Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks
Silent Push reported a large-scale Magecart-style web-skimming operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact online shoppers and organizations that are clients of major payment providers, with targeting noted against American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems.
Technical reporting tied the infrastructure to domains hosting highly obfuscated skimmer payloads (e.g., recorder.js, tab-gtm.js) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ wpadminbar). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around Stark Industries / PQ.Hosting, which has been described as rebranding to THE[.]Hosting under WorkTitans B.V., consistent with sanctions-evasion behavior; researchers emphasized that weak third-party script governance on payment pages remains a key enabling factor for this type of long-lived skimming operation.
Timeline
Jan 13, 2026
Silent Push publicly reports the long-running skimming campaign
Silent Push disclosed that the operation had been active since early 2022 and described its malicious domain network, skimmer behavior, and data theft methods affecting multiple major payment brands. The researchers also linked supporting infrastructure to Stark Industries/PQ.Hosting, which they said had rebranded to THE.Hosting under WorkTitans B.V.
Jan 1, 2022
Attackers deploy Stripe and WooCommerce skimmers with admin-evasion features
The campaign used highly obfuscated JavaScript on compromised WooCommerce and Stripe checkout flows, replacing legitimate payment forms with fake ones to capture card details before showing an error. The malware also used conditional activation, self-removal when the WordPress admin bar was detected, and anti-repeat logic to reduce detection.
Jan 1, 2022
Magecart-style web skimming campaign begins targeting e-commerce checkouts
A large-scale web skimming operation became active by January 2022, compromising online checkout pages to steal payment card and personal data from shoppers. The campaign targeted merchants, payment portals, and third-party payment processors tied to major card networks.
Related Stories

Targeted Phishing and Web Skimming Attacks on Online Payment Systems
A series of sophisticated cyberattacks have targeted online payment systems and e-commerce users through phishing emails, malicious browser extensions, and large-scale web skimming operations. One campaign impersonated WordPress.com, sending convincing domain renewal emails that redirected victims to a fake payment portal designed to steal credit card details and 3-D Secure OTPs, with exfiltration occurring via Telegram. Another operation involved over 50 malicious scripts injected into checkout and account creation flows on e-commerce sites, using modular payloads tailored for specific payment processors like Stripe, PayPal, and Mollie, and leveraging fake domains to evade detection. In parallel, threat actors have deployed malicious browser extensions across Chrome, Edge, and Firefox, impacting millions of users by hijacking search queries, stealing data, and committing affiliate fraud. These extensions often remain dormant for extended periods before being weaponized through updates, further complicating detection. Collectively, these campaigns demonstrate a significant evolution in cybercriminal tactics, blending phishing, web skimming, and browser-based attacks to compromise sensitive financial and personal information at scale.
Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images
A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a **1x1-pixel SVG** embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG `onload` handler, decodes it with `atob()`, and runs it via `setTimeout`, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake **"Secure Checkout"** overlay that captures billing and payment details before validating card numbers with the **Luhn algorithm**. The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the **PolyShell** vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious `onload` code, check for the `_mgx_cv` localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to **`23.137.249.67`** hosted by IncogNet in the Netherlands.
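As an added example (not code from Silent Push, Sansec or Mallory), the following defensive hunting script scans a saved checkout-page HTML file for the two indicators these stories describe: SVG `onload` handlers that base64-decode and schedule a payload, and script includes from hosts outside the merchant's allowlist, which is the third-party script governance gap the Silent Push researchers point to. The allowlist hosts and the sample page are constructed; the skimmer file name `tab-gtm.js` is taken from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a merchant's checkout page is permitted to load scripts from (constructed sample allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example.test", "js.example-psp.test"}

# Behaviours a tracking-pixel SVG has no business performing: decoding base64, scheduling or building code.
SUSPICIOUS_ONLOAD = re.compile(r"atob\s*\(|setTimeout\s*\(|eval\s*\(|Function\s*\(")


class CheckoutScanner(HTMLParser):
    """Walks checkout-page HTML and records (kind, detail) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            # Relative (same-origin) includes have no host and are not flagged here.
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unlisted_script", a["src"]))
        elif tag == "svg":
            onload = a.get("onload", "")
            tiny = a.get("width") == "1" and a.get("height") == "1"
            if onload and (tiny or SUSPICIOUS_ONLOAD.search(onload)):
                self.findings.append(("svg_onload", onload[:60]))


def scan_checkout_html(html):
    """Return the list of findings for one page's HTML."""
    parser = CheckoutScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample: one allowlisted PSP script, one unlisted include named like the reported
# skimmer file, and a 1x1 SVG whose onload decodes and schedules a dummy string ("// dummy").
SAMPLE = """
<html><body>
<script src="https://js.example-psp.test/v3/checkout.js"></script>
<script src="https://static.skimmer-host.test/tab-gtm.js"></script>
<svg width="1" height="1" onload="setTimeout(atob('Ly8gZHVtbXk='),0)"></svg>
<form id="payment"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_checkout_html(SAMPLE):
        print(f"{kind}: {detail}")
```

Run against HTML captured from the live checkout page (for example via a headless browser dump), since injected SVGs and script tags may only appear in the rendered DOM rather than in the server-side template.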
Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.