eCommerce Sites Targeted in Active Campaign via Magento 2 Exploit

An ongoing campaign is planting digital skimmers on ecommerce sites by exploiting a critical, already-patched Magento 2 vulnerability (CVE-2022-24086).


On August 9, 2023, Akamai researchers reported a campaign they dubbed “Xurum,” which leverages the “patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.”

Technical Details

Key takeaways from the Akamai report include:

  • “We have observed activity in this campaign since at least January 2023. The attacker seems to be interested in payment stats from the orders in the victim’s Magento store placed in the past 10 days.
  • The attacker registers a new Magento component and masks it as “GoogleShoppingAds.”
  • The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.
  • The web shell login page masquerades as an error page containing a hidden login form that attempts to glean victim credentials.
  • The attacker creates a backdoor admin user in Magento, named “mageplaza” or “mageworx,” as another deception trick, as those are the names of popular Magento extension stores.
  • The attacker uses the older Dirty COW exploit (CVE-2016-5195) to attempt privilege escalation within Linux.
  • Evidence indicates Russian origins for this threat.
  • Some of the websites involved in this campaign were observed to be infected with simple JavaScript-based skimmers with no attempt to obfuscate or hide their existence.”
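The indicators above translate directly into hunting logic. The script below is an added example, not code from the Akamai report or from Magento: it scans web server access lines for the “magemojo000” cookie and for requests to a route named after the masked “GoogleShoppingAds” component, and checks an exported list of Magento admin usernames for the “mageplaza”/“mageworx” backdoor accounts. The nginx log_format (with `$http_cookie` appended as the last quoted field), the URL path the masked component answers on, and the sample log lines are all constructed assumptions for the demonstration; the cookie, component and user names come from the report.

```python
"""Hunt for Xurum-style indicators in access logs and a Magento admin-user export.

Added example; not from the Akamai report or the Magento project.
"""
import re
from dataclasses import dataclass

# Indicator names taken from the Akamai report.
BACKDOOR_COOKIE = "magemojo000"
BACKDOOR_COMPONENT = "GoogleShoppingAds"
BACKDOOR_ADMIN_USERS = {"mageplaza", "mageworx"}

# ASSUMED nginx log_format:
#   '$remote_addr - [$time_local] "$request" $status "$http_cookie"'
# Real deployments must add $http_cookie to their log_format first.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines. The /googleshoppingads/... route is an ASSUMPTION
# about how the masked component would be reached; the report only gives the name.
SAMPLE_LOG = [
    '203.0.113.7 - [09/Aug/2023:10:15:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 "PHPSESSID=abc; form_key=xyz"',
    '203.0.113.7 - [09/Aug/2023:10:15:09 +0000] "POST /checkout/cart/add HTTP/1.1" 302 "PHPSESSID=abc; form_key=xyz"',
    '198.51.100.23 - [09/Aug/2023:10:16:44 +0000] "GET /googleshoppingads/index/index HTTP/1.1" 200 "magemojo000=1; PHPSESSID=def"',
    '198.51.100.23 - [09/Aug/2023:10:16:51 +0000] "POST /googleshoppingads/index/index HTTP/1.1" 200 "magemojo000=1; PHPSESSID=def"',
    '192.0.2.5 - [09/Aug/2023:10:17:00 +0000] "GET /robots.txt HTTP/1.1" 200 "-"',
    'not a log line at all',
]


@dataclass(frozen=True)
class Hit:
    ip: str
    time: str
    path: str
    reason: str


def cookie_names(header: str) -> set[str]:
    """Return the set of cookie names in a raw Cookie header ("a=1; b=2" -> {"a", "b"})."""
    names = set()
    for part in header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name:
            names.add(name)
    return names


def scan_access_log(lines):
    """Flag requests carrying the activation cookie or touching the masked component."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        ip, time, path, cookie = m["ip"], m["time"], m["path"], m["cookie"]
        # Match on the cookie *name*, so a value that merely contains the string is not enough.
        if BACKDOOR_COOKIE in cookie_names(cookie):
            hits.append(Hit(ip, time, path, f"backdoor activation cookie {BACKDOOR_COOKIE}"))
        if BACKDOOR_COMPONENT.lower() in path.lower():
            hits.append(Hit(ip, time, path, f"request to masked component {BACKDOOR_COMPONENT}"))
    return hits


def suspicious_admin_users(usernames):
    """Return admin usernames matching the backdoor account names, case-insensitively.

    Feed it the output of: SELECT username FROM admin_user;
    """
    return sorted(u for u in usernames if u.lower() in BACKDOOR_ADMIN_USERS)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.ip} {hit.path}: {hit.reason}")
    # Constructed admin_user export for the demonstration.
    print(suspicious_admin_users(["admin", "Mageplaza", "shop_ops", "mageworx"]))
```

Pivot on every IP the first function returns: the same source will usually appear in the skimmer injection and in the admin-user creation, and any request that reaches the web shell without the cookie is an expected non-hit, since the backdoor only activates when the cookie is present.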

Indicators of Compromise

The Akamai report publishes indicators in the following categories: four attacking IPs, one malware hosting domain, one file name, two Magento user names and two email addresses. Consult the original report for the values.