• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • More than 17,000 WordPress websites infected with the Balada Injector in September

More than 17,000 WordPress websites infected with the Balada Injector in September

Pierluigi Paganini October 13, 2023

In September more than 17,000 WordPress websites have been compromised by the Balada Injector malware.

Sucuri researchers reported that more than 17,000 WordPress websites have been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August.

The Balada injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.

“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Sucuri states that in recent attacks, the threat actors targeted vulnerable tagDiv’s premium themes. The experts discovered over 9,000 websites infected with Balada Injector by exploiting vulnerabilities in the Newspaper theme vulnerability.

“We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.” states the report published by Sucuri. “September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.”

In the recent campaign, threat actors exploited a cross-site scripting (XSS) vulnerability, tracked as CVE-2023-3169, in tagDiv Composer

“The obfuscated injection itself can be found in the “td_live_css_local_storage” option in the wp_options table of the WordPress database.” continues Sucuri.

The researchers observed several attack waves; Is some attacks the malicious script was injected through stay.decentralappps[.]com. The first variation of this injection is detected on over 4,000 sites, while a second variation is on another 1,000+ sites.

In another wave, the threat actors were observed using a malicious script to create rogue WordPress administrator accounts. In the first attacks, the threat actors used the username ‘greeceman’, but later started using auto-generated usernames based on the site’s hostname.

In other attacks, threat actors planted a backdoor in the Newspaper theme’s 404.php file.

Then the attackers switched to wp-zexit plugin installation and concealed the backdoor in the website’s Ajax interface.

On September 21, 2023, the Balada Injector operators registered three new domains within a period of 7 seconds.

In other attacks, experts observed randomized injections in tdw-css-placeholder and is most recent infections decoded scripts tried to load the next-stage malware from different URLs on multiple different subdomains of the three new Balada domains.

    Researchers recommend administrators upgrade the tagDiv Composer plugin to version 4.2 or later, to address the above vulnerability.

    Other recommendations include keeping WordPress components (themes and plugins) updated, remove dormant user accounts, and scan your files for hidden backdoors.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, WordPress)


    facebook linkedin twitter

    Balada injector Cybercrime hacking news information security news IT Information Security malware Pierluigi Paganini Security News Wordpress

    you might also like

    Pierluigi Paganini July 23, 2025
    Microsoft linked attacks on SharePoint flaws to China-nexus actors
    Read more
    Pierluigi Paganini July 22, 2025
    Cisco confirms active exploitation of ISE and ISE-PIC flaws
    Read more

    leave a comment

    newsletter

    Subscribe to my email list and stay
    up-to-date!

      recent articles

      Microsoft linked attacks on SharePoint flaws to China-nexus actors

      APT / July 23, 2025

      Cisco confirms active exploitation of ISE and ISE-PIC flaws

      Hacking / July 22, 2025

      SharePoint under fire: new ToolShell attacks target enterprises

      Hacking / July 22, 2025

      CrushFTP zero-day actively exploited at least since July 18

      Hacking / July 22, 2025

      Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

      Security / July 22, 2025

      To contact me write an email to:

      Pierluigi Paganini :
      pierluigi.paganini@securityaffairs.co

      LEARN MORE

      QUICK LINKS

      • Home
      • Cyber Crime
      • Cyber warfare
      • APT
      • Data Breach
      • Deep Web
      • Digital ID
      • Hacking
      • Hacktivism
      • Intelligence
      • Internet of Things
      • Laws and regulations
      • Malware
      • Mobile
      • Reports
      • Security
      • Social Networks
      • Terrorism
      • ICS-SCADA
      • POLICIES
      • Contact me

      Copyright@securityaffairs 2024

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
      Cookie SettingsAccept All
      Manage consent

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT