Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks
Silent Push reported a large-scale Magecart-style web-skimming operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact online shoppers and organizations that are clients of major payment providers, with targeting noted against American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems.
Technical reporting tied the infrastructure to domains hosting highly obfuscated skimmer payloads (e.g., recorder.js, tab-gtm.js) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ wpadminbar). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around Stark Industries / PQ.Hosting, which has been described as rebranding to THE[.]Hosting under WorkTitans B.V., consistent with sanctions-evasion behavior; researchers emphasized that weak third-party script governance on payment pages remains a key enabling factor for this type of long-lived skimming operation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Silent Push publicly reports the long-running skimming campaign
Silent Push disclosed that the operation had been active since early 2022 and described its malicious domain network, skimmer behavior, and data theft methods affecting multiple major payment brands. The researchers also linked supporting infrastructure to Stark Industries/PQ.Hosting, which they said had rebranded to THE.Hosting under WorkTitans B.V.
Attackers deploy Stripe and WooCommerce skimmers with admin-evasion features
The campaign used highly obfuscated JavaScript on compromised WooCommerce and Stripe checkout flows, replacing legitimate payment forms with fake ones to capture card details before showing an error. The malware also used conditional activation, self-removal when the WordPress admin bar was detected, and anti-repeat logic to reduce detection.
Magecart-style web skimming campaign begins targeting e-commerce checkouts
A large-scale web skimming operation became active by January 2022, compromising online checkout pages to steal payment card and personal data from shoppers. The campaign targeted merchants, payment portals, and third-party payment processors tied to major card networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
"Magecart" Strikes Again: Long-Running Web Skimming Campaign Targets Global Payment Networks
securityonline.info
Open sourceMagecart network targeted Amex, Diners Club, MasterCard since 2022 | SC Media
scworld.com
Open sourceLong-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Magecart Campaign Hid Payment Skimmers in Google Tag Manager Containers
A long-running **Magecart** operation linked to the **ATMZOW** skimmer family abused **Google Tag Manager (GTM)** to inject credit-card theft code into compromised ecommerce checkout pages, according to Sucuri. The attackers hid malicious JavaScript inside GTM containers served through `googletagmanager.com`, exploiting the trust many sites place in that domain while using multi-stage obfuscation to steal payment data. Sucuri said the activity affected hundreds of sites, with one malicious container, `GTM-WJV6J6`, detected 178 times before removal, and tied the campaign to Magento-focused compromises dating back to the 2015 **Guruincsite** infections. Researchers said the operators rotated payload delivery through about 40 newly registered lookalike domains, used **Cloudflare** to shield infrastructure, and stored selected domains in browser local storage to complicate analysis and blocking. After Google removed malicious containers such as `GTM-WJ6S9J6` and `GTM-TVKQ79ZS`, the attackers quickly replaced them with new IDs including `GTM-NTV2JTB4` and `GTM-MX7L8F2M`, showing persistent reinfection efforts; in at least one case, the GTM-based skimmer ran alongside a separate WebSocket-based skimmer, indicating overlapping compromises and continued adaptation by the threat actor.
Jun 8, 2026
Targeted Phishing and Web Skimming Attacks on Online Payment Systems
A series of sophisticated cyberattacks have targeted online payment systems and e-commerce users through phishing emails, malicious browser extensions, and large-scale web skimming operations. One campaign impersonated WordPress.com, sending convincing domain renewal emails that redirected victims to a fake payment portal designed to steal credit card details and 3-D Secure OTPs, with exfiltration occurring via Telegram. Another operation involved over 50 malicious scripts injected into checkout and account creation flows on e-commerce sites, using modular payloads tailored for specific payment processors like Stripe, PayPal, and Mollie, and leveraging fake domains to evade detection. In parallel, threat actors have deployed malicious browser extensions across Chrome, Edge, and Firefox, impacting millions of users by hijacking search queries, stealing data, and committing affiliate fraud. These extensions often remain dormant for extended periods before being weaponized through updates, further complicating detection. Collectively, these campaigns demonstrate a significant evolution in cybercriminal tactics, blending phishing, web skimming, and browser-based attacks to compromise sensitive financial and personal information at scale.
Mar 21, 2026
Magecart Skimmer Abuses Google Tag Manager and Stripe API to Steal Card Data
Researchers at Sansec uncovered a Magecart campaign that uses trusted **Google Tag Manager** and **Stripe** infrastructure to steal payment data from e-commerce checkout pages. The skimmer is delivered through a malicious but legitimate-looking GTM container and activates on **Magento** and **Adobe Commerce** checkout flows, where it harvests card numbers, expiration dates, CVV codes, names, billing addresses, email addresses, and phone numbers. The malware retrieves additional JavaScript from Stripe customer metadata and executes it dynamically, helping the attack blend into normal traffic to trusted services. The stolen data is obfuscated with **XOR**, stored locally, and later exfiltrated by creating fake customer records in an attacker-controlled Stripe account, causing the theft to appear as ordinary traffic to `api.stripe.com` and potentially bypass content security policies and network filtering. Sansec also identified a variant that uses **Google Firestore** instead of Stripe, pulling payloads from a document named `tracking/captcha` in a project called `braintree-payment-app`. Researchers said the Stripe customer record used to host the skimmer was created on Dec. 24, 2025, indicating the campaign may have been active since at least then.
Jun 5, 2026