Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks
A phishing campaign abuses compromised WordPress sites by injecting malicious JavaScript into theme files, so that visitors to an otherwise legitimate site are redirected to ClickFix phishing pages that mimic a browser verification challenge. The injected code acts as a remote loader: it fetches its next stage from attacker-controlled infrastructure and loads it through hidden iframes, so the compromised site itself never serves a downloadable payload. Operators use the IUAM ClickFix Generator phishing kit to build customizable, convincing landing pages that deliver malware such as DeerStealer and, on macOS, Odyssey Stealer. A related cache-smuggling technique stages the payload in the browser cache disguised as an image, so the obfuscated PowerShell command the victim is tricked into running only reads a file that is already on disk and makes no network request of its own, sidestepping controls that key on downloads or command-and-control traffic. Commodity kits lower the barrier to large-scale, multi-platform attacks. European organizations running WordPress are exposed, especially those with outdated themes or weak administrative controls; countries with high WordPress adoption and large digital commerce sectors, such as Germany, the UK, France and the Netherlands, are particularly affected. Mitigation requires proactive theme and plugin management, continuous monitoring for unauthorized changes, and detection of the phishing infrastructure. Given the medium complexity but high impact of the attack (data theft, credential compromise, operational disruption), the suggested severity is high.
AI Analysis
Technical Summary
This campaign targets WordPress websites by injecting malicious code into theme files, specifically functions.php, where it runs on every page load. The injection is disguised as Google Ads tracking code to survive a casual review, but functions as a remote loader: the injected JavaScript runs in the visitor's browser and sends an HTTP POST request to an attacker-controlled domain (e.g., brazilc[.]com), which answers with a dynamic payload, including JavaScript hosted on porsasystem[.]com, that redirects the visitor to a phishing page mimicking Cloudflare's browser verification challenge. These pages are built with the IUAM ClickFix Generator kit, which lets an operator produce customizable, convincing fake verification pages that trick the user into executing a command. The kit also writes the command to the clipboard and fingerprints the victim's operating system to tailor delivery, serving information stealers such as DeerStealer and, on macOS, Odyssey Stealer. A related technique called cache smuggling preloads the payload into the browser cache disguised as an innocuous file (e.g., a JPEG image); the obfuscated PowerShell command the victim runs then extracts and executes it from the cache, so the execution stage downloads nothing and contacts no command-and-control server, defeating detections that key on those events. Initial access to the sites relies on common WordPress weaknesses such as outdated themes and weak administrative controls, which also give the attacker persistence across many sites at once. The availability of commercial phishing kits lowers the technical barrier, enabling large-scale, multi-platform phishing and malware campaigns.
Potential Impact
European organizations using WordPress for their websites, especially those in e-commerce, media, and public sectors, face significant risks from this campaign. The injected JavaScript can redirect legitimate visitors to phishing sites that harvest credentials or deliver malware, potentially leading to data breaches, credential theft, and unauthorized access to corporate networks. The use of sophisticated evasion techniques like cache smuggling and obfuscated PowerShell scripts increases the likelihood of prolonged undetected infections, complicating incident response efforts. The multi-platform nature of the malware, including targeting macOS systems, broadens the scope of affected endpoints within organizations. Disruption of customer trust and brand reputation is a likely consequence if visitors are compromised through legitimate corporate websites. Additionally, the campaign’s ability to bypass common security controls such as antivirus and web filters raises the risk of successful exploitation. The financial and operational impact can be substantial, including regulatory penalties under GDPR if personal data is compromised. The threat also poses risks to supply chain security if compromised WordPress sites serve as vectors for further attacks.
Mitigation Recommendations
1. Immediately audit all WordPress installations for unauthorized modifications, starting with theme files such as functions.php and header/footer templates, and compare them against a pristine copy of the same theme version.
2. Enforce strict update policies for WordPress core, themes, and plugins to close the known vulnerabilities attackers use for initial access.
3. Implement file integrity monitoring to alert on unexpected changes to site files in near real time.
4. Harden administrative access with strong, unique passwords, multi-factor authentication, and login rate limiting, and remove administrator accounts nobody can vouch for.
5. Run regular scans with tools that detect injected JavaScript and anomalous administrator accounts.
6. Block the loader and payload hosts brazilc[.]com and porsasystem[.]com at DNS, proxy, and egress filtering. A web application firewall (WAF) protects the site's own inbound traffic; the loader's POST travels from the visitor's browser to the attacker's server, so the WAF will not see it and should instead be tuned to stop the admin abuse and file uploads that lead to the injection.
7. Monitor DNS and network logs for connections to known phishing infrastructure and traffic distribution system (TDS) domains associated with this campaign.
8. Educate website administrators and users about fake browser verification pages and the clipboard paste-and-run trick they depend on.
9. Use endpoint detection and response (EDR) to alert on obfuscated or encoded PowerShell, especially when it reads from browser cache directories, which is the signature of cache smuggling.
10. Coordinate with hosting providers and security vendors to remediate compromised sites quickly and share indicators.
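Item 9 and the cache-smuggling description in the technical summary both reduce to two concrete checks: a proxy or NDR can flag an object served as image/jpeg that is really a carrier for an archive, and an EDR can flag PowerShell that runs hidden or with an encoded command and reaches into a browser cache directory. The code below is an added example, not code from the article or from the researchers it cites. The JPEG bytes, the PowerShell one-liner and the process-creation events are constructed; their exact layout is an assumption about what such a payload would look like, not an indicator from the source.

```python
"""Two detections for the cache-smuggling stage.

Added example; not code from the article or the researchers it cites.
  is_smuggled_image()          - flags a response declared image/jpeg whose body is not a
                                 JPEG or carries a ZIP local-file header after the image data,
                                 the polyglot a cache-smuggling page preloads into the cache.
  flag_powershell_cache_read() - flags a process-creation record where PowerShell runs hidden
                                 or encoded and its (decoded) command names a browser cache
                                 directory, the point at which the staged file is read back.
Sample bytes, script and events are constructed; their layout is an assumption.
"""
import base64
import re

JPEG_SOI, JPEG_EOI, ZIP_LFH = b"\xff\xd8\xff", b"\xff\xd9", b"PK\x03\x04"
TRAILER_LIMIT = 64   # bytes of slack tolerated after the last EOI marker


def is_smuggled_image(content_type: str, body: bytes) -> tuple[bool, str]:
    """Return (flagged, reason) for one cached or proxied object declared as a JPEG."""
    if content_type.split(";")[0].strip().lower() != "image/jpeg":
        return False, "not declared as image/jpeg"
    if not body.startswith(JPEG_SOI):
        return True, "declared image/jpeg but has no JPEG SOI marker"
    zip_at = body.find(ZIP_LFH)              # a real JPEG has no reason to contain a ZIP header
    if zip_at > 0:
        return True, f"ZIP local-file header embedded at offset {zip_at}"
    eoi = body.rfind(JPEG_EOI)               # last EOI; EXIF thumbnails carry their own earlier one
    trailing = len(body) - (eoi + 2) if eoi >= 0 else len(body)
    if trailing > TRAILER_LIMIT:
        return True, f"{trailing} bytes appended after JPEG EOI"
    return False, "looks like a plain JPEG"


BROWSER_CACHE = re.compile(
    r"Google\\Chrome\\User Data\\[^\\]+\\Cache|Microsoft\\Edge\\User Data\\[^\\]+\\Cache"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2|\\INetCache\\", re.I)
STEALTH_FLAGS = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-(?:nop|noprofile)\b"
                           r"|-(?:ep|executionpolicy)\s+bypass", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
FILE_READ = re.compile(r"Get-ChildItem|\bgci\b|Get-Content|\[(?:System\.)?IO\.File\]|ReadAllBytes", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; return the script or '' if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def flag_powershell_cache_read(event: dict) -> tuple[bool, list[str]]:
    """event holds 'image', 'command_line', 'parent_image' as a process-creation log would carry them."""
    if not event.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return False, []
    cmd = event.get("command_line", "")
    script = cmd + "\n" + decode_encoded_command(cmd)   # inspect both the raw line and the decoded body
    reasons: list[str] = []
    if not BROWSER_CACHE.search(script):                # the cache path is the necessary condition
        return False, reasons
    reasons.append("command line or decoded script names a browser cache directory")
    if STEALTH_FLAGS.search(cmd) or ENCODED_ARG.search(cmd):
        reasons.append("hidden, encoded or no-profile invocation")
    if FILE_READ.search(script):
        reasons.append("reads or enumerates files in that directory")
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe, as when a user pastes into the Run dialog")
    return len(reasons) >= 2, reasons


# Constructed samples. The JPEG is a minimal stub; the carrier appends a ZIP header to it.
PLAIN_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SMUGGLED_JPEG = PLAIN_JPEG + ZIP_LFH + b"archive body and the script it carries would follow"

# Constructed one-liner standing in for the cache-reading stage (directory layout assumed).
STAGED_SCRIPT = (r'$d="$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data";'
                 r'Get-ChildItem $d | ForEach-Object { [IO.File]::ReadAllBytes($_.FullName) }')
ENCODED = base64.b64encode(STAGED_SCRIPT.encode("utf-16-le")).decode()
MALICIOUS_EVENT = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}",
    "parent_image": r"C:\Windows\explorer.exe",
}
BENIGN_EVENT = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": r"powershell.exe -NoProfile -File C:\Ops\rotate-logs.ps1",
    "parent_image": r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    print(is_smuggled_image("image/jpeg", SMUGGLED_JPEG))
    print(flag_powershell_cache_read(MALICIOUS_EVENT))
    print(flag_powershell_cache_read(BENIGN_EVENT))
```

The process rule deliberately requires the cache path plus one more signal, so a legitimate support script that inspects a cache directory from a visible console is not flagged on the path alone; decode the -EncodedCommand argument before matching, because the path only appears in the decoded UTF-16LE body.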
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Article source: https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html (fetched 2025-10-09T01:05:06Z, 1,551 words)
Threat ID: 68e70a4432de7eb26af4e138
Added to database: 10/9/2025, 1:05:08 AM
Last enriched: 10/9/2025, 1:05:26 AM
Last updated: 10/9/2025, 3:11:05 AM