A New Breed of WordPress Malware: Sophisticated Skimmers, Credential Thieves & Ad Hijackers

Behind the Scenes of the Most Advanced WordPress Malware Yet

Cybersecurity researchers have uncovered a stealthy and highly adaptive malware campaign targeting WordPress websites — and it’s unlike anything seen before. Detected on May 16, 2025, by the Wordfence Threat Intelligence Team, this malicious operation involves a rogue plugin disguised as “WordPress Core.” The plugin blends seamlessly into the WordPress environment, allowing attackers to steal credit card information, user credentials, and even hijack ad networks, all while staying under the radar.

Unlike traditional malware, this campaign runs a live backend infrastructure hosted on the infected sites themselves, bypassing many conventional security controls. Its adaptive, modular design lets attackers tailor its function to different goals, from payment-data theft to credential harvesting, with features that make it especially hard to detect. The malware is engineered to activate only under specific conditions, such as during eCommerce checkout, and even skips users who have already been affected.

A Highly Evasive and Modular Malware Framework

The malicious campaign, which dates back to at least September 2023, has evolved into a sophisticated threat ecosystem. Wordfence analyzed more than 20 malware samples, all of which shared clever evasion techniques, including obfuscated code, anti-analysis defenses, developer tool detection, and targeted execution logic. One of the campaign’s standout tactics is that it activates only on checkout pages, steering clear of admin dashboards and minimizing the risk of detection.

Some of the malware versions went as far as deploying fake HTML overlays, spoofing payment pages, and inserting human verification challenges to imitate Cloudflare protection — all to increase their credibility and trick unsuspecting users. Stolen data is cleverly hidden using Base64-encoded strings disguised as image URLs, then exfiltrated in real time, in some cases via Telegram bots.

Researchers discovered that the malware operates as a modular framework. While the core engine remains consistent, attackers deploy different variants to serve different objectives. These include hijacking mobile Google Ads to show fraudulent content, stealing WordPress login credentials, and redirecting users through malicious links that deliver additional malware.

The rogue plugin at the center of the campaign, named “WordPress Core,” is designed to look legitimate. It injects JavaScript-based skimmers and PHP data exfiltration scripts into WordPress sites. Cleverly, it exploits WooCommerce order hooks to manipulate transactions, marking fraudulent orders as completed to delay detection. Additionally, it stores stolen data as custom post types within the WordPress backend under “messages,” allowing attackers to manage stolen information without alerting site admins.

Known Indicators of Compromise (IoCs) include suspicious domains such as:

`api-service-188910982.website`

`graphiccloudcontent.com`

`api.telegram.org/bot[…]chat_id=-4672047987`

These domains facilitate backend communication and data exfiltration from infected websites.

What Undercode Says:

The Rise of Weaponized WordPress Plugins

What makes this campaign stand out isn’t just its technical complexity but its strategic design. It’s a blueprint for future web-based malware. By disguising itself as a plugin and embedding functionality that mimics WordPress core features, the malware exploits the inherent trust website owners place in official plugins. This isn’t just hacking — it’s social engineering at a software level.

Exploiting the Ecommerce Goldmine

Targeting checkout screens rather than site-wide pages shows a shift toward precision-targeted exploitation. The goal is clear: capture payment data at the most vulnerable and profitable moment. This tactic minimizes exposure and maximizes value. It’s surgical and far more effective than brute-force attacks or widespread injection techniques.

Obfuscation as a Survival Strategy

The use of Base64 encoding for data transfer, fake HTML overlays, and Telegram exfiltration indicates an advanced understanding of how to stay invisible to both human administrators and automated security tools. These aren’t the fingerprints of amateurs. This is a campaign likely driven by experienced threat actors, possibly linked to organized cybercrime groups.

Modular Malware: The New Norm?

The modular nature of the malware means attackers can deploy new capabilities as needed. This mirrors trends seen in high-end ransomware operations, where core code remains the same, but “plugins” for encryption, exfiltration, or escalation are added on demand. By using Telegram and other channels for C2 (command and control), attackers are no longer relying on static infrastructure, making takedown efforts more difficult.

From Payment Theft to Ad Fraud

Not stopping at skimming, one variant of this malware redirects mobile users to fraudulent Google Ads — monetizing web traffic through deceptive ad placements. This dual-layer attack vector opens revenue streams while gathering sensitive user data. The fact that WordPress credentials are also being harvested suggests attackers aim for long-term access and network persistence, potentially scaling operations or selling access on the dark web.

WordPress’ Weak Spot: Trust

This campaign highlights a chronic problem in the WordPress ecosystem — over-reliance on plugins with poor vetting. Even sophisticated users may miss a cleverly disguised plugin, especially one that mimics official naming conventions like “WordPress Core.” Once installed, these plugins become sleeper agents within the site, waiting to strike under precise conditions.

Forensic Challenges for Defenders

Because the malware operates under highly specific triggers, appearing only during checkouts and using transient data exfiltration, many detection systems may not catch it in traditional scans. Storing stolen data as custom post types inside WordPress itself, that is, in the database rather than on disk, makes traditional file integrity monitoring nearly useless against it.
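As an added defender-side example (not code from Wordfence, the report, or the malware itself), the Python script below turns the indicators described in the plugin analysis and in this section into a plugin-source scanner and a post-type audit: it looks for the rogue “WordPress Core” plugin header, Telegram bot API references, the two listed domains and WooCommerce order hooks, decodes Base64 runs hidden in image-style URLs, and flags post types such as “messages” that a stock install never creates. The sample plugin text, the post-type counts, the exact image-URL layout and the post-type allowlist are constructed assumptions.

```python
import base64
import re

# Indicators from the report: rogue plugin header, Telegram bot API endpoint,
# the two listed domains and the "messages" custom post type.
IOC_DOMAINS = ("api-service-188910982.website", "graphiccloudcontent.com")
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot[\w:-]+")
PLUGIN_NAME_RE = re.compile(r"Plugin Name:\s*WordPress Core\b", re.IGNORECASE)
# WooCommerce order hooks are legitimate: they add weight only beside another hit.
WC_HOOK_RE = re.compile(r"add_action\(\s*['\"]woocommerce_(?:order_status_\w+|checkout_order_processed)")
# Assumed layout of the Base64-as-image-URL trick (the report gives none): Base64 run as file name.
B64_IMAGE_RE = re.compile(r"https?://\S+/([A-Za-z0-9+/]{16,}={0,2})\.(?:png|jpe?g|gif)")
# Assumed allowlist (stock WordPress plus WooCommerce); extend it for each site.
KNOWN_POST_TYPES = {"post", "page", "attachment", "revision", "nav_menu_item", "product", "shop_order"}

def decode_fake_image_payload(b64: str):
    try:  # a genuine image name never decodes to readable text
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_plugin_source(text: str) -> dict:
    """Collect the report's indicators present in one plugin file's source."""
    payloads = [p for p in map(decode_fake_image_payload, B64_IMAGE_RE.findall(text)) if p]
    return {
        "rogue_plugin_header": bool(PLUGIN_NAME_RE.search(text)),
        "telegram_bot_api": TELEGRAM_BOT_RE.findall(text),
        "ioc_domains": [d for d in IOC_DOMAINS if d in text],
        "wc_order_hooks": WC_HOOK_RE.findall(text),
        "decoded_fake_image_payloads": payloads,
    }

def risk_score(f: dict) -> int:
    """Hard IoCs score high; the order hook counts only alongside another hit."""
    score = (3 * f["rogue_plugin_header"] + 3 * len(f["telegram_bot_api"])
             + 3 * len(f["ioc_domains"]) + 2 * len(f["decoded_fake_image_payloads"]))
    return score + (1 if score and f["wc_order_hooks"] else 0)

def unexpected_post_types(rows, allowlist=KNOWN_POST_TYPES) -> dict:
    """rows: (post_type, count) pairs from SELECT post_type, COUNT(*) FROM wp_posts GROUP BY post_type."""
    return {pt: n for pt, n in rows if pt not in allowlist}

# Constructed sample plugin source and post-type counts (not real samples).
SAMPLE_PLUGIN = """<?php
/* Plugin Name: WordPress Core */
add_action('woocommerce_order_status_pending', 'wpc_mark_done');
$tg = 'https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage?chat_id=-0';
$img = 'https://graphiccloudcontent.com/img/eyJjYXJkIjoiNDExMSJ9.png';
"""
SAMPLE_POST_TYPE_ROWS = [("post", 120), ("page", 9), ("product", 40), ("messages", 57)]
```

Run `scan_plugin_source` over every file under `wp-content/plugins/` and feed the post-type query result to `unexpected_post_types`; a non-zero score or an unexplained post type is the cue for a manual review, not a verdict on its own.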

What’s Next: AI-Assisted Malware?

Given the campaign’s advanced behavior, it wouldn’t be surprising if future variants incorporate AI-driven decision-making. Imagine malware that adjusts its payload based on user behavior in real time, or that detects honeypots and research environments and deactivates automatically. That level of sophistication is on the horizon, and this campaign is a warning signal.

🔍 Fact Checker Results:

✅ Confirmed discovery date: May 16, 2025, by Wordfence
✅ Verified obfuscation techniques: Custom HTML overlays, Base64 strings, and Telegram bots
✅ Malware impersonates plugin: Fake “WordPress Core” plugin confirmed in analysis

📊 Prediction:

🔮 Expect more advanced WordPress malware using plugin-based disguises, targeting high-value eCommerce checkout flows and login pages. AI-assisted adaptive payloads will likely become a core tactic in the next wave of web-based cyberattacks. Attackers will increasingly embed malware within trusted frameworks, exploiting user complacency with plugin installation. 🔐💳💥

References:

Reported By: www.infosecurity-magazine.com