Connect with us

Hi, what are you looking for?


Malware & Threats

Thousands of Hacked WordPress Sites Abused in Neutrino EK Attacks

Researchers at cloud security company Zscaler have spotted a campaign in which attackers are redirecting victims to malware-serving websites with the aid of thousands of hijacked WordPress sites.

Researchers at cloud security company Zscaler have spotted a campaign in which attackers are redirecting victims to malware-serving websites with the aid of thousands of hijacked WordPress sites.

According to Zscaler, cybercriminals have compromised more than 2,600 WordPress websites over the past month. The hackers planted malicious iframes on 4,200 distinct pages of websites running vulnerable versions of WordPress 4.2 and prior. These iframes redirect users to Neutrino exploit kit landing pages.

The Neutrino landing page is designed to exploit Flash Player vulnerabilities in order to push the CryptoWall 3.0 ransomware to the computers of Internet Explorer users. It’s worth noting that Neutrino started leveraging the Flash Player exploits leaked as a result of the Hacking Team breach shortly after the existence of the exploits came to light.

“WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware,” Zscaler said in a blog post. “This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.”

After the notorious Blackhole exploit kit disappeared following the arrest of its creator, the Angler exploit kit took its place. The developers of Angler have done a great job at integrating just-patched and even zero-day vulnerabilities into their creation. However, in the last few days, Zscaler researchers noticed a significant increase in the use of Neutrino. 

Brad Duncan, a Rackspace security researcher and handler at the SANS Institute’s Internet Storm Center, also reported seeing a lot more Neutrino traffic than before.

Duncan says it’s usually difficult to find a hacked website that triggers a Neutrino exploit kit infection chain, but that changed this week.

Advertisement. Scroll to continue reading.

“Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week. We don’t have enough data to know if this change is permanent,” the expert noted in a blog post.

The Neutrino EK attacks analyzed by Duncan were also designed to deliver CryptoWall 3.0 file-encrypting ransomware.

“If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic. However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this,” Duncan said.

Related Reading: WordPress 4.3 Billie Improves Password Security

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...