Earlier this week, we published a blog post about an ongoing massive malware campaign describing multiple infection vectors that it uses. This same week, we started detecting new modifications of the scripts injected by this attack.
The general idea of the malware is the same, but the domain name and obfuscation has changed slightly.
For example, in the wp_post table they now inject this script:
Source: Scuri check