The site in question is a Web page that has been linked to mass hacking campaigns targeting WordPress websites. The targeted sites had one trait in common: they ran outdated add-ons that were vulnerable to exploitation. Malware experts first spotted the attacks in April 2020, and it quickly became evident that the attackers were compromising more WordPress pages successfully every day. According to cybersecurity researchers, the attackers have likely breached tens of thousands of Web pages already, and by researchers' estimates there may be several million websites that are currently vulnerable and could be exploited by the attackers.

Among the add-ons that are vulnerable to the attackers are:

  • Blog Designer.
  • Total Donation.
  • Easy2Map.
  • WP GDPR Compliance.

It is paramount to note that the attackers are able to exploit only outdated versions of the listed add-ons. If you have updated your add-ons to their latest versions, you do not need to worry about your website being breached. If you administer a website, it is crucial to always apply the latest updates to your themes and plugins to minimize the chances of your page being breached. The attackers carry out the attack either by taking advantage of a vulnerability in an add-on that allows them to alter the site's settings, or by hijacking the session of a WordPress administrator via an XSS vulnerability.
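Since the campaign depends on outdated add-ons, the first thing an administrator wants is an offline inventory of installed plugin versions. The script below is an added example, not code from the original article or from any of the named plugins: it parses the standard plugin header that WordPress itself reads (the "Plugin Name:" and "Version:" lines within the first 8 KiB of a plugin's main PHP file) and flags every plugin whose version is below a minimum you supply. The plugin directory names, file names, versions and the minimum-version table are constructed placeholders for the demonstration; the real minimums must come from each plugin vendor's changelog.

```python
"""Inventory installed WordPress plugins and flag any below a required version.

Added example (not part of the original article). Directory names, versions and
the MINIMUMS table in demo() are constructed placeholders.
"""
import os
import re
import tempfile

HEADER_BYTES = 8192  # WordPress reads only the first 8 KiB of the main plugin file


def parse_plugin_header(path):
    """Return {'name': ..., 'version': ...} from a plugin header comment, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        head = f.read(HEADER_BYTES)
    name = re.search(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", head, re.MULTILINE)
    version = re.search(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", head, re.MULTILINE)
    if not name:
        return None
    return {"name": name.group(1), "version": version.group(1) if version else "0"}


def version_tuple(v):
    """Turn '1.8.13' into (1, 8, 13); non-numeric pieces such as 'beta' become 0."""
    parts = []
    for piece in re.split(r"[.\-+]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_outdated(installed, minimum):
    """True when the installed version is numerically below the required minimum."""
    a, b = version_tuple(installed), version_tuple(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so '1.8' compares equal to '1.8.0'
    b += (0,) * (n - len(b))
    return a < b


def inventory(plugins_dir):
    """Map each plugin directory (slug) to the parsed header of its main PHP file."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            if name.endswith(".php"):
                header = parse_plugin_header(os.path.join(plugin_dir, name))
                if header:
                    found[slug] = header
                    break
    return found


def outdated_plugins(plugins_dir, minimums):
    """Return sorted slugs whose installed version is below the required minimum."""
    inv = inventory(plugins_dir)
    return sorted(slug for slug, required in minimums.items()
                  if slug in inv and is_outdated(inv[slug]["version"], required))


def demo():
    """Build a constructed plugin tree and check it against hypothetical minimums."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = os.path.join(tmp, "wp-content", "plugins")
        # Constructed plugins: slug, header name, installed version.
        for slug, pname, ver in [("blog-designer-sample", "Blog Designer", "1.0.0"),
                                 ("easy2map-sample", "Easy2Map", "2.0.0")]:
            d = os.path.join(plugins, slug)
            os.makedirs(d)
            with open(os.path.join(d, slug + ".php"), "w") as f:
                f.write(f"<?php\n/*\nPlugin Name: {pname}\nVersion: {ver}\n*/\n")
        # HYPOTHETICAL minimums for the demonstration only; use the vendor changelog.
        minimums = {"blog-designer-sample": "1.5", "easy2map-sample": "1.9.9"}
        return outdated_plugins(plugins, minimums)


if __name__ == "__main__":
    print("Outdated plugins:", demo())
```

Point `outdated_plugins()` at a real `wp-content/plugins` directory and a minimums table built from the vendors' release notes; the header parser deliberately reads only the first 8 KiB, matching how WordPress locates the header, so a plugin whose main file lacks a header is reported as missing rather than guessed.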

Malware researchers have yet to uncover how the attackers detect which sites are vulnerable to exploitation. Once the attackers spot a vulnerable site, however, they inject a corrupted, obfuscated JavaScript payload. The script looks through the visitor's cookies to determine whether they are an administrator of a WordPress website. If it finds cookies that match its criteria, it decides how to proceed with the operation:

  • If the targets are not logged into their administrator profile, the script redirects them to a URL that hosts corrupted advertisements.
  • If the targets are logged into their administrator profile, the corrupted script attempts to hijack the active session and plant a PHP backdoor in the site's WordPress theme.

The PHP backdoor used by the attackers is hosted on the '' domain. It is delivered as a JavaScript file that is converted to PHP before being executed. Next, the backdoor injects an additional payload fetched from the '' domain, namely ''. At the time the malware experts studied this campaign, this file appeared to be empty and was therefore inactive. However, this can change at any point, as the attackers can alter the 'n.txt' file and its contents.
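Because the payload is planted in the theme directory, a file-integrity baseline of the theme is the most direct way for an administrator to notice the intrusion. The script below is an added example, not code from the original article: it records a SHA-256 manifest of every file under a theme while the site is known-good, later reports files that were added, modified or removed, and flags PHP files among them that contain functions typical of obfuscated injections. The theme tree, file names and contents are constructed for the demonstration; the planted file is a harmless stand-in, not the campaign's real backdoor.

```python
"""Baseline-and-diff integrity check for a WordPress theme directory.

Added example (not part of the original article). The theme tree, file names
and file contents built in demo() are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile

# PHP functions that obfuscated injections commonly rely on; a hit is a lead
# for manual review, not proof of compromise.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")


def hash_file(path):
    """Return the SHA-256 hex digest of a file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(theme_dir):
    """Map each file's path (relative to theme_dir, '/'-separated) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, theme_dir).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists of (added, modified, removed) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def flag_obfuscation(theme_dir, rel_paths):
    """Among the given files, return the PHP files containing a suspicious token."""
    flagged = []
    for rel in rel_paths:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(theme_dir, rel), "r", encoding="utf-8", errors="replace") as f:
            body = f.read()
        if any(tok in body for tok in SUSPICIOUS_TOKENS):
            flagged.append(rel)
    return flagged


def check_theme(theme_dir, baseline_path):
    """Compare the theme against a saved JSON baseline and return the findings."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    added, modified, removed = diff_manifest(baseline, build_manifest(theme_dir))
    return {
        "added": added,
        "modified": modified,
        "removed": removed,
        "flagged": flag_obfuscation(theme_dir, added + modified),
    }


def demo():
    """Build a constructed theme, baseline it, simulate tampering, and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "wp-content", "themes", "sample-theme")
        os.makedirs(os.path.join(theme, "inc"))
        with open(os.path.join(theme, "functions.php"), "w") as f:
            f.write("<?php\n// constructed clean theme file\nadd_action('init', 'sample_init');\n")
        with open(os.path.join(theme, "inc", "helpers.php"), "w") as f:
            f.write("<?php\n// constructed helper file\n")
        baseline_path = os.path.join(tmp, "theme-baseline.json")
        with open(baseline_path, "w") as f:
            json.dump(build_manifest(theme), f)  # taken while the site is known-good
        # Simulated tampering (constructed): one file edited, one file dropped in.
        with open(os.path.join(theme, "functions.php"), "a") as f:
            f.write("// constructed stand-in for an appended change\n")
        with open(os.path.join(theme, "inc", "planted-sample.php"), "w") as f:
            f.write("<?php\n// constructed stand-in for a planted file\n$p = base64_decode($placeholder);\n")
        return check_theme(theme, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, store the baseline JSON outside the web root (an attacker with a theme-level backdoor can rewrite anything under `wp-content`) and re-run `check_theme()` from a scheduled job; regenerate the baseline only right after a deliberate theme update.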

If you are a WordPress administrator, you need to update all the plugins and themes on your Web page regularly. Avoid downloading pirated themes and other illicit content, as these are often used as an infection vector.
