Cybercriminals are targeting WooCommerce users in a widespread scam that disguises malware as a critical security update.

The phishing campaign lures WordPress site administrators into downloading what appears to be an urgent patch. In reality, it’s a cleverly disguised backdoor, giving attackers unauthorized access to infected websites.

The operation specifically exploits the trust WooCommerce users place in official-looking alerts, aiming to compromise large numbers of e-commerce platforms.

More specifically, the attackers falsely claim that the victim’s website is vulnerable to a critical “Unauthenticated Administrative Access” flaw—a vulnerability that doesn’t actually exist.

To sell the deception, the attackers direct users to a spoofed site crafted to look like the official WooCommerce page. They achieve this through an IDN homograph attack, using visually similar characters in the domain name to trick users into trusting the malicious link.

The phishing operation was uncovered by security analysts at Patchstack. They say the tactics mirror a previous campaign they tracked in December 2023, where fake warnings about a fabricated Remote Code Execution flaw — CVE-2023-45124 — tricked WordPress users into installing malicious files masquerading as official updates.

“Once you click on the Download Patch button in the email, you are directed to a fake WooCommerce Marketplace page,” reads Patchstack’s report. “This page is served through, at least, the malicious domain name woocommėrce[.]com (Note the ė in this domain, making it very similar to the official WooCommerce domain).”
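A small check for the homograph trick described above, added here as an example (it is not code from the Patchstack report): it converts a domain to the xn-- form that resolvers and most mail clients actually see, then reduces it to an ASCII "skeleton" and compares that against a trusted list. The trusted list, the hand-picked confusables map and the sample domains are assumptions made for illustration.

```python
"""Flag IDN homograph look-alikes of trusted domains.

Added example, not from the Patchstack report.  The CONFUSABLES map and the
trusted list are small hand-made assumptions for illustration.
"""
import unicodedata

# Look-alikes that NFKD decomposition does not reduce (Cyrillic letters have
# no decomposition to Latin).  Assumption: a real deployment would load the
# full Unicode confusables.txt table instead of this short list.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small i
    "\u0131": "i",  # Latin dotless i
    "\u2010": "-",  # Unicode hyphen
}


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string it is designed to resemble.

    NFKD splits a precomposed letter such as ė (U+0117) into e + U+0307
    COMBINING DOT ABOVE; the combining mark is dropped and the remaining
    letters are passed through the confusables map.
    """
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    out = []
    for ch in decomposed:
        if unicodedata.category(ch).startswith("M"):
            continue  # combining mark, e.g. the dot above the e
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def to_punycode(domain: str) -> str:
    """The ASCII-compatible (xn--) form the DNS resolver really sees."""
    return domain.encode("idna").decode("ascii")


def analyze(domain: str, trusted: list[str]) -> dict:
    """Report whether `domain` is an IDN and whether it skeleton-matches a
    trusted domain without being identical to it."""
    puny = to_punycode(domain.lower())
    is_idn = any(label.startswith("xn--") for label in puny.split("."))
    skel = skeleton(domain)
    lookalike = None
    for t in trusted:
        if skel == skeleton(t) and domain.lower() != t.lower():
            lookalike = t
            break
    return {
        "domain": domain,
        "punycode": puny,
        "is_idn": is_idn,
        "skeleton": skel,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine domain, the ė variant from the report,
    # and a hypothetical variant using two Cyrillic о characters.
    TRUSTED = ["woocommerce.com", "wordpress.org"]
    for d in ["woocommerce.com", "woocommėrce.com", "w\u043e\u043ecommerce.com"]:
        print(analyze(d, TRUSTED))
```

Comparing the xn-- form against what a link claims to be is the check a mail gateway or browser can make without any list at all: a brand whose real domain is pure ASCII has no business resolving through an xn-- label. The skeleton comparison catches the case where the attacker picks a character that your eye, rather than your resolver, cannot distinguish.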

Once victims downloaded the fake patch, they received a zip file named authbypass-update-31297-id.zip that installed just like any standard WordPress plugin.

After activation, the plugin hooked into legitimate WordPress actions so that its activity blended in with normal site behavior. It immediately registered a WP-Cron job that ran every minute, creating a hidden administrator account and sending that account’s credentials to a server under the attackers’ control.

The breach didn’t stop there. The plugin then contacted a second command-and-control server to fetch and deploy several heavily obfuscated PHP web shells, including p0wny and WSO, into the site’s uploads directory. These gave the attackers full control of the server, enabling anything from ad injection and visitor redirection to credit card theft, DDoS attacks, and even ransomware deployment.

To avoid discovery, the plugin erased its tracks, hiding both itself and the unauthorized admin account.
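Because the plugin hides both itself and the rogue account from the dashboard, the reliable place to look is the filesystem rather than the admin UI. The following triage scan for the web-shell stage is an added example, not code from the Patchstack report or from the malicious plugin: WordPress never needs executable PHP under wp-content/uploads, so the script lists every PHP file there and raises the priority of any that contain the eval/base64_decode/gzinflate style constructs obfuscated shells tend to use. The sample directory tree, the file names (including cache.php) and the marker list are constructed assumptions.

```python
"""Triage scan for PHP dropped under wp-content/uploads.

Added example, not code from the Patchstack report or the malicious plugin.
The sample tree built by build_sample_tree() is constructed (no real malware)
and OBFUSCATION_MARKERS is a hand-picked assumption, not a complete signature set.
"""
import os
import re
import tempfile

# Constructs typical of obfuscated PHP droppers and web shells.  Any PHP under
# uploads/ is already out of place; a marker hit only raises the priority.
OBFUSCATION_MARKERS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\bgzinflate\s*\("),
    re.compile(rb"\bgzuncompress\s*\("),
    re.compile(rb"\bstr_rot13\s*\("),
    re.compile(rb"\bassert\s*\("),
    re.compile(rb"\bcreate_function\s*\("),
    # $_POST['x']('...') style: calling a function whose name comes from the request
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
    # runs of hex-escaped characters used to hide strings from grep
    re.compile(rb"\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}", re.I),
]

# Extensions most PHP handlers will execute, not just .php
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar", ".inc")


def scan_uploads(uploads_dir: str) -> list[dict]:
    """Return one finding per executable PHP file under uploads/, high-priority first."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                body = fh.read()
            hits = [m.pattern.decode() for m in OBFUSCATION_MARKERS if m.search(body)]
            findings.append({
                "path": os.path.relpath(path, uploads_dir),
                "size": len(body),
                "markers": hits,
                "priority": "high" if hits else "review",
            })
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["path"]))


def build_sample_tree() -> str:
    """Create a throwaway uploads/ tree with constructed files for a demo run."""
    base = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(base, "2025", "04"))
    # a normal media upload: not PHP, must not be reported
    with open(os.path.join(base, "2025", "04", "banner.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    # constructed stand-in for an obfuscated dropper (payload string is a placeholder)
    with open(os.path.join(base, "2025", "04", "cache.php"), "wb") as fh:
        fh.write(b"<?php eval(gzinflate(base64_decode('H4sI...'))); ?>")
    # plain PHP that is still out of place in uploads/: reported, lower priority
    with open(os.path.join(base, "index.php"), "wb") as fh:
        fh.write(b"<?php\n// Silence is golden.\n")
    return base


if __name__ == "__main__":
    for finding in scan_uploads(build_sample_tree()):
        print(finding["priority"], finding["path"], finding["markers"])
```

Run it against a real site's wp-content/uploads and treat every hit as something to explain, not just the high-priority ones: the safest baseline for that directory is zero executable files, which is also why disabling PHP execution under uploads at the web-server level is a standard hardening step. The scan is triage only; a shell that is encoded differently will not match the marker list, and a clean scan does not clear the plugin directory or the hidden administrator account described above.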

“As this phishing campaign is discovered and the community is made aware, it is likely for some or all of these indicators to change. New versions of this campaign are likely to appear as domains get flagged by hosts, registrars and security services,” the report notes.