{
	"id": "3e74037f-66ac-409f-85fb-819bf00094a4",
	"created_at": "2026-04-06T00:19:03.734937Z",
	"updated_at": "2026-04-10T03:38:19.493179Z",
	"deleted_at": null,
	"sha1_hash": "89951f8270cd950887f5acf99c65638d2c68b6de",
	"title": "Sansec Threat Research \u0026 News",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4855615,
	"plain_text": "Sansec Threat Research \u0026 News\r\nArchived: 2026-04-05 22:49:28 UTC\r\nSansec has specialized in digital skimming since 2015. We are often \"first at the scene\" to investigate high-profile\r\nbreaches and publish regularly about our discovery of new attack vectors.\r\nMass PolyShell attack wave hits 471 stores in one hour\r\n2026-03-30 Sansec detected 471 stores compromised in a single hour as attackers exploit the PolyShell\r\nvulnerability at scale. The attack injects obfuscated JavaScript from the freshly registered domain\r\nlanhd6549tdhse.top. New victims are still coming in every minute.\r\nskimming magecart magento adobe-commerce +2\r\nNovel WebRTC skimmer bypasses security controls at $100+ billion car maker\r\nhttps://sansec.io/labs/2020/01/25/magecart-hackers-arrested/\r\nPage 1 of 47\n\n2026-03-24 Sansec discovered a payment skimmer that uses WebRTC DataChannels to receive its payload and\r\nexfiltrate stolen data, bypassing CSP and HTTP-based security tools.\r\nskimming magecart skimmer webrtc +2\r\nPolyShell: unrestricted file upload in Magento and Adobe Commerce\r\n2026-03-17 PolyShell lets attackers upload executable files to any Magento or Adobe Commerce store via the\r\nREST API. Sansec has now observed attacks on 79.5% of all stores. No official patch exists for production\r\nversions. 
Many stores run web server configurations that enable remote code execution (RCE) or ...\r\nskimming magento adobe-commerce rce +3\r\nDigital skimmer hits global supermarket chain\r\n2026-02-20 Sansec discovered a payment skimmer on the online store of a top-10 global supermarket chain.\r\nDespite repeated attempts to alert the company, the skimmer is still in place after 4 days.\r\nskimming magecart skimmer prestashop\r\nBuilding a faster YARA engine in pure Go\r\n2026-02-18 We built a pure Go YARA engine that's 6.8x faster for text-based scanning, with no C dependencies. It\r\nnow processes over 57,000 scans per day in production, and we're open-sourcing it today.\r\nskimming ecomscan yara yargo +1\r\nClaude finds 353 zero-days on Packagist\r\n2026-01-22 We built an AI-powered security pipeline to audit popular ecommerce extensions on Packagist. The\r\nvulnerabilities we found range from password leaks to full remote code execution.\r\nskimming magento adobe-commerce supply-chain +1\r\nThe billion-dollar security.txt problem\r\n2026-01-16 When Sansec found a keylogger on a major US bank employee site, the hardest part wasn't detecting\r\nthe malware. It was finding someone to tell.\r\nskimming security-txt disclosure enterprise\r\nKeylogger targets 200,000+ employees at major US bank\r\n2026-01-15 Sansec discovered an active keylogger on the employee merchandise store of a top 3 US bank. The\r\nmalware harvests all form data (including passwords and personal information) from over 200,000 potential\r\nvictims.\r\nskimming magecart skimmer keylogger +1\r\nConnectPOS leaked Github secrets for years\r\n2026-01-12 Sansec discovered that ConnectPOS has been showing their Github credentials on their site for 4\r\nyears. 
This would enable attackers to slip malicious code into each of the thousands of ConnectPOS retail\r\ninstallations. Sansec recommends verifying the integrity of installed code.\r\nskimming supply-chain magento connectpos +2\r\nCritical backdoor found in MGT Varnish extension\r\n2025-12-15 Sansec discovered an open backdoor in MGT Varnish, a popular cache manager for online stores.\r\nWhile the backdoor appears to be intended for remote support, it can be exploited by anyone.\r\nskimming\r\nSessionReaper attacks have started, 3 in 5 stores still vulnerable\r\n2025-10-22 Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active\r\nexploitation. Sansec Shield blocked dozens of attacks today. With only 38% of stores patched and exploit details\r\nnow public, mass abuse will follow in the coming hours.\r\nskimming CVE-2025-54236 magento adobe-commerce +6\r\nSessionReaper, unauthenticated RCE in Magento \u0026 Adobe Commerce (CVE-2025-54236)\r\n2025-09-08 SessionReaper (CVE-2025-54236) is a critical bug in Magento \u0026 Adobe Commerce. The bug may\r\nhand full control of a store to unauthenticated attackers. Automated attacks have hit over 50% of all stores\r\nglobally. Merchants should act immediately.\r\nskimming CVE-2025-54236 magento adobe-commerce +5\r\nAdobe patches critical Magento admin takeover via menu injection\r\n2025-06-12 A new attack on Adobe Commerce may break the menu bar for admin users. If your menu bar is\r\nmissing, someone is stealing your session via CVE-2025-47110.\r\nskimming\r\nBackdoor found in popular ecommerce components\r\n2025-05-01 Multiple vendors were hacked in a coordinated supply chain attack; Sansec found 21 applications\r\nwith the same backdoor. 
Curiously, the malware was injected 6 years ago, but came to life this week as attackers\r\ntook full control of ecommerce servers. Sansec estimates that between 500 and 1000 store...\r\nskimming\r\nFound defunct.dat on your site? You've got a problem.\r\n2025-04-03 Sansec found criminals mass-scanning for defunct.dat files, which contain GSocket backdoor keys. A\r\nquick scan reveals dozens of infected stores.\r\nskimming\r\nYou have 2 weeks left to set up CSP for your store\r\n2025-03-17 Use of Content Security Policy (CSP) is increasing as PCI-DSS 4.0 goes live on April 1st. However, our\r\nresearch shows that most online stores have not enabled CSP reporting - a critical requirement under the new PCI\r\nstandards.\r\nskimming\r\nMerchants left guessing at last-minute PCI-DSS u-turn\r\n2025-03-06 Merchants outraged as PCI-SSC changes compliance criteria just weeks before the new regulation\r\ncomes into effect.\r\nskimming\r\nMagento Security Release APSB25-08 [Impact Analysis]\r\n2025-02-12 Critical (CVSS 9.4) release addresses a flaw that enables attackers to take control of customer accounts.\r\nskimming\r\nSorry, client-side security does not work\r\n2025-02-03 Browser-based protection can easily be bypassed by the majority of digital skimming attacks.\r\nskimming\r\nGoogle services abused in skimming campaigns\r\n2024-12-31 Attackers are abusing Google services like Translate and YouTube to bypass security measures and\r\nexecute malicious campaigns. 
Recent incidents and strategies employed by these threat actors are outlined below.\r\nskimming\r\nThousands of Adobe Commerce stores hacked in competing CosmicSting campaigns\r\n2024-10-01 Cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. Among the\r\nvictims are large international brands. Seven distinct groups are using CosmicSting attacks to plant malicious code\r\non victim stores.\r\nskimming\r\nCosmicSting attack \u0026 defense overview\r\n2024-09-16 CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in\r\ntwo years. Sansec observes that stores are getting hacked at a rate of 5 to 30 per hour. Merchants need to\r\nimplement these countermeasures as soon as possible.\r\nskimming\r\nPersistent backdoors injected on Adobe Commerce via new CosmicSting attack\r\n2024-08-27 In our previous posts, we discussed how threat actors were abusing CosmicSting by injecting\r\nmalicious scripts into CMS blocks. While these attacks continue, we've observed a significant escalation -\r\nattackers are now chaining CosmicSting with CNEXT to achieve remote code execution (RCE). We warne...\r\nskimming\r\nCosmicSting attacks have started hitting major stores\r\n2024-07-12 Almost a month ago, we warned about the CosmicSting attack that threatens 75% of Adobe\r\nCommerce stores. Sansec now observes mass abuse of this vulnerability in the wild. Stores are getting hacked at a\r\nrate of 5 to 30 per hour, our live tracking reveals. 
International household brands are among th...\r\nskimming\r\nPolyfill supply chain attack hits 100K+ sites\r\n2024-06-25 The new Chinese owner of the popular Polyfill JS project injects malware into more than 100\r\nthousand sites.\r\nskimming\r\nCosmicSting attack threatens 75% of Adobe Commerce stores\r\n2024-06-18 One week after the release of a critical security fix, just a quarter of all Adobe Commerce and\r\nMagento stores have been patched.\r\nskimming\r\nPersistent Magento backdoor hidden in XML\r\n2024-04-04 Does your Interceptor.php keep getting infected? Attackers are using a new method for malware\r\npersistence on Magento servers. Sansec discovered a cleverly crafted layout template in the database, which was\r\nused to automatically inject malware.\r\nskimming\r\nSansec joins forces with Google's VirusTotal\r\n2024-03-08 Google, via its subsidiary VirusTotal, has selected Sansec as an approved security vendor. Sansec will\r\ncontribute its specialized intel on eCommerce security threats to the VirusTotal platform.\r\nskimming\r\nSansec and Europol counter online skimming\r\n2024-01-09 Europol, law enforcement authorities from 17 countries and the European Union Agency for\r\nCybersecurity (ENISA) have joined forces with private sector partners such as Sansec.\r\nskimming\r\nMagento wish list exploit bypasses WAF protection\r\n2023-12-18 Found your Magento 2 store hacked recently? Chances are that attackers injected a malicious wish\r\nlist. Just before Christmas? 
Oh the irony.\r\nskimming trojanorder\r\nIs your store’s newsletter being used for phishing?\r\n2023-11-10 Cybercriminals in eCommerce are diversifying their targets, now aiming at entire customer databases\r\ninstead of just stealing credit cards. A recent incident revealed this trend: a hacked Magento admin account was\r\nexploited to launch a phishing campaign through the platform's newsletter system, re...\r\nskimming\r\nMalware Persistence via Telegram and GitHub\r\n2023-08-22 Credit card thieves now use Telegram and Github to steal customer data.\r\nskimming\r\nPostponed Exfiltration Evades Detection\r\n2023-05-09 Criminals have come up with a clever way to steal customer data only after the regular checkout flow.\r\nThis stealthy attack is very hard to detect.\r\nskimming\r\nSansec analysis: 12% of online stores leak private backups\r\n2023-02-07 Sansec discovered that one in nine online stores accidentally expose private backups. This mistake\r\ncould have dire consequences. Online criminals are actively scanning for these backups, as they contain\r\npasswords and other sensitive information. Exposed secrets have been used to gain control of s...\r\nskimming\r\nVendors defeat Magento security patch (+ simple check)\r\n2023-01-17 Magento and Adobe Commerce stores around the world have been hammered with Trojan Order\r\nattacks this winter. And even if you have patched or installed Adobe’s 2.4.4 release, you may still be vulnerable.\r\nSansec discovered that several vendors and agencies are actively bypassing this security fix, ...\r\nskimming trojanorder\r\nFake Klaviyo accounts added to Magento\r\n2022-12-21 Are your Magento admin accounts legitimate? 
Chances are that a klaviyo_support_XXXX account\r\nwas added this week. Best to quickly remove it and read this article.\r\nskimming\r\nAdobe Commerce merchants to be hit with TrojanOrders this season\r\n2022-11-15 At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and\r\nAdobe Commerce websites in November.\r\nskimming trojanorder\r\nExtortion of Magento merchants\r\n2022-11-07 Sansec has received reports of criminals trying to extort Magento merchants with the message below.\r\nAs long as the sender does not produce evidence, they almost certainly did not steal your sensitive data. Ignoring\r\nthem is best.\r\nskimming\r\nSurge in Magento 2 template attacks\r\n2022-09-22 The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among\r\neCommerce cybercriminals. The majority of recent Sansec forensic cases concern this attack method. In this\r\narticle we share our findings of 3 template hacks, and hope it will help you if you are confron...\r\nskimming trojanorder\r\nMagento vendor Fishpig hacked, backdoors added\r\n2022-09-13 Fishpig, a vendor of popular Magento-Wordpress integrations, has been hacked. Sansec found that\r\nattackers have injected malware in Fishpig software and taken control of Fishpig servers. Online stores running\r\nFishpig software may now have the \"Rekoobe\" malware installed on their servers,...\r\nskimming\r\nMagento 2 critical vulnerability (CVE-2022-24086 \u0026 CVE-2022-24087)\r\n2022-02-14 Adobe has released two emergency patches for a critical vulnerability in Magento 2. You need to\r\napply both patches, in order. The vulnerability allows unauthenticated remote code execution (RCE), which is the\r\nworst possible type. 
Actual abuse has already been reported. To illustrate the severity,...\r\nskimming trojanorder\r\nNaturalFreshMall: a Magento Mass Hack\r\n2022-02-08 An investigative report by Sansec researchers on how one vulnerable Magento extension leads to a\r\nmass web store attack, with Magecart attackers using naturalfreshmall.com to hide and serve malware to 500+\r\necommerce websites.\r\nskimming\r\nMagento and the Log4j vulnerability\r\n2021-12-13 Updated Dec 20th. This article describes how Magento is affected by the critical log4j vulnerability,\r\nand what you can (and should) do to prevent a hack. A critical vulnerability in the popular Log4j Java library has\r\nbeen massively exploited since December 1st. It exposes full control to a remote...\r\nskimming\r\nNginRAT parasite targets Nginx\r\n2021-12-01 A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code\r\ninjects itself into a host Nginx application and is nearly invisible. The parasite is used to steal data from\r\neCommerce servers, also known as \"server-side Magecart\". The malware was found o...\r\nskimming\r\nCronRAT malware hides behind February 31st\r\n2021-11-24 In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-before-seen\r\nstealth techniques. This malware, dubbed \"CronRAT\", hides in the Linux calendar system on February 31st. It is\r\nnot recognized by other security vendors and is likely to stay undetected...\r\nskimming\r\nNew linux_avp malware hits eCommerce sites\r\n2021-11-18 Sansec discovered a new malicious agent \"linux_avp\" that hides as a system process on eCommerce\r\nservers. 
It has been deployed around the world since last week and takes commands from a control server in\r\nBeijing.\r\nskimming\r\nCase Study: How eCommerce Hackers Silently Steal Credit Card Data\r\n2021-05-03 The majority of online stores have never been hacked and, as a result, take a somewhat lax approach\r\nto cybersecurity. However, no less than 20% of all online stores get hacked every year, which means it might only\r\nbe a matter of time until yours becomes the next victim.\r\nskimming\r\nGoogle Apps Script used to steal data\r\n2021-02-18 The Google business application platform Apps Script is used to funnel stolen personal data, Sansec\r\nlearned. Attackers use the reputation of the trusted Google domain script.google.com to evade malware scanners\r\nand trust controls like CSP. Thanks to some data from @sansecio, I came across another...\r\nskimming\r\nFake payment page before checkout on Shopify and BigCommerce\r\n2020-12-24 A new type of web skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zen Cart\r\nand WooCommerce. Hosted (SaaS) ecommerce platforms like BigCommerce and Shopify do not allow custom\r\nJavaScript on their checkout pages. This skimmer evades that by showing a fake payment form and record...\r\nskimming\r\neCommerce trojan accidentally leaks victims\r\n2020-12-18 Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked\r\neCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim stores in a deleted\r\nfile, which unveils the depth of this hacking campaign. 
The RAT is used to gain illic...\r\nskimming\r\nPersistent parasite in EOL Magento 2\r\n2020-12-02 Over the last few months, hackers have quietly added a subtle security flaw to over 50 large online stores,\r\nonly to exploit them right before Black Friday, Sansec research shows. The flaw's presence would ensure future\r\naccess for the attackers, even if their primary operation was blown. Sansec has be...\r\nskimming\r\nPayment skimmer hides in social media buttons\r\n2020-11-26 Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout\r\npages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads the payload\r\nand executes the concealed code. While skimmers have added their malicious payload to ben...\r\nskimming\r\nCardbleed: 3% of Magento install base hacked\r\n2020-09-14 Update Sept 18: Cardbleed has infected 2806 Magento 1 stores so far (3% of total install base). Over\r\nthe weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest documented\r\ncampaign to date. It was a typical Magecart attack: injected malicious code would inter...\r\nskimming\r\nNorth Korean hackers are skimming US and European shoppers\r\n2020-07-06 North Korean state-sponsored hackers are implicated in the interception of online payments from\r\nAmerican and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN\r\nCOBRA group were found to be breaking into online stores of large US retailers and planting payment...\r\nskimming\r\nDigital skimmer runs entirely on Google, defeats CSP\r\n2020-06-22 A newly discovered skimming campaign runs entirely on Google servers, Sansec research shows. 
The\r\nnovel malware sends stolen credit cards directly to Google Analytics, evading security controls like CSP.\r\nTypically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its locat...\r\nskimming\r\nLockdown: Stores closed, online stores hacked\r\n2020-06-15 A day after Claire's (fashion retailer) closed its 3,000 stores, an anonymous party registered claires-assets.com. Later, Claire's got hacked.\r\nskimming\r\nDo these two things to keep your Magento 1 store running after June\r\n2020-05-28 Over 100 thousand Magento 1 stores will still be running after Adobe terminates support in June (end-of-life). Many merchants need more time to transition to Magento 2 or another platform. No need to panic: your\r\nstore will not suddenly crash on July 1st. But you should make two important arrangement...\r\nskimming magento 1 deadline\r\nWill Magento 1 stay PCI compliant?\r\n2020-05-08 Magento 1 will no longer receive official updates \u0026 security fixes as of July 1st, 2020 (the end-of-life,\r\nor EOL date). Merchants are urged to upgrade to Magento 2, but for many stores this deadline is not feasible.\r\nMerchants want to know: Will my Magento 1 store still be secure after July 1st...\r\nskimming magento 1 pci\r\nSansec reveals longest Magecart skimming operation to date [Analysis]\r\n2020-02-25 Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online\r\nprinting platform for more than two and a half years. 
Our research shows that crooks ran keyloggers to intercept\r\ncustomer payment data and that multiple actors have since been fighting for contr...\r\nskimming\r\nSansec partners with Maxcluster\r\n2020-02-20 Utrecht, February 20: Sansec is proud to announce that it has formed a long-term strategic partnership\r\nwith maxcluster to bring its industry-leading anti-malware technology to the German e-commerce hosting provider. The\r\nunique alliance, which makes maxcluster the most secure e-commerce hosting platform in ...\r\nskimming maxcluster partnership\r\nIndonesian Magecart hackers arrested\r\n2020-01-25 The Indonesian police announced on Friday that they have arrested three alleged Magecart hackers on\r\nDecember 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. After the press\r\nconference, one suspect admitted on Indonesian television that he had injected web skimm...\r\nskimming\r\nPayment skimmers have impersonated Sansec\r\n2019-12-02 Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service.\r\nThey have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in Amsterdam\r\nto make it look legitimate. Here is the fraudulent registration record: Domain Name: sansec.us C...\r\nskimming\r\nAmerican Cancer Society hit by payment skimmer\r\n2019-10-25 Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American\r\nCancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the Cancer.org\r\nshop, which intercepts payments from unsuspecting visitors. Sansec has contacted Cancer.or...\r\nskimming\r\nMagento security extensions vendor got hacked\r\n2019-10-07 The store of a US Magento extension vendor was found compromised. 
Attackers had write access to\r\nthe server selling extensions. We are awaiting a statement on the integrity of downloaded software. Our malware\r\ncrawlers detected a compromise of Extendware, a vendor of Magento extensions such as \u0026quo...\r\nskimming\r\nFBI recommends malware scanning against skimming\r\n2019-08-17 The FBI warns small and medium-sized businesses and government agencies against the threat of e-skimming. E-skimming occurs when cybercriminals inject malicious code onto a website. Read the original FBI\r\nstatement\r\nskimming fbi malware\r\nSansec at Europol training: 50,000+ stores hacked\r\n2019-08-12 Cementing itself as a global force in the protection against eCommerce fraud, Sansec has been invited\r\nto speak at the fifth edition of Europol’s Training Course on Payment Card Fraud Forensic Investigations in Avila,\r\nSpain. The week-long event, hosted by the Spanish National Police Academy, saw 5...\r\nskimming sansec europol training\r\nPCI-SSC/RHISAC quote Sansec: 20% of stores reinfected\r\n2019-08-01 The PCI Security Standards Council and the Retail \u0026 Hospitality ISAC alert merchants to the threat\r\nof digital skimming. The report quotes Sansec research, which has found that about 20% of hacked merchants\r\neventually get re-infected. Read the full report here (PDF).\r\nskimming\r\nCritical Magento 2 flaw exploited within 16 hours\r\n2019-05-10 The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw\r\nwas discovered in March and criminals stole admin passwords within 16 hours. Merchants are advised to\r\nimplement emergency measures, even if they have already patched. 
Update June 12th: While there w...\r\nskimming\r\nSports brand Puma infected with advanced malware\r\n2019-04-29 On April 25th, sports brand Puma Australia got infected with the most sophisticated payment skimmer\r\nto date.\r\nskimming\r\n57 payment gateways from Germany to Brazil targeted\r\n2019-04-29 Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has\r\nglobal reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer to date.\r\nThis skimmer consists of two components: a polymorphic loader, and a sophisticated exfiltra...\r\nskimming\r\nCredit cards of Atlanta Hawks fans stolen\r\n2019-04-24 Online credit card thieves - also known as Magecart - have managed to inject a payment skimmer in\r\nthe online store of the Atlanta Hawks. Fans who ordered merchandise on or after April 20th had their name,\r\naddress and credit card stolen.\r\nskimming\r\nBad extensions now main source of Magento hacks: a solution!\r\n2019-01-29 In October last year I discovered several Magento extension 0days. As it turns out, this was only the\r\ntip of the iceberg: today, insecure third-party extensions are used to hack into thousands of stores. A group of\r\nMagento professionals has identified 63 vulnerable extensions, and is now releasin...\r\nskimming\r\nLarge sites hacked via Adminer database tool\r\n2019-01-20 This week I discovered that large ecommerce and government sites got hacked via the Adminer\r\ndatabase tool. As it turns out, the root cause is a protocol flaw in MySQL. 
Curiously, it is described in the official\r\ndocumentation, which says: The transfer of the file from the client host to the server...\r\nskimming\r\nPHP tool 'Adminer' leaks passwords\r\n2019-01-17 Update 2019-01-20: the root cause is a protocol flaw in MySQL. Adminer is a popular PHP tool to\r\nadminister MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Attackers can\r\nabuse that to fetch passwords for popular apps such as Magento and Wordpress, and gain con...\r\nskimming\r\nCompeting digital skimmers sabotage each other\r\n2018-11-20 Skimmers found to subtly sabotage each other's fraud operations. Competition is grim in the online\r\nskimming business (aka \"MageCart\"). The aggressive MagentoCore skimmer was previously observed to kick\r\ncontending parasites from its victim hosts. But this week, we discovered that the bat...\r\nskimming\r\nMerchants struggle with MageCart reinfections\r\n2018-11-12 1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 days. MageCart,\r\nthe notorious actors behind massive online card skimming, have been busy. And so have we: our crawlers are\r\ncontinuously tracking the raging battle between card thieves and merchants. It seems that the l...\r\nskimming\r\nBackdoor found in Webgility\r\n2018-10-30 Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to\r\nupgrade to version 345. Update Nov 30th: Webgility has discovered another security issue and urges all customers\r\nto upgrade to version 346. The VC-funded Webgility software contains a backdoor for th...\r\nskimming\r\nUnpublished security flaws (0days) massively exploited\r\n2018-10-23 Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate\r\ncheckout pages. 
But how are they able to inject anything in the first place? As it turns out, thieves are\r\nmassively exploiting unpublished security flaws (aka 0days) in popular store exte...\r\nskimming\r\nGerman political party store hacked before election\r\n2018-10-15 The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was\r\nplanted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifiable information of\r\ncustomers gets sent to a remote server during the checkout process. Because the CSU s...\r\nskimming\r\nMageCart: now with tripwire\r\n2018-10-04 Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were\r\nfound running. Then, their malware would 404 without the correct Referer or User-Agent header. And now, Magecart\r\nsounds the alarm when it finds you snooping around, and collects a fingerprint of you on an e...\r\nskimming\r\nABS-CBN next in series of high-profile breaches\r\n2018-09-18 While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We\r\nfound their broadcasting giant ABS-CBN − a $740 million conglomerate \u0026 top-500 global Internet destination −\r\nto be hacked. Criminals have been running a payment skimmer on ABS-CBN's online store since at ...\r\nskimming\r\nIs your Google Analytics code malicious?\r\n2018-09-06 Would you - a web developer - get alarmed if you found the following code on your website? 
Probably\r\nnot, as Google Analytics is embedded in pretty much every website these days: \u003cscript type=\"text/javascript\"\u003e\r\n(function() { var ga = document.createElement('script'); ga.ty...\r\nskimming\r\nMagentoCore group hacks 7,339 stores and counting\r\n2018-08-30 A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months.\r\nThe MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google Chrome has\r\nadded the campaign to its blocklist last Saturday, the skimmers are now rapidly replacing \u0026q...\r\nskimming MagentoCore skimmer\r\nHackers breached Magento through helpdesk\r\n2017-12-28 Magento merchants have recently received messages like this: Hey, I strongly recommend you to\r\nmake a redesign! Please contact me if you need a good designer! -- knockers@yahoo.com Upon closer\r\nexamination, the message contains a specially crafted sender that contains an XSS attack: an attempt to...\r\nskimming\r\nCryptojacking found on 2496 online stores\r\n2017-11-07 Does your laptop get hot when visiting your favorite shop? Your computer is likely mining\r\ncryptocurrencies to the benefit of a cyberthief. Cryptojacking - running crypto mining software in the browser of\r\nunsuspecting visitors - is quickly spreading around the web. And the landgrab extends to onli...\r\nskimming\r\nWhy ordering HTTP headers is important\r\n2017-05-02 If you code against Akamai-hosted sites, you could be rejected because your HTTP library sends\r\nrequest headers in the wrong order. In fact, most libraries use an undefined order, as the IETF specification says it\r\ndoesn't matter. 
In this case: $ URL=http://www.bulgari.com $ UA=\"User-Agent: Mozilla/5....\r\nskimming\r\nWarning: fake Magento patch 9789 contains virus\r\n2017-04-21 Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems. This week a mail was sent out to announce the new Magento patch SUPEE-9789. It is fake and it contains malware. There is no patch 9789. The message...\r\nskimming\r\nA Magento breach analysis: part 1\r\n2017-04-12 Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflows. Part of the job of running the MageReport service is that I get to investigate tons of hacked stores. About 50-200 new stores get hacked pe...\r\nskimming\r\nAn OpenCart/Magento hacking dashboard\r\n2017-04-07 This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a brute-forced Magento store, we noticed that the hacker logged in using a curious referrer site: \"GET /rss/catalog/notifystock/ HTTP/1.1\" 200 5676 \"http://194.87.232.147:777/\"...\r\nskimming\r\nSelf-healing malware restores itself after deletion\r\n2017-02-14 Regular JavaScript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But not anymore: this week a new malware pattern surfaced. Once deleted, it uses a clever database trigge...\r\nskimming\r\nVisbot malware found on 6691 stores [analysis]\r\n2016-12-01 Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. 
The first case was documented as early as March 2015. But being publicly discussed did not stop it from spreading. We conducted a global survey of 300,000 Magento stores and found active Visbot i...\r\nskimming\r\nCriminals have rewired 3,500 online stores\r\n2015-11-17 Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of these stores in the last 6 months, your credit card is likely compromised. We received reports of suspic...\r\nskimming\r\nScan your store now for malware \u0026 vulnerabilities\r\n$ curl ecomscan.com | sh\r\neComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.\r\nSource: https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/"
	],
	"report_names": [
		"magecart-hackers-arrested"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89951f8270cd950887f5acf99c65638d2c68b6de.pdf",
		"text": "https://archive.orkl.eu/89951f8270cd950887f5acf99c65638d2c68b6de.txt",
		"img": "https://archive.orkl.eu/89951f8270cd950887f5acf99c65638d2c68b6de.jpg"
	}
}