GoDaddy Security researchers have unveiled a detailed analysis of Help TDS, a sophisticated Traffic Direction System operational since at least 2017, which exploits compromised websites to funnel traffic toward malicious scams.
This operation supplies affiliates with PHP code templates that are injected into legitimate sites, primarily WordPress installations, to redirect visitors to fraudulent pages mimicking Microsoft Windows security alerts.
These alerts employ advanced browser manipulation techniques, such as full-screen takeovers and exit prevention scripts, to trap users and coerce them into calling fake tech support lines.
Evolution of a Persistent Traffic Direction System
When victims engage, attackers use remote access tools to fabricate malware detections and demand payments for bogus cleanup services.
For non-qualifying traffic, Help TDS falls back to alternative scams involving dating sites, cryptocurrency schemes, or sweepstakes, demonstrating a flexible monetization model integrated with campaigns like DollyWay, Balada Injector, and DNS TXT redirects.
The system’s hallmark is its distinctive redirect URL pattern, /help/?\d{14} (a /help/ path followed by a 14-digit query string), which routes users to domains like gadbets[.]site or radiant.growsier[.]shop.
Historical tracing links Help TDS to earlier malware strains, including the 2018 Crypper redirector and even 2015 SEO spam doorways tied to fped8[.]org.
Over time, it has evolved from disposable domains on free TLDs to a robust infrastructure relying on Telegram channels like trafficredirect for fresh redirect domains and fallback C2 servers such as pinkfels[.]shop.
Affiliates customize these templates with unique campaign IDs and API keys, enabling seamless integration with alternative TDS such as LosPollos, while shared codebases suggest Help TDS operators provide plug-and-play solutions to lower the entry barrier for cybercriminals.
Sophisticated Malicious Plugin Drives
Central to recent operations is the malicious “woocommerce_inputs” WordPress plugin, unrelated to legitimate WooCommerce tools, which has rapidly evolved from late 2024 to June 2025.
Installed via stolen admin credentials on over 10,000 sites worldwide, this plugin masquerades as a benign extension but incorporates credential harvesting, geographic filtering, and autonomous updates.
Early versions, like 1.4, featured delayed activation (24 hours post-install), desktop-only redirects targeting USA, Canada, and Japan, and database tables (e.g., wp_ip_tracking) to log IPs and avoid repeated redirects.
By version 1.5 in May 2025, it added biweekly exfiltration of user data (usernames, emails, and display names) to pinkfels[.]shop, potentially cross-referenced with dark web dumps for account takeovers.
This creates a self-reinforcing cycle: stolen credentials enable more infections, bolstering persistence.
According to the report, version 1.7 loosened filters to redirect all search engine traffic, enhancing monetization, while 2.0.0 introduced object-oriented design with daily update checks via C2 endpoints, downloading customized ZIP files for mass or targeted redirects.

A buggy version 3.0.0, possibly AI-generated and campaign-specific, attempted server-wide infections and competitor malware removal but remains rare due to impracticality.
Active campaigns, such as 32471739198434 and 32861745670379, use proxy IPs like 212.56.48.34 for installations, with logs showing rapid 22-second infection sequences from login to activation.
In conclusion, Help TDS exemplifies a criminal service ecosystem that, following the disruption of LosPollos, empowers affiliates through integrated C2, evasion tactics, and plugin evolution.
Website owners must prioritize MFA, plugin audits, and security scans to counter this threat, as GoDaddy has already mitigated infections on hosted sites.
Indicators of Compromise (IOC)
| Category | Details |
|---|---|
| Filenames | wp-content/plugins/woocommerce_inputs/woocommerce_inputs.php; woocommerce-load.php; cache files (e.g., fa9a7ba3d8e48b74b57af9e70aa419ab) |
| Hashes (SHA-256) | e889b2a46312291db487da925dea5844c386e8e439b2f87a2f798544e0a7c4f0; b3d0517a360b283c671bcbb8c09f517e9aa5a4c402c4d2c029059db55fc6601c; 89a3bdfe7072f226134dec05f1281508bdfc106f9a1c8afcc477d19ef9b9a1ea |
| Campaign IDs / API keys | 32471739198434 (5ad35c567498e1685dbb59748c40a1c9); 32861745670379 (153d4f720470d9e7a3e895c70153e7cd) |
| C2 / URLs | t.me/s/trafficredirect; pinkfels[.]shop/?t=json&i= |
| IPs | 84.239.43.45; 212.56.48.34; 78.128.113.14 |
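As an added example that is not part of the GoDaddy report or this article, the following Python triage scanner turns the indicators in the table above (the plugin directory, the published SHA-256 hashes, the named domains and the /help/?\d{14} redirect pattern) into a file check a site owner can run against a WordPress install. The sample files it inspects are constructed for the demonstration, and the function names are my own.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List

# Indicators copied from the report's IOC table (defanging brackets removed).
KNOWN_SHA256 = {
    "e889b2a46312291db487da925dea5844c386e8e439b2f87a2f798544e0a7c4f0",
    "b3d0517a360b283c671bcbb8c09f517e9aa5a4c402c4d2c029059db55fc6601c",
    "89a3bdfe7072f226134dec05f1281508bdfc106f9a1c8afcc477d19ef9b9a1ea",
}
KNOWN_DOMAINS = ("gadbets.site", "radiant.growsier.shop", "pinkfels.shop")
PLUGIN_DIR = "wp-content/plugins/woocommerce_inputs/"
# The Help TDS hallmark: "/help/?" followed by exactly 14 digits.
HELP_TDS_URL = re.compile(r"/help/\?\d{14}(?!\d)")

def inspect_file(rel_path: str, data: bytes) -> List[str]:
    """Return the indicator names one file matches (empty list if clean)."""
    hits: List[str] = []
    if rel_path.replace("\\", "/").startswith(PLUGIN_DIR):
        hits.append("plugin_path")            # lives in the malicious plugin's directory
    if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
        hits.append("known_hash")             # exact match on a reported sample
    text = data.decode("utf-8", errors="ignore")
    if HELP_TDS_URL.search(text):
        hits.append("help_tds_redirect_url")  # redirect pattern embedded in code
    hits.extend(f"domain:{d}" for d in KNOWN_DOMAINS if d in text)
    return hits

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a WordPress install and report every file matching an indicator."""
    base, report = Path(root), {}
    for path in (p for p in base.rglob("*") if p.is_file()):
        rel = path.relative_to(base).as_posix()
        hits = inspect_file(rel, path.read_bytes())
        if hits:
            report[rel] = hits
    return report

# Constructed sample files (hypothetical, not real malware): one plugin file
# carrying a Help TDS style redirect and one benign file that must stay clean.
SAMPLE_FILES = {
    PLUGIN_DIR + "woocommerce_inputs.php":
        b"<?php header('Location: https://gadbets.site/help/?12345678901234'); ?>",
    "wp-content/plugins/akismet/akismet.php": b"<?php // benign placeholder ?>",
}

def scan_sample() -> Dict[str, List[str]]:
    """Run inspect_file over the constructed sample set, keeping only hits."""
    found = {p: inspect_file(p, d) for p, d in SAMPLE_FILES.items()}
    return {p: h for p, h in found.items() if h}
```

The hash check only catches the three samples the report published, so treat the path and redirect-pattern matches as the durable signals and review any hit by hand before removing files.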