
WordPress Keylogger Returns via New Domains that Affected More than 1000+ Websites



A WordPress keylogger that previously spread via Cloudflare[.]solutions has returned via new domains and has affected more than 1000 WordPress websites.
This WordPress keylogger was discovered on Cloudflare[.]solutions in 2017, and the domain was completely taken down, but the attackers have now registered new domains.



Three Malicious IPs
Sucuri has identified that this new attack uses the following 3 servers:

185.209.23.219 (cdjs[.]online, or 3117488091, where you can still find the cloudflare[.]solutions version of the keylogger)
185.14.28.10 (or 3104709642, which still hosts the hxxp://185.14.28 .10/lib/jquery-3.2.1.min.js?v=3.2.11 crypto miners and the cloudflare[.]solutions version of the keylogger hxxp://185 .14 .28. 10/lib/kl.js)
107.181.161.159 (cdns[.]ws and msdns[.]online – which serves new versions of the cryptominers and keyloggers)

Three new domains were identified: cdjs[.]online, cdns[.]ws and msdns[.]online. These 3 malicious domains are responsible for injecting the keylogger into thousands of websites.

According to Sucuri, 129 websites were identified for cdns[.]ws and 103 websites for cdjs[.]online, but it's likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites.

On newly infected websites the keylogger behaves the same way as in previous campaigns: unwanted banners are displayed at the bottom of the page, appearing 15 seconds after browsing the website, because the Cloudflare[.]solutions scripts are injected in function.php.

How Does This WordPress Keylogger Work
Attackers use many malicious scripts that are injected directly into the databases of the targeted WordPress websites to compromise them.
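
An added example (not from the original article or from Sucuri): it scans exported theme or database content for script tags that load from the hosts listed above, converting the decimal-integer IP form (such as 3117488091) to dotted-quad before matching. The function names, the sample markup and the /constructed.js path are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit
def refang(s):  # undo the article's defanging (hxxp, [.]) in memory only
    return s.replace("hxxp", "http").replace("[.]", ".")

# Indicators exactly as listed in the article above.
BAD_DOMAINS = {refang(d) for d in ("cloudflare[.]solutions", "cdjs[.]online",
                                   "cdns[.]ws", "msdns[.]online")}
BAD_IPS = {ipaddress.ip_address(ip) for ip in
           ("185.209.23.219", "185.14.28.10", "107.181.161.159")}
SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def normalize_host(host):
    """Dotted-quad or decimal-integer host -> IPv4Address; else lowercased name."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return host

def match_indicator(host):
    """Return the listed indicator that a host corresponds to, or None."""
    h = normalize_host(host)
    if not isinstance(h, str):
        return str(h) if h in BAD_IPS else None
    return next((d for d in sorted(BAD_DOMAINS)
                 if h == d or h.endswith("." + d)), None)

def scan(text):
    """Return [(src, indicator)] for script tags that load from a listed host."""
    hits = []
    for src in SRC_RE.findall(text):
        try:
            host = urlsplit(src).hostname or ""
        except ValueError:  # malformed URL in the src attribute
            continue
        indicator = match_indicator(host)
        if indicator:
            hits.append((src, indicator))
    return hits

# Constructed sample of exported page/theme content (not data from a real site).
SAMPLE = refang("""
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type='text/javascript' src='hxxp://3104709642/lib/kl.js'></script>
<script src="//static.msdns[.]online/constructed.js"></script>
<script src="hxxps://example.org/app.js"></script>
""")
```

Calling `scan()` on the text of a database export or a theme file returns each matching `src` value together with the listed indicator it resolves to.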

