At the end of February, we wrote about a massive wave of site infections that pushed fake browser updates.
At the beginning of March, the attack evolved into redirecting site visitors to sketchy ad URLs.
In WordPress, the injected script is typically found at the bottom of the active theme's footer.php file. It still consists of an “eval(function(p,a,c,k,e,d)…” obfuscated script and Histats code with the same 4214393 ID (which is now found on 1564 sites).
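A site owner can check for the two indicators named above with a short scan of theme footer files. The following is an added example, not code from the original post: the function names, the verdict labels and the sample files are assumptions made for illustration, and it checks every installed theme rather than only the active one.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article; whitespace-tolerant form of the packer header.
PACKER_RE = re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)")
HISTATS_ID_RE = re.compile(r"(?<!\d)4214393(?!\d)")

def classify(text):
    """Return (verdict, hits) for the contents of one footer.php."""
    hits = []
    if PACKER_RE.search(text):
        hits.append("packed-eval")
    # The number only counts when the file also references Histats.
    if "histats" in text.lower() and HISTATS_ID_RE.search(text):
        hits.append("histats-4214393")
    # The packer is also used by legitimate scripts, so on its own it is a lead.
    verdict = {0: "clean", 1: "review", 2: "match"}[len(hits)]
    return verdict, hits

def scan_theme_footers(wp_root):
    """Check footer.php of every installed theme, not only the active one."""
    results = {}
    for footer in sorted(Path(wp_root).glob("wp-content/themes/*/footer.php")):
        text = footer.read_text(encoding="utf-8", errors="replace")
        results[footer.parent.name] = classify(text)
    return results

def build_sample_site(root):
    """Constructed sample tree; script bodies are elided placeholders."""
    samples = {
        "clean-theme": "<?php wp_footer(); ?>\n</body></html>\n",
        "packed-only": "<?php wp_footer(); ?>\n<script>eval(function(p,a,c,k,e,d){/*elided*/})</script>\n",
        "infected": "<?php wp_footer(); ?>\n</body></html>\n"
                    "<script>eval( function(p, a, c, k, e, d){/*elided*/})</script>\n"
                    "<script>/* constructed Histats counter stub */ var id = '4214393';</script>\n",
        "other-id": "<script>/* constructed Histats counter stub */ var id = '14214393';</script>\n",
    }
    for theme, body in samples.items():
        theme_dir = Path(root, "wp-content", "themes", theme)
        theme_dir.mkdir(parents=True)
        (theme_dir / "footer.php").write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for theme, (verdict, hits) in scan_theme_footers(site).items():
            print(f"{theme:12} {verdict:7} {hits}")
```

A "review" verdict means only one indicator was present and the file needs a manual look; "match" means both indicators described in the post appear in the same footer.php.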