Last month, we shared information about yet another series of ongoing massive infections using multiple different vectors to inject malicious scripts into WordPress websites.
Shortly after, the campaign changed the domain names used in its scripts. Now it mainly uses hotopponents[.]site and learningtoolkit[.]club.
At the time of this writing, PublicWWW finds the most common patterns of this malware on thousands of sites:
- “var _0xfcc4=” – 8501 sites
- “hotopponents.site/site.js” – 3636 sites
Multiple variations of the injected scripts have been found.