NEWS Hackers Launched a Malware MLM Pyramid Scheme — and Turned 10,000 Sites into Self-Developing Hacking Machines

ExcalibuR

The Help TDS virus learned to update itself and steal data.

A large-scale campaign compromising WordPress sites has been discovered, linked to the evolution of the Help TDS system and the malicious plugin woocommerce_inputs. According to research by GoDaddy Security, from late 2024 to June 2025, the developers of Help TDS consistently improved their infrastructure and the malware's functionality, transforming it from a simple traffic redirection system into a full-fledged platform for monetizing hacked sites.

Help TDS is a Traffic Direction System that has been active since at least 2017. It redirects users from infected sites to fake technical support pages, where visitors are convinced of non-existent threats and pressured into paying for "urgent problem resolution." The system also supports alternative monetization scenarios: redirects to phishing sites, cryptocurrency scams, dating services, and lottery pages.

In recent months, the Help TDS infrastructure has been closely integrated with the malicious WordPress plugin woocommerce_inputs, which attackers install using stolen administrator credentials. This plugin masquerades as a legitimate WooCommerce component but is not found in the official WordPress repository. With its help, the threat actors collect user credentials, redirect search traffic to fake Microsoft Windows Security Alert pages, and dynamically update the malicious code via Help TDS C2 servers.

According to GoDaddy data, the plugin has gone through several major evolutionary stages:

  • Version 1.4 (late 2024) introduced geographic traffic filtering, hidden activation, and cookie management to stealthily redirect only the desired visitors.
  • Version 1.5 (May 2025) added a function to steal WordPress credentials, including logins and email addresses, with subsequent exfiltration to the C2 server pinkfels[.]shop.
  • Version 1.7 expanded the attack scope, beginning to redirect all new users from search engines, not just those from limited regions.
  • Version 2.0.0 (June 2025) gained an autonomous update mechanism: the plugin daily requests new versions from the C2 server and replaces itself without administrator involvement.
  • Version 3.0.0 (July 2025) became the most complex variant—it can infect sites running any CMS, uses redundant persistence mechanisms, and eliminates competing malware, but is rare due to instability and numerous bugs.

The Help TDS infrastructure uses a distributed architecture, relying on Telegram channels, dynamic domains, and C2 servers like pinkfels[.]shop to obtain fresh redirection URLs and download updates. Researchers have documented automated logic that caches campaign data, sets unique identifiers, and uses cookies to avoid redirecting the same visitor twice.

GoDaddy estimates that over 10,000 WordPress sites worldwide have been infected as a result of this campaign. Log analysis showed that the attackers log into the admin panel using valid credentials, upload the plugin, activate it, and use proxies to hide the origin of the attacks.

Experts warn that this chain makes the attack self-sustaining: stolen passwords are used to install the plugin, which then harvests new credentials and sends them to Help TDS, creating a "closed-loop" effect.

To protect against such attacks, GoDaddy recommends:

  • Mandatory use of multi-factor authentication for administrators.
  • Regular checks of installed plugins and audits of WordPress files.
  • Monitoring for unauthorized database tables and scheduled tasks.
  • Installing tools to analyze malicious redirects and data exfiltration.
  • Controlling connections to suspicious C2 nodes, such as pinkfels[.]shop.
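As an added example (not from the original post or GoDaddy's report) of the log-review and plugin-audit points above: this Python script walks web-server access logs per client IP for the sequence the report describes, a successful login followed by a dashboard plugin upload and activation, and flags any activated plugin slug that is not on the site's allowlist. The log lines, IP addresses and allowlist are constructed; only the slug woocommerce_inputs comes from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined access-log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample (documentation IPs): one dashboard plugin install, one ordinary login.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Jun/2025:03:14:03 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 8812
203.0.113.7 - - [12/Jun/2025:03:14:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4210
203.0.113.7 - - [12/Jun/2025:03:14:12 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=woocommerce_inputs/woocommerce_inputs.php&_wpnonce=abc123 HTTP/1.1" 302 0
198.51.100.22 - - [12/Jun/2025:09:02:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.22 - - [12/Jun/2025:09:03:10 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 15230
"""

def parse_line(line):
    """Return (ip, method, path, query_dict, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, url, status = m.groups()
    parsed = urlparse(url)
    return ip, method, parsed.path, parse_qs(parsed.query), int(status)

def find_plugin_install_sessions(log_text, allowlist=frozenset()):
    """Per client IP, look for the sequence: successful login -> plugin upload via the
    dashboard -> plugin activation. Returns one record per IP that completed all three,
    with the activated slug and whether it is missing from the site's allowlist."""
    state = defaultdict(lambda: {"login": False, "upload": False, "plugin": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, query, status = rec
        s = state[ip]
        # Heuristic: WordPress answers a successful POST to wp-login.php with a 302 redirect.
        if method == "POST" and path == "/wp-login.php" and status == 302:
            s["login"] = True
        elif s["login"] and method == "POST" and path == "/wp-admin/update.php" \
                and query.get("action") == ["upload-plugin"]:
            s["upload"] = True
        elif s["upload"] and path == "/wp-admin/plugins.php" \
                and query.get("action") == ["activate"] and query.get("plugin"):
            s["plugin"] = query["plugin"][0].split("/")[0]  # "slug/main.php" -> "slug"
    return [{"ip": ip, "plugin": s["plugin"], "unexpected": s["plugin"] not in allowlist}
            for ip, s in state.items() if s["plugin"]]
```

Because the report notes the attackers used proxies, grouping by client IP is a simplification; where your logs carry a session cookie or logged-in username, key the state on that instead.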

Help TDS has evolved into a full-fledged malware-as-a-service (MaaS) platform, combining redirects, data theft, auto-updates, and dynamic infrastructure. The campaign remains active, and the number of infected sites continues to grow.