Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors
Essential information
- Published
- 17/04/2026 10:35
- Modified
- 17/04/2026 10:47
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- command-and-control dynamic content injection joomla obfuscation php backdoor remote loader search engine manipulation seo spam
- Tags
- 2026-04-17 command and control dynamic content injection joomla obfuscation php backdoor remote loader search engine manipulation seo spam
- Related entities
- 4 indicators, 4 observables, 20 techniques (mitre), 3 others
Description
A compromised Joomla website displayed suspicious product links unrelated to the business. Investigation revealed heavily obfuscated PHP code injected at the top of index.php that contacted external command-and-control servers to receive instructions and manipulate content. The malware acts as a remote loader, assembling strings from two-character chunks to evade signature-based detection. It contacts primary C2 cdn.erpsaz.com and fallback cdn.saholerp.com, sending server fingerprint data and receiving dynamic instructions. Based on responses, it redirects visitors, injects spam content, or serves fake SEO pages to search engines. This approach allows attackers to control compromised sites remotely without modifying local files again, enabling dynamic spam injection, visitor redirection, and search engine manipulation while remaining undetected for extended periods.