A sophisticated malware campaign has been discovered that targets WordPress e-commerce sites, specifically those using the WooCommerce plugin to handle customer transactions.
The threat, identified in August 2025, employs advanced evasion capabilities combined with multi-tiered credit card harvesting mechanisms designed to bypass typical security detection methods. The malware operates as a rogue WordPress plugin featuring custom encryption protocols, fake image files that conceal malicious payloads, and a persistent backdoor infrastructure enabling attackers to deploy additional code instantly.
Installation of the malware requires administrator-level access, which is typically obtained through compromised login credentials or insecure plugins. Once activated, the malware minimizes detection risks by remaining hidden from the WordPress plugin directory while establishing tracking cookies and logging administrator information across the affected site.
Data Exfiltration and Evasion Techniques
The malware poses a significant risk to online merchants and their customers because it systematically captures and exfiltrates sensitive payment data.
The malware achieves resilience through multiple layers of redundancy. It intercepts WordPress user credentials during login by using the wp_authenticate_user filter and wp_login action hooks, and immediately exfiltrates this data to servers controlled by the attacker.
The malicious code is injected using fake PNG image files that contain reversed and encoded JavaScript. These files are deployed across three distinct stages: a custom payload updated through an AJAX backdoor, a dynamic payload that refreshes daily, and a fallback static copy. The JavaScript skimmer activates on WooCommerce checkout pages, using a three-second delay to avoid form conflicts. It then attaches event listeners to capture card numbers, expiry dates, and CVV values, which it immediately transmits back through AJAX POST requests.
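A defender's first check against the fake-image staging described above is to confirm that every file in the upload tree that claims to be a PNG actually is one, and to look for JavaScript in the file's raw, reversed and base64-decoded forms. The scanner below is an added example for this article, not code from the report or from any vendor; its sample files are constructed, and the "base64 then reversed" layering it decodes is an assumption about how such a payload could be encoded, since the article only says "reversed and encoded".

```python
"""Flag image files that are not real images and carry reversed/encoded JavaScript.

Added example, not code from the article or any vendor. Samples are constructed;
the base64-then-reverse layering is an assumption, not a detail from the report.
"""
import base64
import binascii
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Tokens a browser-side payload can hardly avoid; looked for in every decoded layer.
JS_TOKENS = [b"addEventListener", b"document", b"XMLHttpRequest", b"setTimeout", b"fetch("]


def decode_layers(data):
    """Return {layer_name: bytes} for raw, reversed, and base64-decoded variants."""
    layers = {"raw": data, "reversed": data[::-1]}
    for name in ("raw", "reversed"):
        try:
            layers[name + "+base64"] = base64.b64decode(layers[name])
        except (binascii.Error, ValueError):
            pass  # not valid base64 in this orientation; nothing to add
    return layers


def inspect_image(path):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    data = path.read_bytes()
    findings = []
    if not data.startswith(PNG_MAGIC):
        findings.append("missing PNG signature")
    for name, blob in decode_layers(data).items():
        tokens = sorted(t.decode() for t in JS_TOKENS if t in blob)
        if tokens:
            findings.append("javascript tokens in %s layer: %s" % (name, ", ".join(tokens)))
    return findings


def scan_images(root):
    """Scan every *.png under root and report only files that have findings."""
    report = {}
    for path in sorted(root.rglob("*.png")):
        findings = inspect_image(path)
        if findings:
            report[path.name] = findings
    return report


def build_samples(root):
    """Write three constructed files: a signature-only PNG and two fake images."""
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 32)
    payload = b"document.addEventListener('DOMContentLoaded', init);"  # constructed, inert
    (root / "icon.png").write_bytes(base64.b64encode(payload)[::-1])   # base64, then reversed
    (root / "spacer.png").write_bytes(payload[::-1])                    # plain reversal only


def demo():
    """Build the samples in a temporary directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_samples(root)
        return scan_images(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Point it at `wp-content/uploads` (or the whole `wp-content` tree) on a suspect site; a genuine image never trips the token check, while a file that fails the signature test and yields JavaScript in any decoded layer is worth pulling for analysis regardless of its extension.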
The PHP exfiltration component implements multiple fallback mechanisms to ensure data reaches the attackers across diverse server environments: native cURL, file_get_contents, a system shell cURL, and even email delivery.
Analysis connects the malware to Magecart Group 12, an attribution supported by the "SMILODON" identifier found in command-and-control server URLs and coding patterns that match the threat actor's previous activities. This campaign underscores the persistent threat to WordPress e-commerce platforms and the critical importance of maintaining updated security infrastructure and continuous monitoring systems.