Help TDS: How a Stealthy WordPress Malware Turned into a Global Scam Platform
A large-scale campaign compromising WordPress websites has been uncovered, tied to the evolution of the Help TDS system and the malicious plugin woocommerce_inputs. According to research from GoDaddy Security, between late 2024 and June 2025, the operators of Help TDS steadily enhanced both their infrastructure and the malware’s functionality, transforming it from a simple traffic redirection system into a fully-fledged platform for monetizing compromised sites.
Help TDS, a Traffic Direction System active since at least 2017, is designed to redirect visitors from infected sites to fraudulent “tech support” pages, where they are deceived into believing their systems are infected and coerced into paying for unnecessary “urgent fixes.” Beyond tech support scams, the system supports multiple monetization vectors, including phishing sites, cryptocurrency fraud, dating services, and lottery scams.
In recent months, the infrastructure of Help TDS has become tightly integrated with the malicious WordPress plugin woocommerce_inputs, which attackers deploy using stolen administrator credentials. Masquerading as a legitimate WooCommerce component — though absent from WordPress’s official repository — this plugin harvests user credentials, redirects search traffic to fake Microsoft Windows Security Alert pages, and dynamically updates its malicious payloads via Help TDS command-and-control servers.
GoDaddy’s research highlights a clear evolutionary trajectory of the plugin. Version 1.4 (late 2024) introduced geographic traffic filtering, stealth activation, and cookie manipulation to ensure redirection only for select visitors. Version 1.5 (May 2025) added credential theft, exfiltrating WordPress logins and emails to the C2 server pinkfels[.]shop. Version 1.7 expanded its scope, redirecting all new users from search engines rather than targeting specific regions. Version 2.0.0 (June 2025) implemented an autonomous update mechanism, allowing the plugin to fetch and replace itself daily from a C2 server without administrator involvement. Finally, Version 3.0.0 (July 2025) emerged as the most complex variant, capable of infecting sites running on any CMS, embedding redundant persistence mechanisms, and even eliminating rival malware — though it remains rare due to instability and frequent errors.
The Help TDS infrastructure is built on a distributed architecture, leveraging Telegram channels, dynamic domains, and C2 servers such as pinkfels[.]shop for fresh redirection URLs and update distribution. Researchers observed automated logic that caches campaign data, assigns unique identifiers, and manages cookies to avoid redirecting the same visitor twice.
GoDaddy estimates that over 10,000 WordPress websites worldwide have been infected during this campaign. Log analysis revealed attackers accessing admin dashboards with valid credentials, uploading and activating the plugin, and concealing their origins via proxy networks.
Experts warn that the compromise chain is self-sustaining: stolen credentials are used to install the plugin, which then harvests additional credentials and feeds them back into Help TDS, creating a vicious “closed-loop” cycle.
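One way to hunt for the compromise chain described above in ordinary web server access logs is to look, per client IP, for a successful admin login followed within a short window by a plugin upload and a plugin activation. The script below is an added example, not GoDaddy's tooling or anything from the report; it assumes Apache/Nginx combined log format and WordPress's default admin endpoints (`wp-login.php`, `wp-admin/update.php?action=upload-plugin`, `wp-admin/plugins.php?action=activate`), and the log lines, IP addresses and the 30-minute window are constructed for illustration.

```python
"""Hunt for the login -> plugin upload -> plugin activation chain in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). The IPs are RFC 5737
# documentation addresses and the requests are illustrative, not captured data.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2025:10:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2025:10:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2025:10:14:31 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2025:10:14:40 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=woocommerce_inputs%2Fwoocommerce_inputs.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jun/2025:11:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jun/2025:11:02:15 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Jun/2025:11:30:00 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=akismet%2Fakismet.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def classify(ev):
    """Map a request to a chain stage ("login", "upload", "activate") or None."""
    parts = urlsplit(ev["target"])
    qs = parse_qs(parts.query)          # also percent-decodes the plugin slug
    action = qs.get("action", [""])[0]
    # WordPress answers a successful form login with a 302 to the dashboard.
    if parts.path == "/wp-login.php" and ev["method"] == "POST" and ev["status"] == 302:
        return "login", None
    if parts.path == "/wp-admin/update.php" and ev["method"] == "POST" and action == "upload-plugin":
        return "upload", None
    if parts.path == "/wp-admin/plugins.php" and action == "activate":
        return "activate", qs.get("plugin", [""])[0]
    return None, None


def detect_plugin_install_chains(log_text, window=timedelta(minutes=30)):
    """Return one finding per plugin activation, rated by how much of the chain preceded it."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        login_at, uploaded = None, False
        for ev in events:
            stage, plugin = classify(ev)
            if stage == "login":
                login_at, uploaded = ev["ts"], False   # new admin session starts here
                continue
            in_session = login_at is not None and ev["ts"] - login_at <= window
            if stage == "upload" and in_session:
                uploaded = True
            elif stage == "activate":
                stages = ["activate"]
                if in_session:
                    stages = ["login"] + (["upload"] if uploaded else []) + stages
                # high: full login -> upload -> activate chain from one IP
                # medium: login then activate (plugin placed on disk some other way)
                # low: activation with no login observed in the window
                severity = "high" if "upload" in stages else "medium" if "login" in stages else "low"
                findings.append({"ip": ip, "plugin": plugin, "stages": stages,
                                 "severity": severity, "at": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_plugin_install_chains(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["plugin"], "->".join(f["stages"]), f["at"])
```

On the constructed sample this flags the full chain from 203.0.113.7 (activation of `woocommerce_inputs/woocommerce_inputs.php` 38 seconds after a successful login and a plugin upload) as high, the akismet activation from 192.0.2.9 with no login in the window as low, and produces nothing for the ordinary editing session from 198.51.100.20. Because the report notes the attackers hide behind proxy networks, the per-IP correlation is a starting point rather than a complete detection: a chain split across several exit addresses would appear as separate medium or low findings, so any activation of an unfamiliar plugin slug deserves a look regardless of severity.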
To mitigate the threat, GoDaddy advises:
- Mandatory multi-factor authentication for WordPress administrators.
- Regular audits of installed plugins and WordPress files.
- Monitoring for unauthorized database tables and scheduled tasks.
- Deployment of tools to detect malicious redirects and data exfiltration.
- Blocking connections to suspicious C2 nodes, including pinkfels[.]shop.
Ultimately, Help TDS has evolved into a full-fledged malware-as-a-service (MaaS) platform, combining redirections, data theft, autonomous updates, and dynamic infrastructure. The campaign remains active, and the number of infected websites continues to grow.