• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Canada bans Hikvision over national security concerns

 | 

Denmark moves to protect personal identity from deepfakes with new copyright law

 | 

Ahold Delhaize data breach affected over 2.2 Million individuals

 | 

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 

Security Affairs newsletter Round 530 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

The FBI warns that Scattered Spider is now targeting the airline sector

 | 

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • More than 17,000 WordPress websites infected with the Balada Injector in September

More than 17,000 WordPress websites infected with the Balada Injector in September

Pierluigi Paganini October 13, 2023

In September more than 17,000 WordPress websites have been compromised by the Balada Injector malware.

Sucuri researchers reported that more than 17,000 WordPress websites have been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August.

The Balada injector is a malware family that has been active since 2017. The malware supports multiple attack vectors and persistence mechanisms. The malicious code was first discovered in December 2022 by AV firm Doctor Web.

“Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.” reads the report published by Dr Web. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

Sucuri states that in recent attacks, the threat actors targeted vulnerable tagDiv’s premium themes. The experts discovered over 9,000 websites infected with Balada Injector by exploiting vulnerabilities in the Newspaper theme vulnerability.

“We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites.” states the report published by Sucuri. “September was also a very challenging month for thousands of users of the tagDiv Newspaper theme. The Balada Injector malware campaign performed a series of attacks targeting both the vulnerability in the tagDiv Composer plugin and blog administrators of already infected sites.”

In the recent campaign, threat actors exploited a cross-site scripting (XSS) vulnerability, tracked as CVE-2023-3169, in tagDiv Composer

“The obfuscated injection itself can be found in the “td_live_css_local_storage” option in the wp_options table of the WordPress database.” continues Sucuri.

The researchers observed several attack waves; Is some attacks the malicious script was injected through stay.decentralappps[.]com. The first variation of this injection is detected on over 4,000 sites, while a second variation is on another 1,000+ sites.

In another wave, the threat actors were observed using a malicious script to create rogue WordPress administrator accounts. In the first attacks, the threat actors used the username ‘greeceman’, but later started using auto-generated usernames based on the site’s hostname.

In other attacks, threat actors planted a backdoor in the Newspaper theme’s 404.php file.

Then the attackers switched to wp-zexit plugin installation and concealed the backdoor in the website’s Ajax interface.

On September 21, 2023, the Balada Injector operators registered three new domains within a period of 7 seconds.

In other attacks, experts observed randomized injections in tdw-css-placeholder and is most recent infections decoded scripts tried to load the next-stage malware from different URLs on multiple different subdomains of the three new Balada domains.

    Researchers recommend administrators upgrade the tagDiv Composer plugin to version 4.2 or later, to address the above vulnerability.

    Other recommendations include keeping WordPress components (themes and plugins) updated, remove dormant user accounts, and scan your files for hidden backdoors.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, WordPress)


    facebook linkedin twitter

    Balada injector Cybercrime hacking news information security news IT Information Security malware Pierluigi Paganini Security News Wordpress

    you might also like

    Pierluigi Paganini July 03, 2025
    Europol shuts down Archetyp Market, longest-running dark web drug marketplace
    Read more
    Pierluigi Paganini July 03, 2025
    Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses
    Read more

    leave a comment

    newsletter

    Subscribe to my email list and stay
    up-to-date!

      recent articles

      Europol shuts down Archetyp Market, longest-running dark web drug marketplace

      Cyber Crime / July 03, 2025

      Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

      Uncategorized / July 03, 2025

      Cisco removed the backdoor account from its Unified Communications Manager

      Security / July 02, 2025

      U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

      Cyber Crime / July 02, 2025

      Qantas confirms customer data breach amid Scattered Spider attacks

      Cyber Crime / July 02, 2025

      To contact me write an email to:

      Pierluigi Paganini :
      pierluigi.paganini@securityaffairs.co

      LEARN MORE

      QUICK LINKS

      • Home
      • Cyber Crime
      • Cyber warfare
      • APT
      • Data Breach
      • Deep Web
      • Digital ID
      • Hacking
      • Hacktivism
      • Intelligence
      • Internet of Things
      • Laws and regulations
      • Malware
      • Mobile
      • Reports
      • Security
      • Social Networks
      • Terrorism
      • ICS-SCADA
      • POLICIES
      • Contact me

      Copyright@securityaffairs 2024

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
      Cookie SettingsAccept All
      Manage consent

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT