
Adversary-in-the-Middle phishing campaign leveraging Google Ads targets ManageWP credentials

1 unique source, 1 article

Summary


A phishing campaign is abusing Google sponsored search results to deliver adversary-in-the-middle (AiTM) phishing pages targeting credentials for ManageWP, GoDaddy’s remote WordPress administration platform. Threat actors proxy victim interactions in real time between the fake login page and the legitimate ManageWP service, capturing credentials and 2FA codes and sending them to an attacker-controlled Telegram channel. The campaign is designed as an interactive, operator-driven framework rather than a commoditized phishing kit. Targeted users include developers and agencies managing WordPress fleets, with compromised accounts potentially granting access to hundreds of sites per victim. The campaign has impacted at least 200 unique victims to date, according to Guardio Labs.

Timeline

  1. 07.05.2026 00:36 1 article · 3h ago

    AiTM phishing campaign via Google Ads targets ManageWP credentials with real-time credential relay

    Google Ads are being abused to serve adversary-in-the-middle phishing pages for ManageWP, GoDaddy’s remote WordPress management platform. Victims entering credentials and 2FA codes have their inputs relayed in real time to attackers via Telegram, enabling immediate account takeovers. The campaign uses an operator-driven framework with a dropdown command system and has compromised at least 200 unique victims, according to Guardio Labs.


Information Snippets

  • Threat actors are using Google Ads to display fake ManageWP login pages above legitimate search results for the query 'managewp'.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • The phishing pages employ an AiTM proxy to relay victim login attempts in real time to the legitimate ManageWP service while capturing credentials and 2FA codes.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • Captured credentials and 2FA codes are transmitted to a Telegram channel controlled by the attacker.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • The adversary then uses the harvested credentials to log in to the victim’s ManageWP account and prompts the victim for a 2FA code, enabling full account takeover.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • Each compromised ManageWP account typically controls hundreds of WordPress sites via the platform’s plugin, which is active on over 1 million websites.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • Guardio Labs infiltrated the attacker’s C2 infrastructure and observed a dropdown command system enabling an interactive and operator-driven phishing flow.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • The framework appears to be a private phishing tool rather than a commoditized kit, with embedded Russian-language terms disclaiming responsibility for illegal activity and prohibiting use against Russia-based systems.

    First reported: 07.05.2026 00:36
    1 source, 1 article
  • Guardio Labs has identified at least 200 unique victims and has begun notifying affected users.

    First reported: 07.05.2026 00:36
    1 source, 1 article