WordPress Redirect Malware Hidden in Google Tag Manager Code

Attackers injected malicious Google Tag Manager (GTM) code directly into the database of a compromised WordPress site, redirecting visitors to a spam domain. Because no theme or plugin file is modified, the technique evades file-based detection; it has infected over 200 websites and shows how a trusted service like GTM can be abused to deliver malicious code.

Keypoints

  • The malware was injected in the WordPress database tables wp_options and wp_posts rather than theme or plugin files.
  • The malicious GTM container ID used was GTM-PL2J2GLH, loading a remote JavaScript that redirects users to the spam domain spelletjes[.]nl.
  • The infection affects over 200 websites, as identified by PublicWWW data.
  • The attacker likely compromised a wp-admin user to insert the malicious GTM code through the WordPress admin panel.
  • The injected GTM script executes a client-side redirect, bypassing many traditional security filters since it is hosted on a legitimate Google domain.
  • Impact includes damage to user trust, SEO and conversion rates, and an increased risk of security flags or warnings from browsers.
  • Remediation involves removing suspicious GTM tags, scanning for malware or backdoors, updating software, enabling two-factor authentication, and monitoring site activity.

MITRE Techniques

  • [T1071] Application Layer Protocol – Use of Google Tag Manager’s legitimate hosting service to deliver malicious JavaScript and redirect users (‘using a GTM container ID they controlled to load remote JavaScript’).
  • [T1505] Server Software Component – Injection of malicious scripts into the WordPress database (wp_options and wp_posts tables) to execute malicious code without modifying files (‘infection was hidden directly inside the WordPress database’).
  • [T1110] Brute Force – Possible compromise of wp-admin user credentials to inject malicious GTM scripts through the WordPress admin panel (‘likely inserted via the wp-admin panel due to a compromised admin user’).

Indicators of Compromise

  • [GTM Container ID] Malicious Google Tag Manager container used for injection – GTM-PL2J2GLH
  • [Domain] Spam redirect domain – spelletjes[.]nl
  • [URL] Remote JavaScript loading URL – hxxps://www.googletagmanager[.]com/gtm.js?id=GTM-PL2J2GLH
  • [Database Entries] WordPress database fields containing malicious code – wp_options table option_name: ihaf_insert_body, wp_posts table injections
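As an added example (not code from the Sucuri write-up), the following Python scan runs over exported wp_options and wp_posts values, flags any GTM container ID that sits beside a gtm.js loader reference, treats the container ID reported above as malicious and anything not on a site-maintained allowlist as unknown; the allowlist entry and the sample rows are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Allowlist of the site's legitimate containers (constructed placeholder for this example).
ALLOWED_CONTAINERS = {"GTM-EXAMPLE1"}
# Container ID reported as malicious on this page.
KNOWN_MALICIOUS = {"GTM-PL2J2GLH"}

# GTM loader reference and the container-ID token used in the standard GTM snippet.
GTM_LOADER = "googletagmanager.com/gtm.js"
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")


def scan_rows(rows: Iterable[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Flag GTM container IDs found in exported wp_options / wp_posts values.

    rows: (table, key, value) triples, e.g. (table, option_name, option_value)
    or (table, post ID, post_content). Returns one finding per container ID
    that appears next to a GTM loader reference and is not allowlisted.
    """
    findings: List[Dict[str, str]] = []
    for table, key, value in rows:
        text = value or ""
        if GTM_LOADER not in text.lower():
            continue  # no GTM loader in this field; nothing to assess
        for cid in sorted(set(GTM_ID_RE.findall(text))):
            if cid in ALLOWED_CONTAINERS:
                continue
            verdict = "malicious" if cid in KNOWN_MALICIOUS else "unknown"
            findings.append({"table": table, "key": key, "container": cid, "verdict": verdict})
    return findings


# Constructed sample rows imitating a database export; not real site data.
SAMPLE_ROWS = [
    ("wp_options", "ihaf_insert_body",
     "<script>(function(w,d,s,l,i){...j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;"
     "...})(window,document,'script','dataLayer','GTM-PL2J2GLH');</script>"),
    ("wp_options", "ihaf_insert_header",
     "<script async src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1'></script>"),
    ("wp_posts", "post_id=17",
     "<p>Welcome</p><script src='https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123'></script>"),
    ("wp_options", "siteurl", "https://example.com"),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['verdict']:9} {f['table']}.{f['key']}: {f['container']}")
```

Any "unknown" hit is worth reviewing with whoever manages the site's tagging, since a container the owner never created is the signature of this infection.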


Read more: https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google-tag-manager-code.html