article featured image


A malware distribution operation known as Balada Injector has been active since 2017, and it is believed that it has infected over a million WordPress sites.

According to GoDaddy’s Sucuri, the massive campaign “leverages all known and recently discovered theme and plugin vulnerabilities” to compromise WordPress sites. The attacks have been observed to occur in waves every few weeks.

This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites.


Rogue CAPTCHA Pages

Users are encouraged to enable notifications to ‘Please Allow to verify, that you are not a robot,’ on rogue CAPTCHA pages so that the actors can deliver spam advertisements. The websites also provide bogus tech help and fraudulent lottery prizes.

The research expands on findings from Doctor Web, which described a Linux malware family that targets WordPress sites through vulnerabilities in more than two dozen plugins and themes.

During the course of those years, Balada Injector has used over a hundred different domains and a wide variety of techniques to exploit various security flaws (such as HTML injection and Site URL), mostly targeting the wp-config.php file in an effort to steal database credentials.

The attacks are also designed to hunt for tools like adminer and phpmyadmin that may have been left behind by site administrators after completing maintenance activities, as well as to read or download arbitrary site files such backups, database dumps, log and error files, as per The Hacker News.

Fake WordPress Admin Users

Finally, the malware generates fake WordPress admin users, harvests data stored on the underlying hosts, and leaves backdoors for persistent access.

Balada Injector then conducts broad searches from top-level directories associated with the compromised website’s file system in order to find writable directories belonging to other sites.

Most commonly, these sites belong to the webmaster of the compromised site and they all share the same server account and the same file permissions. (…) In this manner, compromising just one site can potentially grant access to several other sites ‘for free.’


If these attack paths fail, the administrator password is brute-forced using a set of 74 predefined credentials. As a result, WordPress users should keep their website software up to date, remove unused plugins and themes, and use strong WordPress admin passwords.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Madalina Popovici

Digital PR Specialist

linkedin icon

Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.