Magecart Campaign Hid Payment Skimmers in Google Tag Manager Containers
A long-running Magecart operation linked to the ATMZOW skimmer family abused Google Tag Manager (GTM) to inject credit-card theft code into compromised ecommerce checkout pages, according to Sucuri. The attackers hid malicious JavaScript inside GTM containers served through googletagmanager.com, exploiting the trust many sites place in that domain while using multi-stage obfuscation to steal payment data. Sucuri said the activity affected hundreds of sites, with one malicious container, GTM-WJV6J6, detected 178 times before removal, and tied the campaign to Magento-focused compromises dating back to the 2015 Guruincsite infections.
Researchers said the operators rotated payload delivery through about 40 newly registered lookalike domains, used Cloudflare to shield infrastructure, and stored selected domains in browser local storage to complicate analysis and blocking. After Google removed malicious containers such as GTM-WJ6S9J6 and GTM-TVKQ79ZS, the attackers quickly replaced them with new IDs including GTM-NTV2JTB4 and GTM-MX7L8F2M, showing persistent reinfection efforts; in at least one case, the GTM-based skimmer ran alongside a separate WebSocket-based skimmer, indicating overlapping compromises and continued adaptation by the threat actor.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Attackers replace removed GTM containers with new ones
Following the removals, the threat actors created replacement Google Tag Manager containers, including GTM-NTV2JTB4 and GTM-MX7L8F2M, to continue reinfecting sites. Sucuri also noted rapid replacement of removed containers and, in at least one case, overlap with a separate WebSocket-based skimmer.
Sucuri detects malicious GTM containers on 327 sites in 2023
Sucuri reported detecting known malicious Google Tag Manager containers on 327 websites during the first 11 months of 2023. One container, GTM-WJV6J6, was seen 178 times before it was removed.
Google removes malicious GTM containers used in the skimming campaign
After malicious Google Tag Manager containers were identified, Google removed them. The removed containers included examples such as GTM-WJ6S9J6 and GTM-TVKQ79ZS referenced in Sucuri's analysis.
Sucuri identifies ATMZOW campaign abusing Google Tag Manager
Sucuri documented an ecommerce malware campaign in which the ATMZOW threat actor hid credit card skimmers inside malicious Google Tag Manager containers on compromised checkout pages. The campaign used obfuscated multi-stage JavaScript, rotating newly registered domains, local storage, and Cloudflare to evade analysis and blocking.
Guruincsite Magento infections linked to ATMZOW begin
Sucuri linked the newer Google Tag Manager skimmer activity to the long-running ATMZOW skimmer family and said its history goes back to the 2015 Guruincsite campaign and the early Magecart era targeting Magento stores.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Magecart Skimmer Abuses Google Tag Manager and Stripe API to Steal Card Data
Researchers at Sansec uncovered a Magecart campaign that uses trusted **Google Tag Manager** and **Stripe** infrastructure to steal payment data from e-commerce checkout pages. The skimmer is delivered through a malicious but legitimate-looking GTM container and activates on **Magento** and **Adobe Commerce** checkout flows, where it harvests card numbers, expiration dates, CVV codes, names, billing addresses, email addresses, and phone numbers. The malware retrieves additional JavaScript from Stripe customer metadata and executes it dynamically, helping the attack blend into normal traffic to trusted services. The stolen data is obfuscated with **XOR**, stored locally, and later exfiltrated by creating fake customer records in an attacker-controlled Stripe account, causing the theft to appear as ordinary traffic to `api.stripe.com` and potentially bypass content security policies and network filtering. Sansec also identified a variant that uses **Google Firestore** instead of Stripe, pulling payloads from a document named `tracking/captcha` in a project called `braintree-payment-app`. Researchers said the Stripe customer record used to host the skimmer was created on Dec. 24, 2025, indicating the campaign may have been active since at least then.
Jun 5, 2026
Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images
A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a **1x1-pixel SVG** embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG `onload` handler, decodes it with `atob()`, and runs it via `setTimeout`, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake **"Secure Checkout"** overlay that captures billing and payment details before validating card numbers with the **Luhn algorithm**. The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the **PolyShell** vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious `onload` code, check for the `_mgx_cv` localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to **`23.137.249.67`** hosted by IncogNet in the Netherlands.
Apr 10, 2026
Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks
Silent Push reported a large-scale **Magecart-style web-skimming** operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact **online shoppers** and organizations that are **clients of major payment providers**, with targeting noted against **American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay**; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems. Technical reporting tied the infrastructure to domains hosting **highly obfuscated skimmer payloads** (e.g., `recorder.js`, `tab-gtm.js`) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ `wpadminbar`). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around **Stark Industries / PQ.Hosting**, which has been described as rebranding to *THE[.]Hosting* under **WorkTitans B.V.**, consistent with sanctions-evasion behavior; researchers emphasized that weak **third-party script governance** on payment pages remains a key enabling factor for this type of long-lived skimming operation.
Mar 21, 2026