Sophisticated Malware Campaign Targets WordPress and WooCommerce Sites with Obfuscated Skimmers
A malware campaign targeting WordPress and WooCommerce websites with heavily obfuscated credit card skimmers and credential theft capabilities has emerged, representing a significant escalation in e-commerce threats.
The malware family has a modular architecture, with multiple variants built for different purposes: payment data theft, WordPress credential harvesting, and fraudulent advertising injection.
The campaign is particularly notable for anti-analysis measures more typical of advanced persistent threats than of commodity skimmers, including developer tools detection, console rebinding, and form manipulation techniques that let attackers blend malicious fields into legitimate checkout processes.
The campaign has been active continuously since at least September 2023 and is still ongoing, with evidence of development and deployment throughout that period.
Its persistence and adaptability point to a well-resourced threat actor able to maintain long-term operations while refining its tooling to evade detection systems.
Most concerning is the malware’s ability to avoid detection by limiting execution to specific areas of the site, using cookies to recognize (and avoid) site administrators, and targeting only the visitors it wants, so that operations remain covert while data collection is maximized.
Wordfence researchers identified this malware family during a routine site cleanup operation on May 16, 2025, subsequently uncovering a complex infrastructure supporting multiple attack vectors across numerous compromised websites.
The discovery led to comprehensive analysis of over 20 malware samples, revealing shared codebases with varying feature sets that demonstrate the framework’s modular nature and adaptability to different target environments.
Perhaps most alarming is the campaign’s innovation in packaging malware as a rogue WordPress plugin, complete with backend server functionality that converts compromised websites into custom interfaces for attackers.
This approach represents a departure from traditional skimming operations by establishing persistent infrastructure directly on victim websites, effectively creating distributed command and control capabilities while maintaining the appearance of legitimate plugin functionality.
Advanced Anti-Analysis and Evasion Techniques
The malware’s most sophisticated aspect lies in its comprehensive suite of anti-analysis techniques designed to thwart security researchers and automated detection systems.
The primary evasion mechanism is continuous monitoring for browser developer tools through window dimension analysis, implemented with the following detection logic:
setInterval(function () {
    // A docked DevTools pane shrinks the viewport but not the window frame,
    // so a large outer/inner gap in one dimension suggests the pane is open.
    var _0xff65e4 = window.outerWidth - window.innerWidth > 160;   // gap on the right
    var _0x24fb7b = window.outerHeight - window.innerHeight > 160; // gap at the bottom
    var _0x32180e = _0xff65e4 ? "vertical" : "horizontal";
    // Ignore the case where both gaps are large (not a docked pane), then fire
    // if Firebug is initialised or either single gap exceeds the threshold.
    if ( !(_0x24fb7b && _0xff65e4) &&
        (window.Firebug && window.Firebug.chrome
        && window.Firebug.chrome.isInitialized || _0xff65e4 || _0x24fb7b)) {
        window.dispatchEvent(new CustomEvent("devtoolschange", {detail: {open: true, orientation: _0x32180e}}));
    }
}, 500); // re-checked every 500 ms
This check compares the outer and inner window dimensions every 500 ms; a docked developer tools pane shrinks the viewport without changing the window frame, so a large gap in one dimension is taken as a sign that the tools are open, and the skimmer then alters its behaviour to frustrate console-based analysis.
The malware additionally plants debugger traps and infinite loops that crash the tab or freeze the debugger when an analyst steps through the code.
The most advanced variants rebind the console, overriding its standard methods at runtime so that ordinary JavaScript debugging output is silently swallowed, a level of sophistication rarely seen in commodity malware targeting e-commerce platforms.
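The following is an added example, not code from the skimmer or from the Wordfence report. It re-implements the dimension heuristic above as a pure function so it can be run offline in Node against constructed window geometries, and models the console rebinding the article describes together with the way an analyst neutralises it by saving the real console methods before the page script runs. All function names (detectDevTools, rebindConsole, snapshotConsole, restoreConsole, makeConsole) and the window geometries are this example's own assumptions, not values observed on a compromised site.

```javascript
// Added example: model of the skimmer's anti-analysis tricks, runnable in Node.
// Nothing here is taken from a real sample; names and numbers are constructed.

const THRESHOLD = 160; // px, the same threshold the skimmer uses

// Pure form of the setInterval body above: takes a window-like object and
// returns the event detail the skimmer would dispatch, or null.
function detectDevTools(win, threshold = THRESHOLD) {
  const widthGap = win.outerWidth - win.innerWidth > threshold;
  const heightGap = win.outerHeight - win.innerHeight > threshold;
  const orientation = widthGap ? "vertical" : "horizontal";
  const firebug = Boolean(
    win.Firebug && win.Firebug.chrome && win.Firebug.chrome.isInitialized
  );
  // Both gaps large at once is ignored (browser zoom shrinks inner width and
  // height together); a single large gap is read as a docked DevTools pane.
  if (!(heightGap && widthGap) && (firebug || widthGap || heightGap)) {
    return { open: true, orientation };
  }
  return null;
}

// Constructed window geometries (not measured from any real browser).
const cases = {
  normal:       { outerWidth: 1440, innerWidth: 1440, outerHeight: 900, innerHeight: 820 },
  dockedBottom: { outerWidth: 1440, innerWidth: 1440, outerHeight: 900, innerHeight: 500 },
  dockedRight:  { outerWidth: 1440, innerWidth: 1000, outerHeight: 900, innerHeight: 820 },
  // DevTools undocked into its own window: the page's frame is untouched,
  // so the heuristic sees nothing. This is the analyst's simplest bypass.
  undocked:     { outerWidth: 1440, innerWidth: 1440, outerHeight: 900, innerHeight: 820 },
  // Both gaps large (e.g. 200% zoom): deliberately treated as "not DevTools".
  bothGaps:     { outerWidth: 1440, innerWidth: 1000, outerHeight: 900, innerHeight: 500 },
};

// --- Console rebinding ----------------------------------------------------

// A stand-in console whose output lands in `sink`, so the effect of rebinding
// can be observed without touching Node's real console.
function makeConsole(sink) {
  const con = {};
  for (const m of ["log", "warn", "error", "debug", "table"]) {
    con[m] = (...args) => sink.push([m, ...args]);
  }
  return con;
}

// What the skimmer does: replace the standard methods with no-ops so an
// analyst's console.log calls (and the page's own) vanish.
function rebindConsole(con, methods = ["log", "warn", "error", "debug", "table"]) {
  for (const m of methods) con[m] = function () {};
  return con;
}

// Analyst side: capture the genuine function references before any page
// script runs (a DevTools snippet or a user script at document-start will do).
function snapshotConsole(con) {
  const saved = {};
  for (const k of Object.getOwnPropertyNames(con)) {
    if (typeof con[k] === "function") saved[k] = con[k];
  }
  return saved;
}

// ...and put them back after the skimmer has rebound them.
function restoreConsole(con, saved) {
  for (const [k, fn] of Object.entries(saved)) con[k] = fn;
  return con;
}

// Runs every geometry through the heuristic; returns a name -> result map.
function runAll() {
  const out = {};
  for (const [name, win] of Object.entries(cases)) out[name] = detectDevTools(win);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runAll());
  const sink = [];
  const con = makeConsole(sink);
  const saved = snapshotConsole(con);
  rebindConsole(con);
  con.log("swallowed by the skimmer");
  restoreConsole(con, saved);
  con.log("visible again");
  console.log(sink); // only the second message was recorded
}
```

Two practical consequences follow from the model: undocking DevTools into a separate window leaves the outer/inner dimensions equal, so the geometry check never fires, and any `debugger` trap the skimmer plants can be made inert with the "Deactivate breakpoints" toggle (Ctrl+F8 / Cmd+F8 in Chromium DevTools) before stepping into the script.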