Find notable cyber news and cases, enriched with sources, timelines, and signals.

WordPress malicious JavaScript redirect campaign

Campaign
First reported
Last updated
Happening score
H score 20
1 unique sources, 1 articles

Summary

Hide ▲

The WordPress compromise campaign is turning site visits into a malware delivery path, redirecting users to ClickFix-style pages and fake Cloudflare verification screens. Attackers injected malicious JavaScript through functions.php and used remote loaders on brazilc[.]com and porsasystem[.]com to serve the payload. The activity matters because it reaches normal visitors through trusted websites and can hand them off to malware pages. It also hides behind legitimate-looking ads and browser-challenge branding to reduce suspicion.

Related Happenings

Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
H score33 First: 03.06.2026 19:29 Last: 03.06.2026 19:29 Sources 1

About this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...

WordPress malware hides C2 data in Steam Community comments

Malware Activity
H score16 First: 01.06.2026 20:04 Last: 01.06.2026 20:04 Sources 1

About this happening: A **WordPress malware** operation has been uncovered on **approximately 1,980 websites**, raising the risk of hidden **command-and-control (C2)** traffic and persistent page injec...

WordPress malware campaign using Steam profile C2 concealment

Campaign
H score37 First: 01.06.2026 20:04 Last: 01.06.2026 20:04 Sources 1

About this happening: A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...

Ghost Stadium FIFA World Cup fraud campaign

Campaign
H score41 First: 27.05.2026 14:28 Last: 27.05.2026 14:28 Sources 1

About this happening: A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
H score29 First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Timeline

  1. 08.10.2025 19:43 1 articles · 9mo ago

    Compromised WordPress sites redirect visitors to ClickFix pages

    Exploitation Observed

    Users visiting compromised sites on September 19, 2025 were sent through an infection chain that executed `porsasystem[.]com/6m9x.js`, then `porsasystem[.]com/js.php`, and then directed victims to ClickFix-style pages for malware delivery.

    Show sources
  2. 08.10.2025 19:43 2 articles · 9mo ago

    Sucuri analyzes malicious WordPress JavaScript loader

    Technical Analysis Update

    On October 8, 2025, Sucuri investigators found a compromised WordPress site serving suspicious third-party JavaScript after attackers modified `functions.php`; the loader sent HTTP POST requests to `brazilc[.]com`, which returned code that loaded `porsasystem[.]com` and a hidden 1x1 pixel iframe mimicking Cloudflare challenge assets such as `cdn-cgi/challenge-platform/scripts/jsd/main.js` to redirect site visitors.

    Show sources