SoakSoak: Payload Analysis – Evolution of Compromised Sites – IE 11

Thousands of WordPress sites have been hit by the SoakSoak attack lately. At this moment we know quite a lot about it; it uses the RevSlider vulnerability as a point of penetration, then uploads a backdoor and infects all websites that share the same server account. This means websites that don’t use the RevSlider plugin can be infected too. The visitor-facing part of the infection consists of these two files:

  • wp-includes/js/swfobject.js — hackers append it with an encrypted code that loads a malicious script from hxxp://soaksoak . ru/xteas/code (thus SoakSoak).
  • wp-includes/template-loader.php — in this file, hackers add code that makes WordPress load the infected swobject.js on every page.

However, it’s not always SoakSoak and not always just two files. On some sites we see a variation of this malware.

Read More

RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise

Yesterday we disclosed a large malware campaign targeting and compromising over 100,000 WordPress sites, and growing by the hour. It was named SoakSoak due to the first domain used in the malware redirection path ( After a bit more
Read More

SoakSoak Malware Compromises 100,000+ WordPress Websites

Sucuri - SoakSoak RU Blacklisted

This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from Our analysis is showing impacts in the order of 100's of thousands of WordPress specific websites. We cannot
Read More

Malvertising on a Website Without Ads

Malicious Fake Flash Download

When you first configure your website, whether it be WordPress, Joomla, Drupal, or any other flavor of the month, it is often in its purest state. Unless ofcourse the server was previously compromised, which in it of itself is another conversation
Read More

Targeted Phishing Against GoDaddy Customers


I do get a lot of phishing emails, we all do, but as security professionals we tend to recognize them immediately. Either the syntax is wrong, or it's missing a name. When you get them from a bank you don't even deal with that's a pretty good
Read More

Critical vulnerability affecting HD FLV Player

Sucuri - HD FLV Player - Download File

We've been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla!, WordPress and custom websites. It was silently patched on Joomla! and WordPress, leaving the custom website version vulnerable. Furthermore, websites
Read More

IIS, Compromised GoDaddy Servers, and Cyber Monday Spam

Bing Cyber Monday Results

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see these patterns, I try to dig deeper and figure out what
Read More

Leveraging the WordPress Platform for SPAM

Hacker installed Basic WordPress

We’ve all seen WordPress comment and pingback spam, but thanks to strict moderation regimes and brilliant WordPress plugins that focus strictly on SPAM comments, comment spam isn’t a major problem for most websites these days. I have seen however, a n
Read More

Security Advisory – High Severity– WordPress Download Manager

Sucuri- WP-DownloadManager-Ajaxcall

Advisory for: WordPress Download Manager Security Risk: Very High Exploitation level: Easy/Remote DREAD Score: 9/10 Vulnerability: Code Execution / Remote File Inclusion Patched Version: <2.7.5 If you’re using the popular WP Download M
Read More

Security advisory – High severity – InfiniteWP Client WordPress plugin

Advisory for: InfiniteWP Client for WordPress Security Risk: High (DREAD score : 8/10) Exploitation level: Easy/Remote Vulnerability: Privilege escalation and potential Object Injection vulnerability. Patched Version: 1.3.8 If you’re using the
Read More