Advanced Malware Campaign Targets WordPress Sites, Poses Major Risks to Users

On May 16, 2025, cybersecurity researchers from the Wordfence Threat Intelligence Team disclosed a sophisticated malware campaign aimed at WordPress websites. The malware, designed to steal sensitive information such as credit card details and user logins, employs never-before-seen anti-detection methods, making it a serious threat to online commerce.

This malware campaign has reportedly been active since September 2023, according to a detailed analysis presented in Wordfence's official blog post. The study examined over 20 samples of the malware, which shared common traits: code obfuscation, anti-analysis mechanisms, and the ability to detect open browser developer tools.

One of the more alarming tactics is the malware's ability to hide its activity by not running on administrator pages. Instead, it activates during the checkout process, injecting fake payment forms and imitating Cloudflare security checks. This deception is particularly concerning because it can convince unsuspecting shoppers to hand over their personal and payment information.

Researchers identified several variations of this malware, with each version targeting different objectives. For instance, one variant manipulated Google Ads to display fraudulent advertisements to mobile users, while another version was specifically crafted to steal WordPress login credentials. These variations highlight the malware’s adaptable nature, designed to maximize its reach and effectiveness in compromising security.

Among the other findings, a particularly nefarious component was a counterfeit WordPress plugin calling itself "WordPress Core". Although it masqueraded as a legitimate tool, it contained hidden JavaScript for skimming user data and PHP scripts that let the operators manage the stolen information directly from the compromised site. The plugin also abused WooCommerce features to mark fraudulent transactions as completed, delaying detection.

To help protect against this malware, website administrators are urged to watch for indicators of compromise, including the domains associated with the campaign, api-service-188910982.website and graphiccloudcontent.com. In response to the threat, Wordfence has rolled out detection signatures to its premium users, with free users receiving them after a 30-day delay.
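As an added example (not code from Wordfence or from the article), the following Python script shows how an administrator could run a quick, offline sweep of a WordPress install for the two indicators the article names: the IoC domains in the final paragraph and the counterfeit plugin that identifies itself as "WordPress Core" in its plugin header. The directory layout, file names and file contents in the constructed demo tree are assumptions made for the example; the only values taken from the article are the two domains and the plugin name.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators named in the Wordfence disclosure as reported above.
IOC_DOMAINS = ("api-service-188910982.website", "graphiccloudcontent.com")
# Display name used by the counterfeit plugin (compared case-insensitively).
SUSPICIOUS_PLUGIN_NAMES = ("wordpress core",)
# Text-bearing file types worth scanning; binary uploads are skipped.
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm", ".json"}


def plugin_header_name(text):
    """Return the 'Plugin Name:' value from a WordPress plugin header, or None.

    Matches the header inside both '/* ... */' and ' * ...' comment styles.
    """
    m = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def scan_file(path):
    """Return (kind, path, value) findings for one file."""
    findings = []
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return findings
    for domain in IOC_DOMAINS:
        if domain in text:
            findings.append(("ioc_domain", str(path), domain))
    name = plugin_header_name(text)
    if name and name.strip().lower() in SUSPICIOUS_PLUGIN_NAMES:
        findings.append(("fake_plugin_name", str(path), name))
    return findings


def scan_tree(root):
    """Walk a WordPress document root and collect all findings, sorted by kind."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if Path(fn).suffix.lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(Path(dirpath) / fn))
    return sorted(findings)


def build_demo_site(root):
    """Construct a tiny WordPress-like tree: one clean plugin, one suspicious one.

    All names and contents here are made up for the demo (hypothetical).
    """
    root = Path(root)
    clean = root / "wp-content" / "plugins" / "hello-dolly"
    clean.mkdir(parents=True)
    (clean / "hello.php").write_text("<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")

    fake = root / "wp-content" / "plugins" / "wp-core"  # hypothetical directory
    fake.mkdir(parents=True)
    (fake / "wp-core.php").write_text(
        "<?php\n/**\n * Plugin Name: WordPress Core\n */\n"
        "// constructed placeholder file, not real malware\n"
    )
    (fake / "loader.js").write_text(
        "// constructed sample that merely references one IoC domain\n"
        "var u = 'https://graphiccloudcontent.com/x';\n"
    )
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir()
    (uploads / "img.png").write_bytes(b"\x89PNG")  # binary, skipped by extension
    return root


def run_demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_site(tmp))


if __name__ == "__main__":
    for kind, path, value in run_demo():
        print(f"{kind}: {value} in {path}")
```

To run it against a real install, call `scan_tree("/var/www/html")` (or wherever the document root lives). A hit on a domain or on the fake plugin name is a reason to pull the site offline and investigate, not proof of a clean site when nothing is found: a string scan only catches indicators already published, and the article notes the campaign uses obfuscation and several variants, so Wordfence's signatures and a full malware scan remain the authoritative check.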