
A new phishing campaign is targeting WooCommerce admins by sending fake security alerts. The emails trick users into downloading a “critical patch” that actually installs a dangerous WordPress backdoor, giving hackers full control over the website.
Security researchers at Patchstack discovered this ongoing campaign. They believe it is a continuation of a similar attack seen in late 2023, where WordPress users were targeted with fake updates for a made-up vulnerability.
Both campaigns share many similarities, including the same types of hidden web shells, identical ways of hiding the malware, and similar email styles.
How the Phishing Scam Works
The fake emails pretend to come from WooCommerce, using the email address help@security-woocommerce[.]com.
In the message, recipients are warned that hackers have targeted their site using a so-called “unauthenticated administrative access” vulnerability.
To “protect” their store, website admins are urged to immediately download a patch. The email even includes detailed step-by-step instructions to make the scam look more convincing.
Here’s a part of the phishing email:
“We are contacting you regarding a critical security vulnerability found in the WooCommerce platform on April 14, 2025.
Warning: Our latest security scan, carried out on April 21, 2025, has confirmed that this critical vulnerability directly impacts your website.
We strongly advise you to take urgent measures to secure your store and protect your data.”
The scammers use strong language to create a sense of urgency, hoping to push admins into acting without thinking carefully.
A Very Convincing Fake Website
When victims click the “Download Patch” button, they are taken to a fake WooCommerce website.
The fake site uses a domain name that looks almost identical to the real one: woocommėrce[.]com.
Notice the small difference — the scam website uses a Lithuanian “ė” character instead of a regular “e.”
This trick is called a homograph attack, and it is very easy to miss, especially for busy website admins.
What Happens After Infection
If the website admin downloads and installs the fake patch (named authbypass-update-31297-id.zip), a dangerous plugin is installed on their WordPress site.
This malicious plugin immediately creates a cronjob that runs every minute.
The cronjob tries to create a hidden admin account, giving attackers permanent access to the website.
The plugin also sends an HTTP request to woocommerce-services[.]com/wpapi, where it downloads more hidden malware.
This second-stage malware installs several web shells (hidden backdoors) inside the website’s wp-content/uploads/ folder.
Some of the web shells used are:
P.A.S.-Form
p0wny
WSO
These web shells give hackers full remote control over the site. Once inside, attackers can:
Inject ads onto the website
Redirect visitors to malicious sites
Use the server in DDoS (Distributed Denial-of-Service) attacks
Steal customers’ payment card data
Install ransomware to lock the website and demand a ransom
To stay hidden, the plugin removes itself from the list of active plugins. It also hides the secret admin account it created, making it harder for the site owner to notice the breach.

How to Protect Your Website
Patchstack advises WooCommerce and WordPress website owners to immediately check for signs of compromise.
Some warning signs include:
Admin accounts with random 8-character usernames
Unusual cronjobs running every minute
A suspicious folder named authbypass-update
Outgoing network requests to:
woocommerce-services[.]com
woocommerce-api[.]com
woocommerce-help[.]com
If you see any of these indicators, it’s likely your website has been compromised.
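The checks below are an added example, not Patchstack's tooling or code from this article: a small Python scanner that applies the indicator list above (8-character admin usernames, cron events firing every minute, the authbypass-update folder, outbound hosts matching the listed domains) and the homograph lookalike described earlier, by stripping accents from a non-ASCII hostname and comparing the result with the brand name. It assumes the site inventory has already been exported (for example with WP-CLI or a database query) into plain Python lists; the sample inventory is constructed.

```python
import re
import unicodedata

# Indicators reported for this campaign (the article writes them de-fanged).
C2_DOMAINS = {"woocommerce-services.com", "woocommerce-api.com", "woocommerce-help.com"}
SUSPICIOUS_DIR = "authbypass-update"

def is_random_admin(username):
    """Campaign heuristic: 8 random lowercase alphanumerics. A legitimate
    8-character login also matches, so treat hits as leads, not proof."""
    return re.fullmatch(r"[a-z0-9]{8}", username) is not None

def looks_like_homograph(hostname, brand="woocommerce"):
    """Flag a non-ASCII hostname whose accent-stripped form reads as the brand.
    The scam domain used 'ė' (U+0117): NFKD splits it into 'e' plus a combining
    mark, the ASCII encode drops the mark, and the skeleton equals the real name."""
    if hostname.isascii():
        return False
    skeleton = unicodedata.normalize("NFKD", hostname).encode("ascii", "ignore").decode()
    return brand in skeleton.lower()

def scan_site(admin_users, cron_events, plugin_dirs, outbound_hosts):
    """Check an exported site inventory against the article's indicators and
    return (indicator, value) pairs. cron_events are (hook, interval_seconds)
    as WP-Cron stores them; single-shot events carry no interval and are skipped."""
    findings = []
    for user in admin_users:
        if is_random_admin(user):
            findings.append(("random-8char-admin", user))
    for hook, interval in cron_events:
        if interval and interval <= 60:
            findings.append(("every-minute-cron", hook))
    for directory in plugin_dirs:
        if SUSPICIOUS_DIR in directory:
            findings.append(("suspicious-plugin-dir", directory))
    for host in (h.strip().lower() for h in outbound_hosts):
        if any(host == c2 or host.endswith("." + c2) for c2 in C2_DOMAINS):
            findings.append(("outbound-to-known-c2", host))
        elif looks_like_homograph(host):
            findings.append(("homograph-lookalike-host", host))
    return findings

# Constructed sample inventory (not real data) with one hit per indicator.
SAMPLE = dict(
    admin_users=["shopowner", "k3v9x2qz"],
    cron_events=[("wp_update_plugins", 43200), ("authbypass_cron", 60), ("one_off", None)],
    plugin_dirs=["woocommerce", "authbypass-update"],
    outbound_hosts=["api.wordpress.org", "woocommerce-services.com", "woocommėrce.com"],
)
```

Run `scan_site(**SAMPLE)` to get the five findings for the sample; on a real site, feed it the administrator list, the WP-Cron schedule, the plugin directory names and the hostnames seen in outbound traffic.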
However, Patchstack warns that hackers often change their methods once public reports expose them.
That means future phishing emails might look different, and malware could use different domains or file names.
Relying only on fixed detection rules is not enough — regular and thorough security audits are essential.
Tips to Stay Safe
Always double-check email addresses and website URLs before downloading anything.
Never install plugins or patches from emails. Always update through your official WordPress dashboard.
Use security plugins that scan for unusual admin accounts, web shells, and cronjobs.
Keep regular backups of your website in case you need to restore it after an attack.
Enable two-factor authentication (2FA) for your admin account to add an extra layer of protection.
Summary
The ongoing WooCommerce phishing attacks are a serious reminder that cybercriminals are becoming smarter.
They are using more convincing tricks, like homograph domains and professional-looking emails, to steal control of websites.
If you manage a WooCommerce or WordPress website, stay alert, verify all updates carefully, and make security a top priority.