign underscores an ongoing threat to the entire web ecosystem. In response, Wordfence has released detection signatures between May 17 and June 15, 2025. Premium, Care, and Response customers can access immediate updates, while free users face a 30-day delay.

Indicators of Compromise (IoCs)

| Type | Indicator |
|---|---|
| Domains | advertising-cdn.com, api-service-188910982.website, blastergallery.com, chaolingtech.com, contentsdeliverystat.com, deliveryrange.pro, emojiselect.info, graphiccloudcontent.com, imageresizefix.com, imagifytext.com, internetmemoryservice.com, staticdelivery.net, vectorimagefabric.com, vectorizegraphic.com |
| Telegram API | api.telegram.org/bot7468776395 […] chat_id=-4672047987 |
| Google Ads Client ID | ca-pub-9514222065914327 |
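Site operators who cannot wait for a scanner signature can sweep `wp-content` themselves for the identifiers and behaviours this article describes. The script below is an added example (not Wordfence's scanner or code from the campaign): it walks a directory of PHP and JavaScript files and scores each one against a small rule set built from the page, namely the Telegram bot API path and chat_id and the AdSense client ID from the IoC table, a plugin header calling itself "WordPress Core", the outerWidth/innerWidth developer-tools check, localStorage use near checkout logic, and an order status forced to "completed" via WooCommerce's `update_status()`. The weights, the flagging threshold and the sample plugin tree are this example's own constructions; the Telegram bot token in the sample is a placeholder, since the page elides the real one.

```python
import os
import re
import tempfile
import textwrap

# (rule name, weight, pattern). Identifier rules come from the IoC table on this page;
# behavioural rules encode what the article describes. Weights are this example's choice.
RULES = [
    ("telegram_bot_api", 5, re.compile(r"api\.telegram\.org/bot\d+", re.I)),
    ("telegram_chat_id", 5, re.compile(r"chat_id=-4672047987")),
    ("ads_client_id", 5, re.compile(r"ca-pub-9514222065914327")),
    ("rogue_plugin_header", 4, re.compile(r"Plugin Name:\s*WordPress Core\b", re.I)),
    ("devtools_size_check", 2, re.compile(r"outerWidth[\s\S]{0,200}innerWidth|innerWidth[\s\S]{0,200}outerWidth")),
    ("localstorage_near_checkout", 1, re.compile(r"localStorage[\s\S]{0,400}checkout|checkout[\s\S]{0,400}localStorage", re.I)),
    ("order_forced_completed", 1, re.compile(r"update_status\s*\(\s*['\"](?:wc-)?completed['\"]")),
]
FLAG_THRESHOLD = 3  # any identifier hit, or two behavioural hits, flags a file


def scan_text(text):
    """Return the (name, weight) pairs of every rule that matches the text."""
    return [(name, weight) for name, weight, rx in RULES if rx.search(text)]


def scan_tree(root, exts=(".php", ".js")):
    """Scan every PHP/JS file under root; return {relative path: hits/score/flagged}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                score = sum(w for _, w in hits)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"hits": [n for n, _ in hits], "score": score,
                                 "flagged": score >= FLAG_THRESHOLD}
    return findings


# Constructed sample tree: a rogue plugin with only the indicators (no working skimmer),
# a legitimate plugin that happens to auto-complete orders, and a clean theme file.
SAMPLE_FILES = {
    "plugins/wordpress-core/wordpress-core.php": """\
        <?php
        /*
        Plugin Name: WordPress Core
        */
        // placeholder token, not the real one (the page elides it)
        $url = 'https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage?chat_id=-4672047987';
        """,
    "plugins/wordpress-core/assets/skim.js": """\
        if (window.outerWidth - window.innerWidth > 160) { document.title = 'paused'; }
        if (location.pathname.indexOf('checkout') !== -1) { localStorage.setItem('seen', '1'); }
        """,
    "plugins/auto-complete-orders/auto-complete.php": """\
        <?php
        add_action('woocommerce_thankyou', function ($order_id) {
            $order = wc_get_order($order_id);
            $order->update_status('completed');
        });
        """,
    "themes/shop/functions.php": "<?php\nadd_theme_support('woocommerce');\n",
}


def build_sample_tree():
    """Write the constructed sample files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-content-sample-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(textwrap.dedent(body))
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_sample_tree()).items()):
        print(("FLAGGED " if info["flagged"] else "        ") + rel, info["score"], info["hits"])
```

Run it against a real site as `scan_tree("/var/www/html/wp-content")`; the IoC domains can be added to `RULES` in the same form. The threshold is deliberately above the weight of the `order_forced_completed` rule on its own, because many legitimate plugins complete orders automatically, while a rogue plugin that also checks window dimensions or embeds the Telegram path scores well above it.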


In a world increasingly dominated by online transactions, staying informed and ready to act is crucial. The sophistication and adaptability of today’s malware demand a proactive, vigilant approach from all website administrators.
