According to The Hacker News , up to 9,000 websites have been compromised through a recently disclosed security vulnerability in the tagDiv Composer plugin on the WordPress platform. This vulnerability allows hackers to insert malicious code into the web application source code without authentication.

Sucuri security researchers say this is not the first time the Balada Injector group has targeted vulnerabilities in tagDiv themes. A large-scale malware infection occurred in the summer of 2017, when two popular WordPress themes, Newspaper and Newsmag, were actively exploited by hackers.

Balada Injector is a large-scale operation first detected by Doctor Web in December 2022, in which the group exploited multiple WordPress plugin vulnerabilities to deploy backdoors on compromised systems.

The main purpose of these activities is to redirect users who visit compromised websites to fake technical support pages, lottery winning pages, and scam announcements. More than 1 million websites have been affected by Balada Injector since 2017.

Major operations involved exploiting the CVE-2023-3169 vulnerability to inject malicious code and establish access to websites by installing backdoors, adding malicious plugins, and creating administrators to control the website.

Sucuri describes this as one of the more sophisticated attacks carried out by an automated program that mimics the installation of a plugin from a ZIP archive and activates it. The waves of attacks observed in late September 2023 used random code injection to download and launch malware from remote servers to install the wp-zexit plugin on targeted WordPress websites.