Large Sign1 Marketing campaign Infects 39,000+ WordPress Websites with Rip-off Redirects


A large malware marketing campaign dubbed Sign1 has compromised over 39,000 WordPress websites within the final six months, utilizing malicious JavaScript injections to redirect customers to rip-off websites.

The latest variant of the malware is estimated to have contaminated a minimum of 2,500 websites over the previous two months alone, Sucuri mentioned in a report revealed this week.

The assaults entail injecting rogue JavaScript into legit HTML widgets and plugins that permit for arbitrary JavaScript and different code to be inserted, offering attackers with a possibility so as to add their malicious code.


The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which finally facilitates redirects to a VexTrio-operated site visitors distribution system (TDS) however provided that sure standards are met.

What’s extra, the malware makes use of time-based randomization to fetch dynamic URLs that change each 10 minutes to get round blocklists. These domains are registered a number of days previous to their use in assaults.

“Some of the noteworthy issues about this code is that it’s particularly trying to see if the customer has come from any main web sites reminiscent of Google, Fb, Yahoo, Instagram and so forth.,” safety researcher Ben Martin said. “If the referrer doesn’t match to those main websites, then the malware won’t execute.”

Website guests are then taken to different rip-off websites by executing one other JavaScript from the identical server.

The Sign1 marketing campaign, first detected within the second half of 2023, has witnessed a number of iterations, with the attackers leveraging as many as 15 totally different domains since July 31, 2023.

It is suspected that WordPress websites have been taken over by the use of a brute-force assault, though adversaries may additionally leverage safety flaws in plugins and themes to acquire entry.


“Most of the injections are discovered inside WordPress customized HTML widgets that the attackers add to compromised web sites,” Martin mentioned. “Very often, the attackers set up a legit Simple Custom CSS and JS plugin and inject the malicious code utilizing this plugin.”

This strategy of not inserting any malicious code into server information permits the malware to remain undetected for prolonged durations of time, Sucuri mentioned.

Notify of
Inline Feedbacks
View all comments
Previous Post
Connectwise, F5 Software Flaws

China-Linked Group Breaches Networks through Connectwise, F5 Software program Flaws

Next Post
StrelaStealer Phishing Attack

New StrelaStealer Phishing Assaults Hit Over 100 Organizations in E.U. and U.S.

Related Posts