Help TDS Evolution: From Simple Redirects to Full Malware-as-a-Service Platform


Help TDS is a long-running Traffic Direction System (TDS) campaign that has evolved into a malware-as-a-service ecosystem. Since 2017, it has redirected visitors from compromised WordPress sites to tech support scams and other fraudulent monetization channels. Its operators now deploy the malicious woocommerce_inputs plugin, which is installed on over 10,000 websites worldwide, enabling credential theft, advanced evasion, and autonomous updates through centralized C2 infrastructure.

Severity Level: High

Infection Mechanism

  • Attackers log in to wp-admin using stolen WordPress administrator credentials.
  • Within roughly 20 seconds of logging in they open the plugin upload page, upload the woocommerce_inputs plugin, and activate it.
  • The plugin then hides itself from the plugin list, removes its own deactivation option, and sets up persistence mechanisms.
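The login-upload-activate chain above is a tight, repeatable sequence in the web server access log, which makes it a good hunting signal. The following is an added example (it is not code from the advisory or from GoDaddy's research) that parses Apache/nginx combined-format log lines and alerts when one client IP completes the whole chain within a short window. The sample log lines are constructed for the example (documentation-range IPs, placeholder nonce); the request paths are the standard WordPress ones for login, plugin upload and activation.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def classify(ev):
    """Map a request to a step of the install chain, or None."""
    p = ev["path"]
    # A successful wp-login.php POST answers 302 (redirect into wp-admin);
    # a failed attempt re-renders the form with 200 and is ignored here.
    if ev["method"] == "POST" and p.startswith("/wp-login.php") and ev["status"] == 302:
        return "login"
    if ev["method"] == "POST" and p.startswith("/wp-admin/update.php") and "action=upload-plugin" in p:
        return "upload"
    if p.startswith("/wp-admin/plugins.php") and "action=activate" in p:
        return "activate"
    return None

def find_rapid_plugin_installs(lines, window_seconds=60):
    """Alert when one client IP logs in, uploads a plugin and activates it
    within window_seconds of the login. Returns a list of alert dicts."""
    chains = {}   # ip -> {"login": ts, "upload": ts}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        step = classify(ev) if ev else None
        if step is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if step == "login":
            chains[ip] = {"login": ts}          # (re)start the chain for this IP
            continue
        chain = chains.get(ip)
        if chain is None or (ts - chain["login"]).total_seconds() > window_seconds:
            continue                            # no recent login from this IP
        if step == "upload":
            chain["upload"] = ts
        elif step == "activate" and "upload" in chain:
            m = re.search(r"[?&]plugin=([^&]+)", ev["path"])
            alerts.append({
                "ip": ip,
                "plugin": unquote(m.group(1)) if m else None,
                "elapsed_s": (ts - chain["login"]).total_seconds(),
                "activated_at": ts.isoformat(),
            })
            del chains[ip]
    return alerts

# Constructed sample: one failed login, then the 14-second attacker chain from
# 203.0.113.7, and a legitimate admin (198.51.100.20) who installs a plugin
# fifteen minutes after logging in. The nonce values are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:14:02:13 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:14:02:19 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:14:02:25 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=woocommerce_inputs%2Fwoocommerce_inputs.php&_wpnonce=abcd1234 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Aug/2025:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Aug/2025:09:15:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Aug/2025:09:15:40 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=akismet%2Fakismet.php&_wpnonce=ef567890 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def demo():
    return find_rapid_plugin_installs(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for a in demo():
        print(f"{a['ip']} installed {a['plugin']} {a['elapsed_s']:.0f}s after login")
```

The 60-second window is a tuning choice: the advisory's ~20 seconds is what automation looks like, and a human admin rarely completes the three steps that fast. Run it against real logs with `find_rapid_plugin_installs(open("access.log"))` and review every alert, since a scripted deployment by your own team will trip it too.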

Redirect Techniques

  • Browser lockers: full-screen pages that block the visitor from closing the tab or navigating away.
  • Fake CAPTCHA pages that mimic Cloudflare's verification screen.
  • Fake Microsoft Windows security alerts that push the visitor toward a tech support scam.

C2 Infrastructure

  • Primary: Telegram channel t[.]me/s/trafficredirect.
  • Fallback: pinkfels[.]shop (update checks, plugin delivery, geo-targeting).
  • Historical domains and IP: roi777[.]com, roi-traffic[.]icu, distie[.]shop, 54.36.180[.]110.

Help TDS Operation Evolution

  • Early Stages (2017–2023): Basic PHP-based redirects using URLs of the form /help/?<14 digits> (pattern /help/?\d{14}), tied to affiliate networks such as LosPollos.
  • Plugin Emergence (Late 2024): The woocommerce_inputs plugin appears, automating the redirects and integrating tightly with Help TDS.
  • Plugin Evolution:
    • v1.4: Filtering by geography (US, CA, JP) and device type, plus time-based evasion.
    • v1.5: Added exfiltration of WordPress user credentials (emails, usernames).
    • v1.7: Loosened the filtering to redirect more traffic globally.
    • v2.0.0: Automatic plugin update system driven by the C2 (pinkfels[.]shop).
    • v3.0.0: Experimental "mega-plugin" with redundant persistence mechanisms, apparently AI-generated and buggy in practice.

Recommendations

  1. Enforce MFA for all WordPress administrator accounts.
  2. Rotate and strengthen admin passwords regularly; do not reuse credentials across platforms.
  3. Audit installed plugins regularly; compare what the database and filesystem contain against what the admin UI shows, since this plugin hides itself from the plugin list.
  4. Watch for suspicious cookies (named redirect or prefixed partner_) and a database table named ip_tracking.
  5. Restrict WordPress admin access to trusted IP addresses.
  6. Scan regularly for malicious PHP files, especially under /wp-content/plugins/.
  7. Train staff to recognize fake Microsoft tech support scams (browser lockers, full-screen warnings).
  8. If woocommerce_inputs is detected:
    • Remove the malicious files (woocommerce_inputs.php, woocommerce-load.php) from the filesystem immediately; the plugin hides its own deactivation control, so do not rely on the admin UI.
    • Check for persistence artifacts: database entries (options and the ip_tracking table), scheduled tasks (WP-Cron events), and cache files.
    • Reset all WordPress admin credentials and revoke unauthorized accounts.
  9. Block the IOCs at the relevant controls (DNS, proxy/firewall, WAF):
    https://www.virustotal.com/gui/collection/246c5cb88eb8e7930f51b9a964f92276db300375bedda34c441b904f9fc2a3fa/iocs
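Recommendations 3, 4, 6 and 8 can be driven from one host-side audit. The block below is an added example (not code from the advisory or from GoDaddy's research). It parses the PHP-serialized active_plugins value as stored in wp_options, so a plugin that filters itself out of the admin plugin list is still seen; searches wp-content/plugins for the two file names named above; flags plugin directories outside an approved set; and matches table names against ip_tracking with or without the wp_ prefix. It assumes the active_plugins value and the table list have been pulled from the database beforehand (for example with WP-CLI). The plugin tree it audits in demo() is constructed in a temp directory, with placeholder PHP files; placing woocommerce-load.php inside the plugin directory there is an assumption, as the advisory does not say where that file lives.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory.
IOC_PLUGIN_DIRS = {"woocommerce_inputs"}
IOC_FILES = {"woocommerce_inputs.php", "woocommerce-load.php"}
IOC_TABLES = {"ip_tracking"}

def parse_php_string_array(blob: bytes) -> list:
    """Parse a PHP-serialized list of strings such as WordPress's active_plugins
    option: a:1:{i:0;s:19:"akismet/akismet.php";}. The s:N: length is a byte
    count, so the scan works on bytes rather than str."""
    head = re.match(rb"a:(\d+):\{", blob)
    if head is None:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    elem = re.compile(rb'i:\d+;s:(\d+):"')
    for _ in range(count):
        m = elem.match(blob, pos)
        if m is None:
            raise ValueError(f"unexpected element at byte {pos}")
        n, start = int(m.group(1)), m.end()
        items.append(blob[start:start + n].decode("utf-8"))
        pos = start + n
        if blob[pos:pos + 2] != b'";':
            raise ValueError(f"bad string terminator at byte {pos}")
        pos += 2
    if blob[pos:pos + 1] != b"}":
        raise ValueError("array not closed")
    return items

def audit_site(active_plugins_blob, plugins_dir, table_names, approved_slugs):
    """Return a list of (finding, detail) tuples for one WordPress install."""
    plugins_dir = Path(plugins_dir)
    findings = []
    # 1. What the database says is active. A plugin that hides itself from the
    #    admin plugin list is still recorded here.
    for entry in parse_php_string_array(active_plugins_blob):
        slug = entry.split("/", 1)[0]
        if slug in IOC_PLUGIN_DIRS:
            findings.append(("known_malicious_active", entry))
        elif slug not in approved_slugs:
            findings.append(("unapproved_active", entry))
    # 2. Known file names anywhere under wp-content/plugins.
    for path in plugins_dir.rglob("*.php"):
        if path.name in IOC_FILES:
            findings.append(("ioc_file", path.relative_to(plugins_dir).as_posix()))
    # 3. Plugin directories on disk that nobody approved (IOC dirs already reported).
    for d in plugins_dir.iterdir():
        if d.is_dir() and d.name not in approved_slugs and d.name not in IOC_PLUGIN_DIRS:
            findings.append(("unapproved_on_disk", d.name))
    # 4. Tables matching the indicator, with or without a wp_-style prefix.
    for t in table_names:
        if any(t == s or t.endswith("_" + s) for s in IOC_TABLES):
            findings.append(("ioc_table", t))
    return findings

def demo():
    """Build a constructed plugin tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    (root / "akismet").mkdir()
    (root / "akismet" / "akismet.php").write_text("<?php // placeholder legit plugin\n")
    (root / "woocommerce_inputs").mkdir()
    # Placeholder files carrying only the IOC names; the loader's real location
    # is an assumption for this sample.
    (root / "woocommerce_inputs" / "woocommerce_inputs.php").write_text("<?php // placeholder\n")
    (root / "woocommerce_inputs" / "woocommerce-load.php").write_text("<?php // placeholder\n")
    active = (b'a:2:{i:0;s:19:"akismet/akismet.php";'
              b'i:1;s:41:"woocommerce_inputs/woocommerce_inputs.php";}')
    tables = ["wp_options", "wp_users", "wp_postmeta", "wp_ip_tracking"]
    return audit_site(active, root, tables, approved_slugs={"akismet"})

if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

On a real host, feed audit_site() the raw option value (for example `wp option get active_plugins --format=json` gives you a JSON list instead, which you can pass straight to the slug checks) and the output of SHOW TABLES; keep the approved set under change control so an unexpected directory is a finding rather than noise.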

Source:

  • https://www.godaddy.com/resources/news/help-tds-malicious-plugins-redirect-tech-support-scams

Ampcus Cyber