A big-scale phishing marketing campaign targets WooCommerce customers with a pretend safety alert urging them to obtain a “important patch” that provides a WordPress backdoor to the location.
Recipients that take the bait and obtain the replace are literally putting in a malicious plugin that creates a hidden admin account on their web site, downloads net shell payloads, and maintains persistent entry.
The marketing campaign, which was found by Patchstack researchers, seems to be a continuation of an identical operation in late 2023 that focused WordPress customers with a pretend patch for a made-up vulnerability.
Patchstack says each campaigns used an uncommon set of net shells, an identical payload hiding strategies, and comparable electronic mail content material.
Faux safety alert
The emails focusing on WordPress admins spoof the favored WooCommerce e-commerce plugin, utilizing the handle ‘assist@security-woocommerce[.]com.’
Recipients are knowledgeable that their web sites had been focused by hackers making an attempt to use an ‘unauthenticated administrative entry’ vulnerability.
To guard their on-line shops and information, recipients are suggested to obtain a patch utilizing the embedded button, with step-by-step directions on the way to set up it included within the message.
“We’re contacting you relating to a important safety vulnerability present in WooCommerce platform on April 14, 2025,” reads the phishing emails.
“Warning: Our newest safety scan, carried out on April 21, 2025, has confirmed that this important vulnerability immediately impacts your web site.”
“We strongly advise you to take pressing measures to safe your retailer and defend your information,” continues the e-mail so as to add a way of urgency.
.jpg)
Supply: Patchstack
Clicking on the ‘Obtain Patch’ button takes victims to a web site that spoofs WooCommerce, utilizing a very misleading ‘woocommėrce[.]com’ area that is just one character totally different from the official, woocommerce.com.
The malicious area employs a homograph assault method the place the Lithuanian character “ė” (U+0117) is used as an alternative of an “e,” making it straightforward to overlook.
.jpg)
Supply: Patchstack
Submit-infection exercise
After the sufferer installs the pretend safety repair (“authbypass-update-31297-id.zip”), it creates a randomly named cronjob that runs each minute, making an attempt to create a brand new admin-level consumer.
Subsequent, the plugin registers the contaminated web site through an HTTP GET request to ‘woocommerce-services[.]com/wpapi,’ and fetches a second-stage obfuscated payload.
This, in flip, installs a number of PHP-based net shells underneath ‘wp-content/uploads/,’ together with P.A.S.-Kind, p0wny, and WSO.
Patchstack feedback that these net shells permit full management of the location and might be used for advert injection, redirecting customers to malicious locations, enlisting the server to DDoS botnets, stealing fee card data, or executing ransomware to encrypt the location and extort the proprietor.
To evade detection, the plugin removes itself from the seen plugin listing and in addition hides the malicious administrator account it created.
Patchstack advises web site house owners to scrutinize admin accounts for 8-character random names, uncommon cronjobs, a folder named ‘authbypass-update,’ and outgoing requests to woocommerce-services[.]com, woocommerce-api[.]com, or woocommerce-help[.]com.
Nevertheless, the safety agency notes that risk actors usually change all these indicators as soon as they’re uncovered through public analysis, so be sure to do not depend on narrow-scope scans.
