Adversary-in-the-Middle Attack Targets GoDaddy's ManageWP via Google Ads
A sophisticated phishing campaign is leveraging Google Ads to target credentials for **ManageWP**, **GoDaddy's** platform for managing WordPress websites. The attack employs an adversary-in-the-middle (AiTM) technique to steal login credentials and bypass two-factor authentication (2FA).

IT security professionals and privacy-conscious users should be aware of a new phishing campaign targeting **ManageWP**, a widely used platform for managing multiple WordPress sites from a single dashboard. The attack, discovered by researchers at **Guardio Labs**, utilizes malicious Google Ads to redirect users to a fake login page mimicking the legitimate **ManageWP** interface.
### Sophisticated AiTM Phishing
The threat actors are employing an adversary-in-the-middle (AiTM) approach. This means the fake login page acts as a real-time proxy, intercepting credentials and 2FA codes between the victim and the real **ManageWP** service.

*Malicious Google Search result
Source: Guardio Labs*
Users who click on the malicious ad are presented with a login page virtually indistinguishable from the genuine **ManageWP** login. When users enter their credentials, this information is immediately relayed to a Telegram channel controlled by the attackers, who then use it to log into the platform in real time.
The attack doesn't stop at username and password theft. Victims are prompted to enter their 2FA code, which the attackers then use to gain complete access to the **ManageWP** account.
### Scale of the Attack
According to **Guardio Labs**, a single compromised **ManageWP** account can provide access to hundreds of websites. The **ManageWP** plugin, which enables the platform to control registered sites, is active on over 1 million websites, according to WordPress.org stats.
### Inside the Attacker's Infrastructure
**Guardio Labs** researchers infiltrated the attacker's command-and-control (C2) infrastructure, revealing a sophisticated, operator-driven phishing operation. The C2 panel features a dropdown command system enabling interactive control over the phishing process.

*C2 panel
Source: Guardio Labs*
Lead researcher Nati Tal noted that the phishing framework appears to be a private development rather than a commodity kit.
Interestingly, the code contains a Russian-language agreement disclaiming responsibility for illegal activities and prohibiting the use of the panel against Russia-based systems.
### Mitigation and Victim Notification
**Guardio Labs** has captured victim data and is actively notifying affected users. At the time of reporting, they have identified approximately 200 unique victims.