ClickCease WordPress websites compromised in Balada injector campaign

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

WordPress websites compromised in Balad injector campaign

April 18, 2023 - TuxCare PR Team

A persistent effort that targets “all known and recently discovered theme and plugin vulnerabilities” has hacked an estimated one million WordPress websites according to Sucuri.

Researchers have called the campaign Balad Injector because it injects a Linux backdoor. Since 2017, this malware operation has been redirecting users to bogus tech help pages, false lottery wins, and push notification frauds.

According to Sucuri, the Balad Injector assaults occur in waves about once a month, with each wave utilizing a newly registered domain name to avoid blocking lists. The virus targets freshly reported vulnerabilities and builds unique attack routines around them.

Siteurl hacks, HTML injections, database injections, and arbitrary file injections are just a few of the attack vectors available to the Balad Injector. These techniques of attack have resulted in duplicate site infections, with following waves focusing on previously compromised sites. Sucuri cited a scenario in which a website was attacked 311 times with 11 different variants of Balad.

Once a site is compromised, the Balad scripts focus on exfiltrating sensitive information such as database credentials from wp-config.php files. Even if the site owner clears an infection and patches their add-ons, the threat actor maintains their access. The campaign also seeks backup archives and databases, access logs, debug info, and files that might contain sensitive information.

The Balad Injector plants multiple backdoors on compromised WordPress sites for redundancy, which act as hidden access points for the attackers. In 2020, Balada was dropping backdoors to 176 predefined paths, making the complete removal of the backdoor very challenging. Moreover, the names of the planted backdoors changed in each campaign wave to make detections and removals harder for website owners.

Sucuri notes that defending against Balad Injector attacks may differ from one case to another and that there is no one specific set of instructions admins can follow to keep the threat at bay, due to the wide variety of infection vectors. However, Sucuri’s general WordPress malware cleanup guides should be enough to block most of the attempts. Keeping all website software updated, using strong, unique passwords, implementing two-factor authentication, and adding file integrity systems should work well enough to protect sites from compromise.


The sources for this piece include an article in BleepingComputer.

WordPress websites compromised in Balada injector campaign
Article Name
WordPress websites compromised in Balada injector campaign
A campaign targeting "all known and recently discovered theme and plugin vulnerabilities" has hacked about one million WordPress websites.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter