Stripe Turned Against Itself: New Magecart Campaign Hides Credit Card Theft Inside Trusted Payment Infrastructure + Video

Introduction: When Trusted Platforms Become the Perfect Disguise

Cybercriminals have always relied on deception, but the latest Magecart campaign reveals a disturbing evolution in online payment fraud. Instead of hosting malicious code on suspicious domains that security systems can easily detect, attackers are now exploiting some of the internet’s most trusted services to hide in plain sight.

Researchers have uncovered a sophisticated operation that weaponizes both Google Tag Manager and Stripe, two services used by millions of legitimate businesses worldwide. By leveraging infrastructure that online stores already trust and allow through security controls, attackers have created a highly effective method for stealing payment card information without triggering traditional alarms.

The discovery highlights a growing cybersecurity challenge: when malicious activity originates from domains that organizations are expected to trust, conventional defenses become significantly less effective. This campaign demonstrates how cybercriminals continue to adapt faster than many security programs, transforming legitimate cloud services into invisible attack platforms.

Executive Summary: A New Generation of Stealthy Magecart Attacks

Security researchers at Sansec have identified a previously unknown Magecart malware family that uses Google Tag Manager (GTM) and Stripe’s API infrastructure to deliver malicious code and exfiltrate stolen payment card data.

Unlike traditional Magecart attacks that communicate with attacker-controlled domains, this operation relies entirely on trusted services such as googletagmanager.com and api.stripe.com. Because these domains are routinely whitelisted by online stores and security systems, the malware bypasses Content Security Policies (CSPs), network filtering mechanisms, and many security monitoring tools.

The malware specifically targets Magento and Adobe Commerce checkout pages, harvesting sensitive payment information including credit card numbers, expiration dates, CVV codes, customer names, billing addresses, email addresses, and phone numbers.

Perhaps most alarming is the

Researchers believe the campaign may have been active since at least December 24, 2025.

How the Attack Begins: Malicious Code Hidden Inside Google Tag Manager

The attack starts with a seemingly legitimate Google Tag Manager container.

Google Tag Manager is widely used by website owners to manage analytics, advertising tags, tracking scripts, and marketing integrations without directly editing website source code. Because GTM is considered a trusted business tool, its scripts are commonly granted extensive permissions.

Attackers embed malicious instructions inside GTM containers that activate specifically when visitors reach checkout pages. This selective execution reduces the chances of detection while maximizing access to valuable payment information.

Once activated, the malicious script initiates communication with Stripe’s API infrastructure, not with an obviously suspicious domain. This subtle distinction is what makes the campaign particularly dangerous.

Stripe as a Malware Delivery Platform

One of the most innovative aspects of the campaign is the abuse of Stripe customer records as malware repositories.

The GTM-delivered script contacts

Rather than containing legitimate customer information, metadata fields inside the customer record store fragmented JavaScript code. The malware reconstructs these fragments into executable code and launches them through JavaScript’s new Function() capability.

This approach transforms

Traditional defenses typically focus on identifying suspicious domains or malicious downloads. In this scenario, however, the payload originates from Stripe’s own systems, making detection far more difficult.

The Checkout Page Ambush

After loading successfully, the skimmer waits for users to enter payment information.

The malware specifically targets Magento and Adobe Commerce checkout environments, monitoring fields associated with:

Captured Payment Data

Credit card numbers

Card expiration dates

CVV security codes

Cardholder names

Captured Personal Information

Billing addresses

Email addresses

Phone numbers

This combination gives attackers everything necessary for payment fraud, identity theft, account takeovers, and underground marketplace sales.

Because the malware operates directly within the browser session, victims often complete purchases successfully while remaining completely unaware that their information has already been compromised.

A Clever Data Exfiltration Strategy

Most skimmers immediately transmit stolen information to attacker-controlled servers. This malware behaves differently.

Instead, collected information is combined into a single data structure and obfuscated using XOR encoding techniques. The encoded data is then stored locally within the browser environment.

This temporary local storage minimizes suspicious outbound network traffic and reduces opportunities for detection.

A separate background process activates after page loads and continues running every minute. During each cycle, the malware retrieves the stored data, splits it into segments, and uploads it into newly created Stripe customer records.

Each compromised payment card effectively becomes its own fake customer account within the attacker’s Stripe environment.

Once uploaded successfully, local traces are erased to prevent duplicate submissions and reduce forensic evidence.

The Firestore Variant Expands the Threat

Researchers also uncovered a second version of the operation that replaces Stripe with Google’s Firestore cloud database service.

In this variation, the malicious payload is retrieved from a Firestore document named tracking/captcha located inside a project called braintree-payment-app.

The naming convention is deliberate.

Terms such as “tracking,” “captcha,” and “braintree” are commonly associated with legitimate e-commerce functionality. Security analysts examining traffic may initially dismiss these references as normal payment-processing activity.

Stolen information in this variant is stored under a different browser key named d_data_customer before being transferred to attacker-controlled cloud resources.

This demonstrates that the underlying attack methodology is highly adaptable and not dependent on any single cloud provider.

Why Traditional Security Controls Struggle

The success of this campaign highlights a major weakness in many web security architectures.

Organizations often trust domains rather than verifying intent.

When traffic originates from well-known providers such as Stripe or Google, it is frequently allowed without extensive scrutiny. Attackers understand this trust relationship and increasingly abuse cloud platforms as shields.

Security tools designed to block communication with unknown domains become ineffective when malicious activity occurs entirely within approved services.

As cloud adoption grows, defenders must shift from trust-based security models toward behavior-based monitoring and validation.

Deep Analysis: Technical Breakdown for Security Teams

Initial Detection Commands

grep -R "googletagmanager" /var/www/html/
grep -R "new Function" /var/www/html/
grep -R "api.stripe.com" /var/www/html/

Investigating Suspicious JavaScript

find /var/www/html -name "*.js" -print0 | xargs -0 grep -n "localStorage"
# obfuscation code rarely spells out "XOR"; also look for the ^ operator applied to charCodeAt()
find /var/www/html -name "*.js" -print0 | xargs -0 grep -n -E 'XOR|charCodeAt\([^)]*\) *\^'

Monitoring Outbound Connections

netstat -antp
ss -tunap

Web Server Log Analysis

grep -i "stripe" access.log
grep -i "googletagmanager" access.log

Magento Security Review

bin/magento module:status

bin/magento cache:flush

bin/magento setup:upgrade

File Integrity Monitoring

# hash every script and diff the list against a known-good baseline
find . -name "*.js" -exec sha256sum {} + > js-hashes.txt
find . -type f -mtime -7

Threat Hunting Indicators

# Stripe customer IDs carry the cus_ prefix; the skimmer creates one record per stolen card
grep -R "cus_" .

# browser storage key used by the Firestore variant
grep -R "d_data_customer" .

These commands can assist defenders in identifying suspicious modifications, malicious JavaScript injections, and unauthorized communication patterns commonly associated with Magecart operations.
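The one-off greps above each match plenty of legitimate code; what identifies this skimmer is the combination of behaviours described in the exfiltration section (new Function(), Stripe customer API calls, XOR encoding, localStorage staging, a one-minute timer, the d_data_customer key, the braintree-payment-app and tracking/captcha Firestore names). The following Python scanner is an added example, not code from Sansec or the original article, that scores each JavaScript file on that co-occurrence. The /v1/customers path is Stripe's standard customer endpoint rather than something the article states, the weights and threshold are assumptions, and both embedded samples are constructed.

```python
import re
from pathlib import Path

# Weighted indicators from the campaign description; each alone is common in
# legitimate code, so files are scored on co-occurrence (weights are assumptions).
INDICATORS = {
    "dynamic_eval":     (re.compile(r"new\s+Function\s*\("), 3),
    "stripe_customers": (re.compile(r"api\.stripe\.com/v1/customers"), 3),
    "stripe_cus_id":    (re.compile(r"\bcus_[A-Za-z0-9]{8,}"), 1),
    "firestore_names":  (re.compile(r"braintree-payment-app|tracking/captcha"), 3),
    "staging_key":      (re.compile(r"d_data_customer"), 3),
    "local_staging":    (re.compile(r"localStorage\.(set|get|remove)Item"), 1),
    "xor_encode":       (re.compile(r"charCodeAt\([^)]*\)\s*\^"), 2),
    "minute_timer":     (re.compile(r"setInterval\s*\([^)]*,\s*60000\s*\)"), 2),
}
THRESHOLD = 6  # assumption: tune against your own codebase's false positives

def score_source(text: str) -> dict:
    # Returns the matched indicator names and their summed weight.
    hits = {n: w for n, (rx, w) in INDICATORS.items() if rx.search(text)}
    return {"hits": sorted(hits), "score": sum(hits.values())}

def scan_tree(root: str, threshold: int = THRESHOLD) -> list:
    # Walks a webroot; returns (path, result) for every .js file at/over threshold.
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        result = score_source(path.read_text(encoding="utf-8", errors="ignore"))
        if result["score"] >= threshold:
            findings.append((str(path), result))
    return findings

# Constructed samples (not real site code): ordinary Stripe.js checkout wiring,
# and a textual stand-in that only contains the described behaviour patterns.
BENIGN_JS = """
const stripe = Stripe(publishableKey);
localStorage.setItem("cart_id", cartId);
"""
SUSPECT_JS = """
var run = new Function(parts.join(""));
fetch("https://api.stripe.com/v1/customers", {method: "POST"});
var enc = s.split("").map((c, i) => c.charCodeAt(0) ^ k.charCodeAt(i % 4));
localStorage.setItem("d_data_customer", blob);
setInterval(drain, 60000);
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("suspect", SUSPECT_JS)):
        print(label, score_source(sample))
    for path, result in scan_tree("/var/www/html"):  # adjust to your webroot
        print(path, result["score"], ", ".join(result["hits"]))
```

Anything scoring at or above the threshold deserves a manual read, and a file that legitimately needs several of these behaviours should be recorded as a baseline exception rather than lowering the threshold.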

What Undercode Says:

The most fascinating aspect of this campaign is not the malware itself but the strategic misuse of trust.

For years, cybersecurity teams have been trained to identify suspicious domains.

Attackers have now realized they no longer need suspicious infrastructure.

Why create malicious servers when trusted cloud providers can unknowingly perform the same role?

This campaign demonstrates a major evolution in web skimming operations.

The attackers understood how security teams think.

They recognized that Stripe traffic appears normal.

They knew Google Tag Manager is everywhere.

They understood that blocking either service would break legitimate business functions.

The operation effectively weaponizes convenience.

Organizations adopted third-party platforms to simplify operations.

Attackers are now exploiting those same conveniences.

This trend will likely accelerate.

Cloud services offer reliability, scalability, and legitimacy.

For cybercriminals, these qualities are equally valuable.

The abuse of metadata fields is particularly clever.

Metadata often receives far less inspection than executable content.

Security teams rarely expect customer records to contain reconstructed malware.

The attack also demonstrates operational maturity.

Separating payload delivery from data exfiltration increases resilience.

Using local storage reduces network visibility.

Periodic uploads avoid generating obvious spikes in traffic.

The Firestore variant reveals flexibility.

If one platform increases monitoring, attackers can simply migrate elsewhere.

This is no longer a single campaign.

It is a blueprint.

Future operations may leverage AWS services.

Others may exploit Azure storage.

Some may hide inside SaaS collaboration platforms.

The real lesson is simple.

Trust should never be unconditional.

Security models based solely on domain reputation are becoming obsolete.

Behavioral analysis must become the new standard.

Every request should be evaluated by purpose, not merely destination.

Organizations that continue relying on domain whitelists as primary protection will remain vulnerable.

Magecart groups are no longer hiding in dark corners of the internet.

They are hiding inside the services businesses use every day.

That shift fundamentally changes the defensive landscape.

✅ Researchers from Sansec reported a Magecart campaign that abuses both Google Tag Manager and Stripe infrastructure to distribute malicious code and store stolen payment data.

✅ The malware specifically targets Magento and Adobe Commerce checkout systems and captures payment card information alongside customer personal details.

✅ Evidence indicates the campaign stores stolen data inside attacker-controlled Stripe customer records, representing a documented abuse of legitimate cloud infrastructure rather than traditional command-and-control servers.

Prediction

(+1) Cloud service providers will introduce stronger behavioral monitoring for metadata abuse, making it harder for attackers to store malicious payloads within trusted platforms. 🔒📈

(+1) E-commerce platforms will increasingly deploy browser-side threat detection capable of identifying malicious script behavior even when it originates from trusted domains. 🛡️💻

(-1) Cybercriminal groups are likely to expand this technique beyond Stripe and Firestore, experimenting with other major cloud ecosystems to evade detection and maintain persistence. ⚠️🌐

(-1) Organizations that continue relying heavily on domain-based trust models may experience a surge in stealthy compromises that bypass traditional web security controls. 📉🚨

References:

Reported By: www.bleepingcomputer.com