Rogue WordPress Plugin Campaign Targets Online Stores with Skimming and Credential Theft

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting WordPress websites through a fake plugin designed to skim credit cards, steal credentials, and monitor user behavior. The attack, discovered by the Wordfence Threat Intelligence Team, has been active since at least September 2023 and demonstrates an evolving level of technical complexity.

A New Approach to WordPress Malware

The malicious code was hidden inside a rogue WordPress plugin disguised to appear legitimate, including a version falsely named “WordPress Core.” Unlike previous malware campaigns, this one featured a live backend system hosted directly on infected websites — a tactic not previously observed in WordPress-targeted attacks.

The plugin used JavaScript skimmers and PHP scripts to exfiltrate sensitive data in real time. It also tapped into WooCommerce hooks to mark fraudulent orders as “complete,” reducing the likelihood of detection.

Modular Malware with Multiple Functions

Analysis of over 20 malware samples revealed a modular architecture, allowing attackers to adapt the same framework for different purposes. Researchers identified at least three functional variants:

  • One variant served fake Google Ads to mobile users.
  • Another focused on harvesting WordPress admin credentials.
  • A third used link injection to spread additional malware.

Each version shared common evasion tactics like code obfuscation, anti-analysis tools, and developer tool detection — with the malware only activating on specific pages such as checkout or login screens.

Sophisticated Skimming and Data Theft

The campaign employed custom HTML overlays and fake payment forms, often styled to mimic legitimate services like Cloudflare’s verification pages. Some samples also included localized human verification challenges to appear more convincing to victims.

To bypass detection, stolen data was encoded using Base64 and hidden in fake image URLs. In more advanced versions, attackers used Telegram bots to send real-time updates about victim activity and data capture.

Persistent Infrastructure and Indicators of Compromise

One key characteristic of this malware is its integration within the WordPress environment itself. It created a custom post type called "messages" to store stolen payment data in the backend of the infected website.

Indicators of compromise (IoCs) tied to the campaign include:

  • api-service-188910982.website
  • graphiccloudcontent.com
  • API calls to Telegram bots such as: api.telegram.org/bot[…]chat_id=-4672047987
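A defender-side check for the indicators listed above, added here as an example and not part of the original report or of Wordfence's tooling: it scans plugin source files for the two IoC domains, the Telegram bot API endpoint, registration of the "messages" post type, and a plugin header claiming to be "WordPress Core". The regex patterns and the sample plugin text are constructed for this example, not taken from a real malware sample.

```python
import re
from pathlib import Path

# Indicators quoted in the article above. The regexes are written for this
# example and are not the original report's detection rules.
INDICATORS = {
    "ioc-domain": re.compile(
        r"api-service-188910982\.website|graphiccloudcontent\.com"),
    "telegram-bot-api": re.compile(r"api\.telegram\.org/bot"),
    "messages-post-type": re.compile(
        r"register_post_type\(\s*['\"]messages['\"]"),
    "fake-core-plugin-header": re.compile(r"Plugin Name:\s*WordPress Core\b"),
}


def scan_text(text, origin="<string>"):
    """Return (origin, line_number, indicator_name) for every line that matches."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((origin, line_no, name))
    return hits


def scan_plugin_dir(root):
    """Scan every .php and .js file under a directory such as wp-content/plugins."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".php", ".js"):
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(text, str(path)))
    return hits


# Constructed sample mimicking the traits described in the article; not a real file.
SAMPLE_PLUGIN = """<?php
/*
Plugin Name: WordPress Core
*/
register_post_type('messages', array('public' => false));
$url = 'https://api.telegram.org/bot' . $token . '/sendMessage?chat_id=-4672047987';
$img = 'https://graphiccloudcontent.com/pixel.png?d=' . $encoded;
"""

if __name__ == "__main__":
    for origin, line_no, name in scan_text(SAMPLE_PLUGIN, "sample.php"):
        print(f"{origin}:{line_no}: {name}")
```

Run `scan_plugin_dir("/path/to/wp-content/plugins")` against a site and review every hit by hand; a match on the "messages" post type alone can be legitimate, while a hit on either IoC domain or the Telegram bot endpoint warrants treating the plugin as hostile.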

Protecting Your WordPress Environment

This campaign highlights the ongoing risks posed by third-party plugins and the importance of strict plugin validation, regular updates, and continuous monitoring for unusual backend activity.

At Nubetia, we help organizations implement proactive defenses, harden CMS environments, and detect stealthy threats like these before they cause real harm.

Source: https://www.infosecurity-magazine.com/news/rogue-wordpress-plugin-skim-credit/