
A sophisticated phishing campaign is targeting WooCommerce users with fraudulent emails urging them to install a fake “critical patch” that instead deploys backdoors on their websites. The campaign, first reported by Patchstack [1], mimics legitimate WooCommerce communications using domain spoofing techniques and delivers malware capable of creating hidden admin accounts and exfiltrating sensitive data.
Campaign Overview
The attackers are sending emails that reference a fabricated vulnerability, such as “Unauthenticated Administrative Access” (CVE-2025-XXXX), to trick WooCommerce administrators into downloading malicious ZIP files. These emails use internationalized domain names (IDNs) with homograph characters (for example, replacing the “e” in “woocommerce” with an “ė”, giving woocommėrce[.]com) to appear legitimate [2]. Once executed, the payload creates hidden administrative accounts, drops web shells (including P.A.S.-Fork and WSO variants), and establishes communication with attacker-controlled servers.
Technical Analysis
The malware employs several evasion techniques, including obfuscated credentials and cron jobs for persistence. Researchers have identified multiple domains used in the campaign, such as woocommerce-monitor.com and woocommerce-shield.com, which redirect victims to malicious ZIP files like authbypass-update-31297-id.zip [3]. The payload also exfiltrates data to endpoints such as woocommerce-services[.]com/wpapi, indicating a structured command-and-control (C2) infrastructure.
Mitigation and Detection
To defend against this campaign, WooCommerce administrators should:
- Verify sender domains: Official communications will only come from @woocommerce.com or @automattic.com.
- Scan for anomalies: Check for unexpected admin accounts, cron jobs, or unfamiliar plugins.
- Update software: Ensure WordPress, WooCommerce, and all plugins are running the latest versions.
Security teams should also monitor for unusual outbound traffic to known malicious domains and inspect server logs for signs of web shell activity.
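The sender-domain check above is easy to get wrong when the lookalike differs from the real domain by a single accented character. The following script is an added example (not code from the advisory or from WooCommerce) that classifies a From: header as trusted, homograph (a non-ASCII domain whose stripped-down "skeleton" equals a trusted domain), lookalike (an ASCII domain that merely contains the brand name, such as the campaign's woocommerce-monitor.com), or untrusted. The trusted-domain set and the sample headers are constructed from the text of this article; the skeleton function is a deliberately simple approximation of Unicode confusable mapping.

```python
import unicodedata
from email.utils import parseaddr

# The only sender domains the advisory names as legitimate.
TRUSTED_DOMAINS = {"woocommerce.com", "automattic.com"}
BRAND_TOKENS = ("woocommerce", "automattic")


def sender_domain(from_header: str) -> str:
    """Domain part of the real address in a From: header (not the display name)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        # Punycode (xn--) labels are turned back into Unicode so that the
        # lookalike characters are visible to the checks below.
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: keep as-is


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: NFKD, then drop combining marks (e.g. ė -> e)."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify_sender(from_header: str) -> str:
    """Return one of: trusted, homograph, lookalike, untrusted, invalid."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(domain)
    if skel in TRUSTED_DOMAINS:
        return "homograph"   # differs from a trusted domain only by diacritics
    if any(token in skel for token in BRAND_TOKENS):
        return "lookalike"   # brand name embedded in an unrelated domain
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample headers modelled on the examples in this article.
    samples = ("WooCommerce <security@woocommerce.com>",
               "WooCommerce <security@woocommėrce.com>",
               "Support <patch@woocommerce-monitor.com>",
               "Helpdesk <noreply@example.net>")
    for hdr in samples:
        print(f"{classify_sender(hdr):10} {hdr}")
```

A mail gateway rule would quarantine anything classified as homograph or lookalike; the skeleton check catches diacritic tricks but not every confusable pair, so pair it with DMARC enforcement on the trusted domains.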
Conclusion
This campaign highlights the increasing use of homograph attacks and fake security advisories in phishing operations. Organizations using WooCommerce should remain vigilant and implement strict email verification protocols to prevent compromise. Further details on the attack methodology and indicators of compromise (IoCs) can be found in advisories from The Hacker News [1] and WooCommerce [2].
References
[1] “WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors,” The Hacker News, Apr. 2025.
[2] “Developer Advisory: Phishing Campaign Targeting WooCommerce Stores,” WooCommerce Developer Blog, Apr. 22, 2025.
[3] “WooCommerce Phishing Campaign Uses Fake Patch to Lure Victims into Installing Backdoors,” TechRadar, Apr. 2025.
[4] “Vulners Database Entry: THN:9A9CE35BD8AF578AD9C89226FA1D8046,” Vulners, 2025.