WordPress malicious JavaScript redirect campaign
Campaign
Summary
Hide ▲
Show ▼
The WordPress compromise campaign is turning site visits into a malware delivery path, redirecting users to ClickFix-style pages and fake Cloudflare verification screens. Attackers injected malicious JavaScript through functions.php and used remote loaders on brazilc[.]com and porsasystem[.]com to serve the payload. The activity matters because it reaches normal visitors through trusted websites and can hand them off to malware pages. It also hides behind legitimate-looking ads and browser-challenge branding to reduce suspicion.
Related Happenings
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
WordPress malware hides C2 data in Steam Community comments
Malware Activity
H score16
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
About this happening:
A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...
WordPress malware hides C2 data in Steam Community comments
Malware ActivityAbout this happening: A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...
WordPress malware campaign using Steam profile C2 concealment
Campaign
H score37
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
About this happening:
A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
WordPress malware campaign using Steam profile C2 concealment
CampaignAbout this happening: A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
Ghost Stadium FIFA World Cup fraud campaign
Campaign
H score41
First: 27.05.2026 14:28
Last: 27.05.2026 14:28
Sources 1
About this happening:
A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...
Ghost Stadium FIFA World Cup fraud campaign
CampaignAbout this happening: A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score29
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware ActivityAbout this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
-
08.10.2025 19:43 1 articles · 9mo ago
Compromised WordPress sites redirect visitors to ClickFix pages
Exploitation ObservedUsers visiting compromised sites on September 19, 2025 were sent through an infection chain that executed `porsasystem[.]com/6m9x.js`, then `porsasystem[.]com/js.php`, and then directed victims to ClickFix-style pages for malware delivery.
Show sources
- Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
-
08.10.2025 19:43 2 articles · 9mo ago
Sucuri analyzes malicious WordPress JavaScript loader
Technical Analysis UpdateOn October 8, 2025, Sucuri investigators found a compromised WordPress site serving suspicious third-party JavaScript after attackers modified `functions.php`; the loader sent HTTP POST requests to `brazilc[.]com`, which returned code that loaded `porsasystem[.]com` and a hidden 1x1 pixel iframe mimicking Cloudflare challenge assets such as `cdn-cgi/challenge-platform/scripts/jsd/main.js` to redirect site visitors.
Show sources
- Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43