Malware Campaign Exploits Unauthorized WordPress Plugin to Steal Credit Card Information
A recently identified malware campaign exhibits advanced capabilities including credit card skimming, credential theft, and user profiling. This threat has been analyzed by cybersecurity experts from the Wordfence Threat Intelligence Team, who discovered the malware packaged as a rogue WordPress plugin on May 16, 2025. The malware utilizes innovative anti-detection techniques, including a live backend system hosted on compromised websites, marking a significant evolution in WordPress-focused attacks.
This operation appears to have been active since at least September 2023, with Wordfence analyzing over 20 malware samples. They found consistent features across all variants, such as obfuscation, anti-analysis techniques, and targeted execution strategies. For instance, the malware is designed to avoid running on admin pages and activates specifically during checkout processes, even checking for prior infections to prevent retargeting the same users. The latest variants included custom HTML overlays, fraudulent payment forms, and human verification challenges designed to mimic Cloudflare pages. Stolen data was often exfiltrated through Base64-encoded strings disguised as image URLs.
The malware family operates under a modular framework, not limited to skimming credit card information. Researchers uncovered three distinct variants serving different objectives. One variant manipulates Google Ads to serve fraudulent ads to mobile users, while another steals WordPress credentials. A third variant facilitates the distribution of additional malware through link replacement. Notably, some versions utilized Telegram for real-time data exfiltration and user activity tracking.
Among the significant findings was a deceptive WordPress plugin titled “WordPress Core.” Despite its seemingly legitimate appearance, this plugin contained JavaScript skimmers and PHP scripts that allowed attackers to manage stolen data directly from the compromised WordPress installation. The plugin utilized WooCommerce hooks to falsely mark fraudulent orders as completed, thereby delaying detection. Additionally, its backend infrastructure featured a custom post type called “messages” to store stolen payment information within WordPress.
Indicators of compromise (IoCs) related to this campaign include domain names such as api-service-188910982.website and graphiccloudcontent.com, as well as API endpoints like api.telegram.org/bot[…]chat_id=-4672047987. Organizations are urged to remain vigilant and implement security measures to guard against such sophisticated phishing techniques and malware infections.
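The behaviours described above (a "messages" custom post type used as storage, WooCommerce orders forced to "completed", Telegram bot calls, the two published domains, and Base64 payloads dressed up as image URLs) can be turned into simple defender-side checks. The Python scanner below is an added example, not code from the article or from Wordfence; the rule names, regular expressions, the constructed plugin samples, the `eval(base64_decode(...))` obfuscation rule and the example plugin path are assumptions, not published signatures.

```python
"""Heuristic scanner for the indicators the article attributes to this
campaign.  Added example for defenders; it is not Wordfence's code or
signatures, and every rule below is an assumption drawn from the article's
description."""
import base64
import binascii
import re
from pathlib import Path

# Domains quoted in the article as indicators of compromise.
IOC_DOMAINS = ("api-service-188910982.website", "graphiccloudcontent.com")

# (rule name, pattern).  Order is preserved in the report.
RULES = [
    ("custom_post_type_messages",      # backend storage in a 'messages' post type
     re.compile(r"register_post_type\(\s*['\"]messages['\"]", re.I)),
    ("woocommerce_force_completed",    # fraudulent orders marked completed
     re.compile(r"update_status\(\s*['\"](wc-)?completed['\"]", re.I)),
    ("telegram_bot_api",               # real-time exfiltration via Telegram
     re.compile(r"api\.telegram\.org/bot", re.I)),
    ("ioc_domain",                     # published C2 domains
     re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.I)),
    ("eval_base64_obfuscation",        # common PHP obfuscation idiom (assumed)
     re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
]

IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|webp|svg)(\?|$)", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+_-]{40,}")   # standard or url-safe alphabet


def scan_source(text: str) -> list[str]:
    """Names of rules that match inside one PHP file's source text."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_plugin_dir(root: Path) -> dict[str, list[str]]:
    """Map each .php file under `root` that triggers a rule to its hits."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


def is_disguised_image_url(url: str) -> bool:
    """True when a URL ends like an image but carries a long Base64 blob in
    a path or query component, the exfiltration trick the article describes.
    Heuristic: long hyphenated slugs can also decode, so treat a hit as
    something to inspect rather than as proof of theft."""
    if not IMAGE_EXT.search(url):
        return False
    for component in re.split(r"[/?&=]", url):
        m = B64_TOKEN.search(component)
        if not m:
            continue
        tok = m.group().replace("-", "+").replace("_", "/")
        tok += "=" * (-len(tok) % 4)          # restore any stripped padding
        try:
            base64.b64decode(tok, validate=True)
            return True
        except binascii.Error:
            continue
    return False


# Constructed samples (not real plugin code): one benign, one mirroring the
# article's description of the "WordPress Core" plugin.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Example Gallery (constructed, benign) */
register_post_type('gallery_item', ['public' => true]);
add_action('woocommerce_thankyou', function ($order_id) {
    error_log('order ' . $order_id . ' received');
});
"""

SUSPICIOUS_PLUGIN = """<?php
/* Plugin Name: WordPress Core (constructed sample, not the real malware) */
register_post_type('messages', ['public' => false]);
add_action('woocommerce_thankyou', function ($order_id) {
    $order = wc_get_order($order_id);
    $order->update_status('completed');
});
$endpoint = 'https://api-service-188910982.website/collect';
$bot = 'https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage';
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PLUGIN), ("suspicious", SUSPICIOUS_PLUGIN)):
        print(f"{label}: {scan_source(src) or 'no hits'}")
    # Against a real install (path is an assumption):
    # print(scan_plugin_dir(Path("/var/www/html/wp-content/plugins")))
```

Run stand-alone it reports no hits for the benign sample and four rule names for the constructed "WordPress Core" sample. The rules are deliberately narrow string matches, so a plugin that registers a legitimately named "messages" post type or completes orders on its own will also be flagged; the point is to surface files for a human to read, and to pair the scan with file-integrity checks on the plugins directory rather than to replace them.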