{ "Event": { "analysis": "1", "date": "2026-04-16", "extends_uuid": "", "info": "[Threat Intel] Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors", "protected": false, "publish_timestamp": "1776767199", "published": true, "threat_level_id": "3", "timestamp": "1776767199", "uuid": "8fd2e1cc-5937-4f0f-bd56-d7ced0a30af9", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#956c9e", "local": false, "name": "misp-galaxy:producer=\"Sucuri\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#fb3bcd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#82eae0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"", "relationship_type": "" }, { "colour": "#fe1ef0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#bf6f24", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Resolution - T1568\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#f07d7c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#0aebeb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#bac7a9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domain Properties - T1590.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776423611", "to_ids": false, "type": "link", "uuid": "120ff56a-554e-4adf-86a1-738a6f0034b9", "value": "https://blog.sucuri.net/2026/04/joomla-seo-spam-injector-obfuscated-php-backdoor-hijacking-site-visitors.html" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776423611", "to_ids": false, "type": "text", "uuid": "591a6596-34ec-4491-952e-0d38d5a7a4f2", "value": "A compromised Joomla website displayed suspicious product links unrelated to the business. Investigation revealed heavily obfuscated PHP code injected at the top of index.php that contacted external command-and-control servers to receive instructions and manipulate content. The malware acts as a remote loader, assembling strings from two-character chunks to evade signature-based detection. It contacts primary C2 cdn.erpsaz.com and fallback cdn.saholerp.com, sending server fingerprint data and receiving dynamic instructions. Based on responses, it redirects visitors, injects spam content, or serves fake SEO pages to search engines. This approach allows attackers to control compromised sites remotely without modifying local files again, enabling dynamic spam injection, visitor redirection, and search engine manipulation while remaining undetected for extended periods." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776423611", "to_ids": false, "type": "text", "uuid": "787b081e-68bb-4997-a234-495ff5811cb5", "value": "Name: Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors\nAuthor: AlienVault\nAdversary: \nTags: [\"obfuscation\", \"php backdoor\", \"dynamic content injection\", \"remote loader\", \"joomla\", \"search engine manipulation\", \"command-and-control\", \"seo spam\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1132.001\", \"T1592\", \"T1036.005\", \"T1140\", \"T1608.001\", \"T1190\", \"T1583.001\", \"T1505.003\", \"T1087\", \"T1568\", \"T1102\", \"T1204\", \"T1571\", \"T1027\", \"T1573\", \"T1203\", \"T1070.004\", \"T1027.002\", \"T1071.001\", \"T1590.001\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776693848", "to_ids": true, "type": "url", "uuid": "2b2341ec-1329-4d43-b525-743f9cd888fd", "value": "http://cdn.erpsaz.com/admin.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776693869", "to_ids": true, "type": "domain", "uuid": "6e48bd26-acf4-428e-9cfd-9a4361ffabec", "value": "lashowroom.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776693890", "to_ids": true, "type": "hostname", "uuid": "c28cfe0a-5875-4d56-a76c-c2acd3446994", "value": "cdn.erpsaz.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776693911", "to_ids": true, "type": "hostname", "uuid": "40ef3462-68e6-43b3-8fcf-306ef77845f9", "value": "cdn.saholerp.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }