A large-scale phishing campaign is targeting WooCommerce users with a fake security alert that urges them to download an "important patch" which in fact installs a WordPress backdoor on their site.
Recipients who take the bait and download the "update" are actually installing a malicious plugin that creates a hidden administrator account on their website, downloads web shell payloads, and maintains persistence.
The campaign, discovered by Patchstack researchers, appears to be a continuation of a similar operation from late 2023 in which WordPress users were targeted with fake patches for a made-up vulnerability.
Patchstack says both campaigns used an unusual set of web shells, similar payload-hiding methods, and similar email material.
Fake security alert
The emails target WordPress admins running the popular WooCommerce e-commerce plugin and are sent from the address help@security-woocommerce[.]com.
Recipients are told that their websites have been targeted by hackers attempting to exploit an "unauthenticated administrative access" vulnerability.
To secure their online stores and data, recipients are advised to download a patch via an embedded button, with step-by-step instructions on how to install it.
"We are contacting you about a significant security vulnerability found in the WooCommerce platform on 14 April 2025," reads the phishing email.
"Warning: Our latest security scan made on April 21, 2025 confirmed that this important vulnerability directly affects your website."
"We strongly advise you to take immediate measures to secure your store and protect your data," the email continues, adding a sense of urgency.
[Image: the phishing email] Source: Patchstack
Clicking the 'Download Patch' button takes victims to a website that spoofs WooCommerce, hosted on the highly misleading domain woocommėrce[.]com, which differs from the official woocommerce.com by a single character.
The malicious domain employs a homograph attack technique: the Lithuanian character "ė" (U+0117) is used in place of "e", making the substitution easy to miss.
[Image: the spoofed WooCommerce site] Source: Patchstack
Infection activity
After the victim installs the fake security fix ("authbypass-update-31297-id.zip"), it creates a randomly named cron job that runs every minute and attempts to create a new administrator-level user.
Next, the plugin registers the infected site with woocommerce-services[.]com/wpapi via an HTTP GET request and receives an obfuscated second-stage payload.
This, in turn, installs several PHP-based web shells under 'wp-content/uploads/', including PAS-Fork, p0wny, and WSO.
Patchstack comments that the web shells give complete control over the site and can be used for ad injection, redirecting users to malicious destinations, enlisting the server in DDoS botnets, stealing payment card information, or encrypting the site for extortion.
To evade detection, the plugin removes itself from the visible plugin list and also hides the malicious administrator account it created.
Patchstack advises website owners to check for administrator accounts with random 8-character names, unusual cron jobs, a folder named 'authbypass-update', and outgoing requests to woocommerce-services[.]com.
However, the security firm notes that threat actors usually change all of these indicators once they are exposed through public research, so do not rely solely on narrowly scoped scans.
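As an added illustration (not Patchstack's tooling or the article's own code), the script below checks the two things a defender can verify offline from this report: whether a domain is a diacritic-based lookalike of woocommerce.com, and whether a WordPress tree shows the filesystem indicators listed above (PHP files under wp-content/uploads/, an 'authbypass-update' folder, plugin code referencing woocommerce-services[.]com). It assumes a standard WordPress layout; the sample tree it builds is constructed for demonstration and contains no real shell code.

```python
# Added example (not Patchstack's tooling); assumes a standard WordPress layout.
# Indicators are those named in the article; the sample tree is constructed, not real.
import os
import tempfile
import unicodedata

C2_DOMAIN = "woocommerce-services.com"   # second-stage server named in the article
DROPPER_DIR = "authbypass-update"        # plugin folder name reported by Patchstack

def skeleton(domain: str) -> str:
    """Strip diacritics so 'woocommėrce.com' collapses to 'woocommerce.com'."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def is_lookalike(domain: str, brand: str) -> bool:
    """True when domain is not the brand but reads identically once marks are removed."""
    return domain.lower() != brand.lower() and skeleton(domain) == skeleton(brand)

def audit_wordpress_tree(root: str) -> list:
    """Return sorted (indicator, path) pairs for the filesystem indicators above."""
    uploads = os.path.join(root, "wp-content", "uploads")
    plugins = os.path.join(root, "wp-content", "plugins")
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == DROPPER_DIR:
            findings.append(("dropper-dir", dirpath))
        for name in files:
            path = os.path.join(dirpath, name)
            # uploads/ should hold media only; PHP there is where the web shells landed
            if path.startswith(uploads) and name.lower().endswith((".php", ".phtml")):
                findings.append(("php-in-uploads", path))
            # plugin code that calls home for the obfuscated second stage
            if path.startswith(plugins) and name.endswith(".php"):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if C2_DOMAIN in fh.read():
                        findings.append(("c2-reference", path))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed tree mimicking the described layout; placeholder files only."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "wp-content", "uploads", "2025", "04")
    dropper = os.path.join(root, "wp-content", "plugins", DROPPER_DIR)
    os.makedirs(media)
    os.makedirs(dropper)
    with open(os.path.join(media, "wso.php"), "w") as fh:
        fh.write("<?php // placeholder file standing in for a dropped web shell\n")
    with open(os.path.join(dropper, "init.php"), "w") as fh:
        fh.write("<?php $stage2 = 'https://" + C2_DOMAIN + "/wpapi';\n")
    return root
```

Point `audit_wordpress_tree()` at a real document root to list hits; the account and cron-job indicators live in the database and still need a separate check (for example via WP-CLI).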