New Threat Identified October 2025

TL;DR —

Wordfence has uncovered a new sophisticated malware campaign that uses rogue WordPress plugins to hide multi-tiered credit-card skimmers inside fake PNG image files. The plugins contain a couple of PHP files plus PNGs that actually conceal JavaScript payloads; the attackers use randomized plugin and function names and custom obfuscation to evade detection and maintain persistent backdoors. If you run WooCommerce, treat this as high priority: audit installed plugins, scan for PNG files that shouldn’t contain executable content, and rotate payment credentials immediately.

What Wordfence discovered (key details)

  1. Delivery as a rogue plugin: The malware is packaged as a WordPress plugin folder containing two PHP files and two PNG files. The PNGs are not innocuous images — they are used as a covert storage/loader for the skimming JavaScript.
  2. Randomized names and variants: Plugin folder names and PHP function/variable names are randomized per instance (common names seen include things like license-user-kit, jwt-log-pro, cron-environment-advanced, and others). This makes signature-based detection harder.
  3. Custom obfuscation / keyed strings: The code uses a custom obfuscation layer (strings obfuscated and decoded with a shared key) so the malicious strings aren’t obvious on a simple grep. This is deliberately intended to bypass content flagging.
  4. Persistence & staged payloads: The plugin implements a persistence/backdoor layer that allows the attacker to fetch and deploy additional code or skimmers on demand — i.e., the initial malicious plugin can bootstrap further malicious JavaScript to the checkout flow.
  5. Timeline & detection: Wordfence received the original sample in August 2025 and released detection signatures between late August and early September; paid customers received those signatures immediately, with free users receiving them after Wordfence’s standard delay.

Updated indicators of compromise — search these now

  1. Plugin directories that look like three-word names or contain license, jwt, cron, env, task, access in odd combinations (example: license-user-kit, json-task-basic).
  2. PNG files inside plugin folders that are unexpectedly present (PNG files that appear along with .php in a plugin folder). Treat PNG files inside plugin directories as suspicious until verified.
  3. Random or short PHP filenames inside a plugin whose name is otherwise unrelated to them.
  4. Obfuscated decode functions — search for common decode patterns and for any function that returns a long decoded/concatenated string — these are often the decode routine for the PNG payload.
  5. Unexpected outbound requests from PHP processes or POSTs to unknown external domains originating from checkout endpoints.

If you suspect that your site is compromised then get in touch – we will fix it

Now on with the rest of the blog…


How to Check If a Website is Affected by Credit Card Skimming Malware

Although credit card skimmers can be hard to spot, you can identify them using various security scanning approaches:

1. Manual Code Inspection

  • Check for suspicious JavaScript files in wp-content/uploads, wp-includes, and theme/plugin directories.
  • Look for obfuscated or encoded scripts containing functions like eval(), atob(), decodeURI(), document.write(), window.ww = new WebSocket(), etc.
  • Identify XOR-encrypted character arrays used in malicious scripts. In the sample analysed here, the array contains characters that are XOR-encrypted with the number 42.
  • Inspect WooCommerce checkout pages for unauthorized form elements or injected scripts.
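The indicators above (three-word plugin slugs built from words like license, jwt, cron, env, task and access; PNG files inside plugin folders that carry code instead of image data; decode functions and long integer arrays in script files) can be turned into a triage scan. The script below is an added example, not Wordfence's scanner or this blog's tooling. It assumes a WordPress root passed on the command line (a hypothetical path) and treats everything it reports as a candidate for manual review, not a verdict:

```python
"""Triage scan of a WordPress install for the skimmer indicators listed above.

Added example (not Wordfence's scanner or the blog author's tooling). It
implements the indicators as heuristics: three-word plugin slugs built from
the listed vocabulary, .png files in plugin folders that lack the PNG
signature or contain script/PHP tokens, and .php/.js files carrying the
listed decode functions or long integer arrays of the kind XOR-encoded
strings are stored in. Output is a triage list for manual review.
"""
import os
import re
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Tokens from the indicator lists. "<?php" is only meaningful inside a PNG;
# the rest are worth a look in any script file on the site.
PNG_TOKENS = (b"<?php", b"eval(", b"atob(", b"decodeURI(",
              b"document.write(", b"new WebSocket(", b"new Function(")
SCRIPT_TOKENS = PNG_TOKENS[1:]

# 20+ comma-separated small integers in brackets: candidate XOR-encoded string.
INT_ARRAY_RE = re.compile(rb"\[\s*(?:\d{1,3}\s*,\s*){20,}\d{1,3}\s*\]")

# Words the rogue plugin folder names were built from (indicator 1).
NAME_WORDS = {"license", "jwt", "cron", "env", "task", "access"}


def suspicious_plugin_slug(slug):
    """True for three-word slugs that reuse the campaign's vocabulary."""
    parts = slug.lower().split("-")
    return len(parts) == 3 and any(p in NAME_WORDS for p in parts)


def check_png(data):
    """Return a finding for PNG bytes that are not a real image, else None."""
    if not data.startswith(PNG_MAGIC):
        return "png without PNG signature"
    hits = [t.decode() for t in PNG_TOKENS if t in data]
    return "png contains " + ", ".join(hits) if hits else None


def check_script(data):
    """Return a finding for script bytes carrying decode/loader tokens, else None."""
    hits = [t.decode() for t in SCRIPT_TOKENS if t in data]
    if INT_ARRAY_RE.search(data):
        hits.append("long integer array (possible XOR-encoded string)")
    return ", ".join(hits) if hits else None


def audit(wp_root):
    """Walk the install and return a list of (path, finding) pairs."""
    findings = []
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    if os.path.isdir(plugins):
        for slug in sorted(os.listdir(plugins)):
            if suspicious_plugin_slug(slug):
                findings.append((os.path.join(plugins, slug), "suspicious plugin slug"))
    for dirpath, _, files in os.walk(wp_root):
        in_plugins = dirpath == plugins or dirpath.startswith(plugins + os.sep)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".png" and in_plugins:
                checker = check_png
            elif ext in (".php", ".js"):
                checker = check_script
            else:
                continue  # media, CSS, fonts: not covered by these indicators
            with open(path, "rb") as fh:
                finding = checker(fh.read())
            if finding:
                findings.append((path, finding))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, finding in audit(root):
        print(f"{finding}: {path}")
```

Run it against a copy of the site (for example a backup extracted to a scratch directory) rather than the live document root, so the scan itself cannot disturb the evidence; eval() and atob() do appear in some legitimate plugins, which is why each hit is a lead to verify against a clean copy of that file, not proof of compromise.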

2. Browser Developer Tools (Client-Side Check)

  • Open the checkout page and use DevTools → Network Tab to check outgoing requests.
  • Look for unknown third-party domains collecting credit card details.
  • Inspect the Console Tab for JavaScript errors or suspicious activities.

3. Security Plugins & Scanners (Automated Scans)

  • Use Wordfence, MalCare, or Sucuri Security to scan for malware and unauthorized modifications.

4. Server-Side Security Scan & Malware Protection

  • Many hosting providers offer built-in malware scanning tools. Examples include:
  • In our case, our malware protection add-on successfully detected the skimmer code on customer websites.

We have identified that this code was inserted into the theme’s functions.php file and the wp-includes/functions.php file. We detected that when this code is present on one of our customer’s websites, it replaces the WooCommerce PayPal Advanced Credit Card form with a custom credit card form. As a result, when customers attempt to place an order using their credit card, the malware executes and steals their credit card details.

Analysis of the Malicious JavaScript Code

  • Page Targeting: The script activates only on the /checkout page.
  • Obfuscation: It generates a unique script ID and XOR-encrypts a WebSocket URL to avoid detection.
  • WebSocket Connection: The script establishes a WebSocket (ww) that allows attackers to remotely send and execute JavaScript on the checkout page.
  • Real-time Data Theft: The new Function(e.data)() call executes whatever the attacker sends over the socket, stealing customer credit card details.
  • Self-Destruction: If the WebSocket closes, the script removes itself to prevent detection.


Decoding the Malicious JavaScript Code

Let’s deobfuscate the following array from the malicious javascript code:

We can use a Python script or online tools such as CyberChef or deobfuscate.io for JavaScript deobfuscation.

I have already performed the deobfuscation for this array. You can view the results here:

🔗 CyberChef Deobfuscation Result
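For readers who prefer the Python route over CyberChef, the script below is an added example (not the author's script or the CyberChef recipe) of the deobfuscation step: it pulls the integer array out of a JavaScript snippet, XORs every element with the key 42 identified above, and, going one step beyond this sample, ranks all 256 single-byte keys by how printable and URL-like the output is, for cases where the key is not yet known. SAMPLE_JS is constructed for this example: its array is the placeholder URL wss://c2.example.invalid/ws encoded with key 42, standing in for the real array (which decoded to the C2 named in the IoC section).

```python
"""Recover the string hidden in an XOR-obfuscated character array.

Added example for the deobfuscation step in the post; not the blog author's
script or the CyberChef recipe. SAMPLE_JS is constructed: a placeholder URL
XOR-encoded with key 42, standing in for the array in the real sample.
"""
import re
import string

PRINTABLE = set(string.printable.encode())

# Constructed stand-in for the skimmer's obfuscated array (key 42).
SAMPLE_JS = ("var _0x=[93,89,89,16,5,5,73,24,4,79,82,75,71,90,70,79,4,"
             "67,68,92,75,70,67,78,5,93,89];")


def parse_js_int_array(text):
    """Return the first [n, n, ...] array in a JavaScript snippet as ints."""
    m = re.search(r"\[\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\]", text)
    if not m:
        raise ValueError("no integer array found")
    values = [int(x) for x in re.split(r"\s*,\s*", m.group(1).strip())]
    if any(v > 255 for v in values):
        raise ValueError("array holds values outside the byte range")
    return values


def xor_decode(values, key):
    """XOR every element with a single-byte key."""
    return bytes(v ^ key for v in values)


def decode_snippet(text, key=42):
    """Decode the array embedded in a snippet with a known key."""
    return xor_decode(parse_js_int_array(text), key).decode("latin-1")


def rank_keys(values, top=5):
    """Try all 256 single-byte keys; score by printability, bonus for '://'.

    Generalises the post's known-key case to a sample whose key is unknown:
    the right key yields fully printable text, and C2 strings are URLs.
    """
    scored = []
    for key in range(256):
        out = xor_decode(values, key)
        score = sum(b in PRINTABLE for b in out) / len(out)
        if b"://" in out:
            score += 0.5
        scored.append((score, key, out))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored[:top]


if __name__ == "__main__":
    arr = parse_js_int_array(SAMPLE_JS)
    print("with key 42:", decode_snippet(SAMPLE_JS))
    for score, key, out in rank_keys(arr):
        print(f"key {key:3d} score {score:.2f} -> {out!r}")
```

Paste the array from the real script into SAMPLE_JS (or read the file and pass its contents to decode_snippet) to reproduce the CyberChef result; the printability score alone ties for several nearby keys on short inputs, which is why the URL bonus is there.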

Indicators of Compromise (IoC)

From the decoded result, the first identified Indicator of Compromise (IoC) is:

Understanding the Malicious Behavior

  • The current URL of the infected webpage is passed as a parameter when the script executes.
  • The script connects to cpeciadogfoods[.]com via WebSocket, sending the compromised site’s URL.
  • The attacker responds with another JavaScript payload, intended to steal credit card and other sensitive information.


How to Verify This on an Infected Website

To further investigate, you can use Browser Developer Tools (Client-Side Check):

  1. Open the checkout page.
  2. Navigate to DevTools → Network Tab.
  3. Look for outgoing requests to cpeciadogfoods.com or other suspicious domains.

Below is a screenshot of my test results from an infected checkout page, showing the network activity confirming this malicious behavior.

A list of C2s I identified can be found below:


And here is another form of injection related to this campaign:

Where Malicious Code is Found

  1. Direct File Injection:
    • Hackers may gain access to the server and inject the script directly into HTML, JavaScript, or PHP files.
    • Commonly targeted files include functions.php, wp-includes/functions.php, and WooCommerce checkout-related templates.
  2. Database Injection:
    • The malicious code can be stored in the database, often within wp_options, wp_posts, or wp_usermeta tables.
    • This can cause the script to be executed dynamically when certain pages load, making it harder to detect.
  3. Third-Party Integrations:
    • Attackers exploit vulnerabilities in plugins, themes, or extensions to inject skimming scripts.
    • Compromised third-party scripts (such as analytics or chatbot services) can also be used to load malware externally.


How to Remove the WooCommerce Skimming Malware

1. Identifying and Removing Malicious Code

  • Manually inspect and remove injected scripts from functions.php, wp-includes, and other core files.
  • Use WooCommerce security scanners to automate detection and cleanup.

2. Change Credentials

  • Update all admin passwords, database credentials, SSH, SFTP, and cPanel credentials.
  • Enforce strong passwords and enable two-factor authentication (2FA).

3. Apply Security Patches

  • Update WordPress, WooCommerce, themes, and plugins to their latest versions.
  • Remove unused or abandoned plugins/themes.

4. Scan for Backdoors

  • Check for hidden admin users in the wp_users table.
  • Inspect scheduled tasks (wp-cron.php) for unauthorized scripts.
  • Monitor log files for suspicious login attempts.


Protecting Against Future Threats

1. Implement Security Measures

  • Website Firewall Protection: Use security plugins, Cloudflare, and server-level firewalls.
  • Regular Security Audits: Conduct weekly malware scans and monitor unauthorized changes.
  • File Integrity Monitoring: Track file modifications to detect unauthorized script injections.
  • Secure Development Practices: Follow secure coding standards to prevent vulnerabilities.
  • Backup Regularly: Maintain daily backups for quick recovery in case of an attack.


Conclusion

Credit card skimming attacks on WooCommerce websites are becoming increasingly sophisticated, often leveraging obfuscation and WebSocket connections to steal sensitive data. Regular WooCommerce security monitoring, malware scanning, and implementing best practices can help prevent and mitigate such attacks.

By following the detection, removal, and prevention strategies outlined in this post, website owners can secure their WooCommerce stores and protect customer payment data. Always ensure that your website remains up to date, use strong security measures, and proactively monitor for suspicious activities.

For enhanced security, consider using server-side malware protection, firewalls, and routine file integrity checks to detect unauthorized modifications before they cause harm.

Stay vigilant and keep your WooCommerce store safe!