Keylogger Campaign Returns – Musato Technologies

Keylogger campaign returns, infecting 2,000 WordPress sites

Over 2,000 WordPress sites are infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

Researchers at Sucuri, who made the discovery, said the recent campaign is tied to the threat actors behind a December 2017 campaign that infected over 5,500 WordPress sites. Both incidents used the same keylogger/cryptominer injection, which Sucuri refers to as the cloudflare[.]solutions malware. The name is derived from the domain used to serve the malicious scripts in the first campaign, cloudflare[.]solutions.

cloudflare[.]solutions – Keylogger Campaign

The cloudflare[.]solutions domain is in no way related to the network management and security firm Cloudflare.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored the research blog post this week.

The cloudflare[.]solutions domain has been taken down since December. The threat actors behind the original campaign have now registered new domains to host the malicious scripts that are loaded onto WordPress sites.

Attackers inject the script into WordPress sites with weak or outdated security. “The script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file,” Sinegubko wrote.

Attackers target both the admin login page and the site’s public-facing frontend.

The injected HTML is obfuscated and contains JavaScript, such as a script named “googleanalytics.js”, that loads the malicious “startGoogleAnalytics” script from the attackers’ domains. The file name mimics Google Analytics; what gives it away is the host it is loaded from, not the name.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive crypto mining library from the previous version,” Sinegubko wrote.
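The three injection points named above (rows in wp_posts, the theme’s functions.php, and script tags that load from the attackers’ domains) can be checked with a small scanner. The following is an added example written for this article, not Sucuri’s tooling or code from the original post. It assumes a site-specific allowlist of script hosts (ALLOWED_HOSTS, hypothetical), uses only the indicators the article itself names (cloudflare[.]solutions, cdns[.]ws, googleanalytics.js, startGoogleAnalytics), treats its obfuscation patterns as heuristics, and runs on constructed sample data rather than a real database.

```python
import re

# Indicators taken from the article: the original campaign domain and one of the
# new domains Sucuri named (cdns[.]ws). Stored defanged, un-defanged for matching.
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in ("cloudflare[.]solutions", "cdns[.]ws")}

# Script and function names the article associates with the injected loader.
CAMPAIGN_MARKERS = ("googleanalytics.js", "startGoogleAnalytics")

# Hosts this (assumed, site-specific) site legitimately loads scripts from;
# any other host is reported so a reviewer can look at it.
ALLOWED_HOSTS = {"example.com", "www.google-analytics.com", "ajax.googleapis.com"}

# <script ... src="//host/..."> with an optional scheme; captures the host only.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.I)

# Obfuscation idioms common in WordPress injections (heuristic, not exhaustive).
OBFUSCATION_RE = re.compile(
    r"""String\.fromCharCode|eval\s*\(\s*(?:unescape|atob|base64_decode)"""
    r"""|document\.write\s*\(\s*unescape|(?:\\x[0-9a-f]{2}){4,}""", re.I)

# Theme hooks that render into every page head/footer or into the login page.
PHP_HOOK_RE = re.compile(
    r"""add_action\s*\(\s*['"](?:wp_head|wp_footer|login_head|login_enqueue_scripts)['"]""")


def scan_html(location, html):
    """Return (location, kind, detail) findings for one HTML/JS fragment."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        host = m.group(1).lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append((location, "known-bad-host", host))
        elif host not in ALLOWED_HOSTS:
            findings.append((location, "unexpected-host", host))
    for marker in CAMPAIGN_MARKERS:
        if marker in html:
            findings.append((location, "campaign-marker", marker))
    m = OBFUSCATION_RE.search(html)
    if m:
        findings.append((location, "obfuscation", m.group(0)))
    return findings


def scan_wp_posts(posts):
    """posts: {post_id: post_content} as pulled from the wp_posts table."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_html(f"wp_posts:{post_id}", content))
    return findings


def scan_functions_php(location, php_source):
    """functions.php: the HTML rules plus 'a head/footer/login hook emits a <script>'."""
    findings = scan_html(location, php_source)
    if PHP_HOOK_RE.search(php_source) and "<script" in php_source.lower():
        findings.append((location, "script-in-hook", "head/footer/login hook emits <script>"))
    return findings


# Constructed sample data (not real site content) mirroring the two injection
# points the article names: post_content rows and a theme functions.php.
SAMPLE_WP_POSTS = {
    12: "<p>Welcome to our site.</p>",
    15: '<p>Latest news</p><script type="text/javascript" '
        'src="//cdns.ws/jquery-3.2.1.min.js"></script>',
    18: "<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>",
}

SAMPLE_FUNCTIONS_PHP = """<?php
function theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'theme_setup');
add_action('wp_head', function () {
    echo '<script src="https://cdns.ws/googleanalytics.js"></script>';
});
add_action('login_head', function () {
    echo '<script>startGoogleAnalytics();</script>';
});
"""

if __name__ == "__main__":
    results = scan_wp_posts(SAMPLE_WP_POSTS)
    results += scan_functions_php("functions.php", SAMPLE_FUNCTIONS_PHP)
    for finding in results:
        print("%-16s %-16s %s" % finding)
```

On a live site the post contents would come from the database rather than the sample dict, for example via WP-CLI (`wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%'"`), and the theme file from wp-content/themes/<theme>/functions.php. A legitimate-looking file name such as jquery-3.2.1.min.js is deliberately not a marker on its own; the host it is served from is what the scanner judges.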

According to the source-code search engine PublicWWW, the infected sites include 129 tied to the domain cdns[.]ws and 103 tied to a second domain, Sucuri reports. The bulk of the infections are tied to a third domain, with over a thousand reported. Researchers said that many additional WordPress sites have become reinfected now that the new domains are active.

Sucuri is no stranger to this particular strain of malicious WordPress scripts. Its researchers identified previous campaigns that used the original domain in April, November and December 2017.

Author: Gideon E. M

Gideon Ebonde M. is the CEO and Chief Software Architect at Musato Technologies. He is an experienced software developer with a demonstrated history of working in the information technology and services industry, skilled in mobile application development, enterprise software, AI, robotics, IoT, servers, cloud and business applications. He is an accomplished DevOps software engineer and a visionary computer scientist and engineer.
