Security researchers at Sucuri have uncovered a malware campaign targeting WordPress websites. The Sign1 malware, known for its code injection techniques, has reportedly infected a staggering 39,000 sites.
Once the threat actors gain access, they use WordPress custom HTML widgets or, more commonly, install the legitimate Simple Custom CSS and JS plugin to inject the malicious JavaScript code.
Sucuri’s analysis of Sign1 shows that the malware uses time-based randomization to generate dynamic URLs that change every 10 minutes to evade blocks. The domains are registered shortly before they are used in attacks, so they’re not in any blocklists.
These URLs are used to fetch further malicious scripts that are run in a visitor’s browser.
Initially, the domains were hosted on Namecheap, but the attackers have now moved to HETZNER for hosting and Cloudflare for IP address obfuscation.
| Domain | Registration Date | PublicWWW Detections |
| js.abc-cdn[.]online | 2023-07-31 | 1873 sites |
| spf.js-min[.]site | 2023-09-07 | 581 sites |
| cdn.jsdevlvr[.]info | 2023-09-18 | 245 sites |
| cdn.wt-api[.]top | 2023-09-22 | 316 sites |
| load.365analytics[.]xyz | 2023-10-17 | 2790 sites |
| stat.counter247[.]live | 2023-10-18 | 1089 sites |
| js.opttracker[.]online | 2023-10-19 | 1485 + 3667 sites |
| l.js-assets[.]cloud | 2023-10-25 | 4445 sites |
| api.localadswidget[.]com | 2023-11-24 | 1229 sites |
| page.24supportkit[.]com | 2023-12-05 | 2163 sites |
| streaming.jsonmediapacks[.]com | 2023-12-29 | 1291 sites |
| js.schema-forms[.]org | 2024-01-18 | N/A |
| stylesheet.webstaticcdn[.]com | 2024-02-05 | N/A |
| assets.watchasync[.]com | 2024-02-22 | N/A |
| tags.stickloader[.]info | 2024-03-06 | N/A |
Initially, the domains were hosted on the Namecheap 162.0.228.112 server. Then attackers started using a server on the HETZNER network (5.75.230.95, 95.217.217.254, 128.140.70.175) and began using Cloudflare to hide the server location.
The script then redirects the visitor to scam sites, such as fake captchas, that try to trick you into enabling browser notifications. These notifications deliver unwanted advertisements directly to your operating system desktop.
Sucuri warns that Sign1 has evolved over the past six months, with infections spiking when a new version of the malware is released.
In the past six months, Sucuri’s scanners detected the malware on over 39,000 websites, while the latest attack wave, which has been underway since January 2024, has claimed 2,500 sites.
