
Backdoored WordPress Plugins – Campaign

December 12, 2024
in Malware Campaign

Backdoored WordPress Plugins

Type of Malware

Backdoor

Date of Initial Activity

2024

Motivation

Financial Gain

Attack Vectors

Supply Chain

Overview

The recent attack on WordPress plugins demonstrates the increasing sophistication of supply-chain attacks, particularly those targeting widely used content management systems (CMS). In this specific incident, attackers managed to backdoor multiple WordPress plugins, affecting approximately 36,000 websites globally. By embedding malicious code within legitimate plugin updates, the attackers were able to create hidden administrative accounts on the affected websites. These accounts provided them with unrestricted access, allowing them to steal sensitive data, execute arbitrary code, and even take full control of the compromised sites.

The technical execution of this attack is a textbook example of how cybercriminals can exploit the trust users place in well-known software plugins. When users installed or updated these compromised plugins, the malicious code was automatically injected into their WordPress sites. This code typically included functions that created new admin accounts or altered existing ones, often without the website owner’s knowledge. Once an admin account was established, the attackers could access the website’s backend, install additional malware, modify content, and exfiltrate data.

Targets

Information

How they operate

At the core of this attack is the injection of malicious code into the plugin’s source files. When a user updates or installs one of the compromised plugins, the code executes automatically within the WordPress environment. The malicious code is typically designed to perform several key actions. First, it creates a hidden administrative account within the WordPress system. This account often has a non-standard username and a randomized password, making it difficult for site administrators to detect through routine monitoring. The account is granted full administrative privileges, giving attackers complete control over the website.

Once the administrative account is established, the attackers can leverage it to further compromise the site. They can access the WordPress dashboard, modify or delete content, install additional malware, and exfiltrate sensitive data. In some cases, the backdoor also includes functions to communicate with a command-and-control (C2) server, allowing the attackers to issue remote commands or update the malicious payload. This capability enables the attackers to maintain persistence on the compromised site, even if the initial infection vector is discovered and removed.

Another key aspect of these backdoored plugins is their ability to evade detection. The malicious code is often obfuscated or hidden within legitimate-looking code blocks, making it difficult for automated security scanners or even human reviewers to identify. Additionally, because the code is executed as part of the normal plugin functionality, it blends in with legitimate operations, further reducing the likelihood of detection. This stealthy approach allows the attackers to maintain access to compromised websites for extended periods, often until the site administrators notice unusual behavior or a security audit is conducted.
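The Overview and the "How they operate" section above describe two observable behaviours: obfuscated code injected into a plugin's PHP files, and an administrator account that none of the site's staff created. The Python script below is an added example of how a site operator can check for both; it is not code from the original article, from CyberMaterial, or from the cited write-up. The indicator regexes, the two PHP fragments, the user records, the allowlist and the plugin-update timestamp are all constructed assumptions for illustration, and the verdict thresholds are a starting point to tune rather than a signature of this campaign.

```python
"""Defender-side checks for the two behaviours described in the write-up:
(1) obfuscated or privilege-granting code injected into a plugin's PHP files, and
(2) administrator accounts that nobody on the team created.
Every sample input in this file is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path

# Indicator patterns as (name, regex). Obfuscation wrappers and a user-creation
# call paired with the administrator role are the signals the write-up describes.
INDICATORS = [
    ("eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("eval_gz", re.compile(r"eval\s*\(\s*gz(?:inflate|uncompress)\s*\(", re.I)),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(", re.I)),
    ("chr_concat", re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I)),
    ("user_create", re.compile(r"\bwp_(?:insert|create)_user\s*\(", re.I)),
    ("admin_role", re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I)),
    ("set_role_admin", re.compile(r"->set_role\s*\(\s*['\"]administrator['\"]", re.I)),
    ("remote_fetch", re.compile(
        r"\b(?:curl_exec|file_get_contents|wp_remote_(?:get|post))\s*\(\s*['\"]https?://", re.I)),
]
OBFUSCATION = {"eval_base64", "eval_gz", "str_rot13", "chr_concat"}
PRIVILEGE = {"user_create", "admin_role", "set_role_admin"}


def scan_plugin_source(src: str) -> dict:
    """Match one PHP file's text against INDICATORS and give a coarse verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(src)]
    found = set(hits)
    creates_admin = "admin_role" in found and bool(found & {"user_create", "set_role_admin"})
    obfuscated = bool(found & OBFUSCATION)
    if creates_admin or (obfuscated and "remote_fetch" in found):
        verdict = "suspicious"
    elif obfuscated or found & PRIVILEGE:
        verdict = "review"
    else:
        verdict = "clean"  # a bare remote fetch is normal for update checks
    return {"hits": hits, "verdict": verdict}


def scan_plugin_dir(root: str) -> dict:
    """Scan every .php file under a plugin directory (e.g. wp-content/plugins/<name>)."""
    return {str(p): scan_plugin_source(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.php")}


@dataclass
class WPUser:
    login: str            # wp_users.user_login
    role: str             # resolved from the wp_usermeta capabilities entry
    registered: datetime  # wp_users.user_registered (WordPress stores it in UTC)


def find_unexpected_admins(users, known_admins, plugin_updated_at):
    """Return administrator accounts absent from the allowlist, noting whether
    each one was registered after the suspect plugin update."""
    return [
        {"login": u.login, "after_update": u.registered >= plugin_updated_at}
        for u in users
        if u.role == "administrator" and u.login not in known_admins
    ]


# --- constructed samples (not from the campaign) ---------------------------
LEGIT_PHP = """<?php
// constructed: an ordinary update check guarded by a capability test
if (!current_user_can('manage_options')) { return; }
$resp = wp_remote_get('https://updates.example.com/plugin/version');
"""

TAINTED_PHP = """<?php
// constructed indicator fragment for testing the scanner; deliberately incomplete
wp_insert_user(array('user_login' => $n, 'user_pass' => $p, 'role' => 'administrator'));
eval(base64_decode($blob));
"""

SAMPLE_USERS = [
    WPUser("siteowner", "administrator", datetime(2023, 1, 10, 9, 0)),
    WPUser("editor_jane", "editor", datetime(2023, 5, 2, 14, 30)),
    WPUser("wp_sysmaint_4f2a", "administrator", datetime(2024, 6, 25, 3, 17)),
]
KNOWN_ADMINS = {"siteowner"}                    # the accounts the team actually created
PLUGIN_UPDATED_AT = datetime(2024, 6, 21, 0, 0)  # constructed update timestamp


if __name__ == "__main__":
    for label, src in (("legit", LEGIT_PHP), ("tainted", TAINTED_PHP)):
        print(label, scan_plugin_source(src))
    print(find_unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS, PLUGIN_UPDATED_AT))
```

In practice the user list comes from the database (`wp_users` joined with the `wp_capabilities` row in `wp_usermeta`) or from `wp user list --role=administrator`, and the allowlist is whatever the team has on record; an administrator login that is on neither, especially one registered just after a plugin update, is what the write-up says to look for. The file scanner is a heuristic: `wp_insert_user` alone is normal for membership plugins, which is why only the combination with the administrator role, or obfuscation together with a remote fetch, is rated "suspicious".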
References:
  • Compromised WordPress Plugins Enable Creation of Fake Admin Accounts
Tags: Backdoor, Cybercriminals, Malware, Malware Campaign, plugins, supply chain, WordPress
    © 2025 | CyberMaterial | All rights reserved