• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT

 | 

SonicWall warns customers to reset credentials after MySonicWall backups were exposed

 | 

CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

 | 

Jaguar Land Rover will extend its production halt into a third week following a cyberattack

 | 

China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

 | 

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

 | 

DoJ resentenced former BreachForums admin to three years in prison

 | 

Apple backports fix for actively exploited CVE-2025-43300

 | 

New supply chain attack hits npm registry, compromising 40+ packages

 | 

Cybercrime group accessed Google Law Enforcement Request System (LERS)

 | 

China-linked Mustang Panda deploys advanced SnakeDisk USB worm

 | 

Insider breach at FinWise Bank exposes data of 689,000 AFF customers

 | 

Hackers steal millions of Gucci, Balenciaga, and Alexander McQueen customer records

 | 

Fairmont Federal Credit Union 2023 data breach impacted 187K people

 | 

UK ICO finds students behind majority of school data breaches

 | 

INC ransom group claimed the breach of Panama’s Ministry of Economy and Finance

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 62

 | 

Security Affairs newsletter Round 541 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

ShinyHunters Attack National Credit Information Center of Vietnam

 | 

FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • More than 17,000 WordPress websites infected with the Balada Injector in September

More than 17,000 WordPress websites infected with the Balada Injector in September

Pierluigi Paganini October 13, 2023

In September more than 17,000 WordPress websites have been compromised by the Balada Injector malware.

Sucuri researchers reported that more than 17,000 WordPress websites have been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August.

The Balada injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.

“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Sucuri states that in recent attacks, the threat actors targeted vulnerable tagDiv’s premium themes. The experts discovered over 9,000 websites infected with Balada Injector by exploiting vulnerabilities in the Newspaper theme vulnerability.

“We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.” states the report published by Sucuri. “September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.”

In the recent campaign, threat actors exploited a cross-site scripting (XSS) vulnerability, tracked as CVE-2023-3169, in tagDiv Composer

“The obfuscated injection itself can be found in the “td_live_css_local_storage” option in the wp_options table of the WordPress database.” continues Sucuri.

The researchers observed several attack waves; Is some attacks the malicious script was injected through stay.decentralappps[.]com. The first variation of this injection is detected on over 4,000 sites, while a second variation is on another 1,000+ sites.

In another wave, the threat actors were observed using a malicious script to create rogue WordPress administrator accounts. In the first attacks, the threat actors used the username ‘greeceman’, but later started using auto-generated usernames based on the site’s hostname.

In other attacks, threat actors planted a backdoor in the Newspaper theme’s 404.php file.

Then the attackers switched to wp-zexit plugin installation and concealed the backdoor in the website’s Ajax interface.

On September 21, 2023, the Balada Injector operators registered three new domains within a period of 7 seconds.

In other attacks, experts observed randomized injections in tdw-css-placeholder and is most recent infections decoded scripts tried to load the next-stage malware from different URLs on multiple different subdomains of the three new Balada domains.

    Researchers recommend administrators upgrade the tagDiv Composer plugin to version 4.2 or later, to address the above vulnerability.

    Other recommendations include keeping WordPress components (themes and plugins) updated, remove dormant user accounts, and scan your files for hidden backdoors.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, WordPress)


    facebook linkedin twitter

    Balada injector Cybercrime hacking news information security news IT Information Security malware Pierluigi Paganini Security News Wordpress

    you might also like

    Pierluigi Paganini September 18, 2025
    ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT
    Read more
    Pierluigi Paganini September 18, 2025
    SonicWall warns customers to reset credentials after MySonicWall backups were exposed
    Read more

    leave a comment

    newsletter

    Subscribe to my email list and stay
    up-to-date!

      recent articles

      ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT

      Hacking / September 18, 2025

      SonicWall warns customers to reset credentials after MySonicWall backups were exposed

      Data Breach / September 18, 2025

      CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

      Uncategorized / September 18, 2025

      Jaguar Land Rover will extend its production halt into a third week following a cyberattack

      Security / September 18, 2025

      China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

      APT / September 17, 2025

      To contact me write an email to:

      Pierluigi Paganini :
      pierluigi.paganini@securityaffairs.co

      LEARN MORE

      QUICK LINKS

      • Home
      • Cyber Crime
      • Cyber warfare
      • APT
      • Data Breach
      • Deep Web
      • Digital ID
      • Hacking
      • Hacktivism
      • Intelligence
      • Internet of Things
      • Laws and regulations
      • Malware
      • Mobile
      • Reports
      • Security
      • Social Networks
      • Terrorism
      • ICS-SCADA
      • POLICIES
      • Contact me

      Copyright@securityaffairs 2024

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
      Cookie SettingsAccept All
      Manage consent

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT