WordPress Redirect Malware Exploits Google Tag Manager, Leading to Spam Domains

Written by: Lore Apostol, Cybersecurity Writer

A new wave of WordPress redirect malware has been detected, exploiting Google Tag Manager (GTM) scripts to inject malicious code and hijack website traffic. This sophisticated attack compromises WordPress databases, redirecting users to spam domains and damaging website credibility.  

The Attack Method  

Cybercriminals are injecting malicious GTM scripts directly into WordPress databases, bypassing traditional file-based malware scanners, according to the latest Sucuri report.

These scripts call remote JavaScript code hosted on Google Tag Manager’s domain, loading redirects to spam websites. 

Image: Script redirecting the user to the domain spelletjes[.]nl, currently known to be associated with spam campaigns | Source: Sucuri

The malware leverages GTM’s trusted reputation to evade detection, embedding itself in database tables like wp_options and wp_posts.  

One campaign uncovered by cybersecurity experts involved a GTM container ID (GTM-PL2J2GLH) used on more than 200 WordPress sites. The scripts redirect visitors to spam domains such as spelletjes[.]nl, harming user experience and reputation.

The attackers likely gained admin-level access through compromised credentials, adding the destructive scripts via the WordPress admin panel.  
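Because the injection lives in database rows rather than in files, a check has to read the stored content itself. The following is an added example, not code from the article or from Sucuri: it scans rows exported from wp_options (option_name, option_value) and wp_posts (ID, post_content) and reports any GTM container ID that is not on the site's own allowlist. The function name, the sample rows and the allowlisted ID GTM-EXAMPLE1 are constructed for illustration.

```python
import re

# GTM container IDs: "GTM-" followed by uppercase letters and digits.
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,12}\b")
# Reference to the GTM host; "\\?/" also matches JSON-escaped slashes ("\/")
# as they can appear in stored option values.
GTM_HOST_RE = re.compile(r"googletagmanager\.com\\?/", re.IGNORECASE)


def find_unexpected_gtm(rows, allowed_ids):
    """rows: iterable of (table, row_key, content) taken from a DB export.
    allowed_ids: container IDs the site owner actually uses.
    Returns one finding per unexpected container ID per row."""
    allowed = set(allowed_ids)
    findings = []
    for table, key, content in rows:
        ids = set(GTM_ID_RE.findall(content))
        for cid in sorted(ids - allowed):
            findings.append({
                "table": table,
                "row": key,
                "container_id": cid,
                # True when the row also references the GTM host, i.e. the
                # ID is part of a loader URL and not just text in a post.
                "loads_gtm": bool(GTM_HOST_RE.search(content)),
            })
    return findings


# Constructed sample rows (not real site data).
SAMPLE_ROWS = [
    ("wp_options", "header_scripts",
     '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1"></script>'),
    ("wp_posts", 1042,
     '<p>Hello</p><script src="https://www.googletagmanager.com/gtm.js?id=GTM-PL2J2GLH"></script>'),
    ("wp_posts", 1043, "<p>No tags here.</p>"),
]

if __name__ == "__main__":
    for f in find_unexpected_gtm(SAMPLE_ROWS, {"GTM-EXAMPLE1"}):
        print(f)
```

An empty allowlist reports every container ID found, which is a useful first pass on a site whose owner does not know which containers are legitimately in use.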

Impact on WordPress Sites  

This Google Tag Manager exploit disrupts website functionality, leading to adverse SEO consequences and reduced visitor trust. 

Redirects from infected websites often result in malware warnings from browsers and security tools, potentially blacklisting the site. Businesses face significant operational and reputational risks alongside possible financial losses.  

Remediation Steps  

Website owners can mitigate this WordPress security threat using these remediation measures:

A similar attack occurred earlier this month, involving malicious code injections into WordPress themes that redirected users to other websites. Malicious Google Tag Manager scripts can also be employed to steal payment card data on Magento websites.

