Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors
ATT&CK techniques detected
T1071.001 Web Protocols (32%)
“In the infection three domains appear in this malware. Two are active C2s. One is a dead decoy.
- Primary: cdn[.]erpsaz[.]com – primary C2
- Fallback: cdn[.]saholerp[.]com – fallback C2, used automatically if the primary returns an empty response
- doesn’t return …”
Summary
Overview
During a recent malware cleanup investigation, we encountered a compromised Joomla website where the site owner reported a strange issue. Their website displayed a large number of suspicious product links that had nothing to do with their business. These products were not added by the website owner and did not exist in their catalog.
Visitors and search engines were seeing pages that promoted unrelated products, raising immediate concerns about spam injection or remote content manipulation.
