WooCommerce admins targeted by fake security patches that hijack sites www.bleepingcomputer.com/news/secu…
A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a “critical patch” that adds a WordPress backdoor to the site.
Recipients who take the bait and download the update are actually installing a malicious plugin that creates a hidden admin account on their website, downloads web shell payloads, and maintains persistent access.
The campaign, which was discovered by Patchstack researchers, appears to be a continuation of a similar operation in late 2023 that targeted WordPress users with a fake patch for a made-up vulnerability. Patchstack says both campaigns used an unusual set of web shells, identical payload hiding methods, and similar email content.