RC RANDOM CHAOS

AitM phishing kit hijacks ManageWP accounts via Google ads, 200+ victims confirmed

via BleepingComputer

Original source: "Hackers abuse Google ads for GoDaddy ManageWP login phishing" (BleepingComputer)

A phishing operation is buying Google sponsored results for the ‘managewp’ query to outrank GoDaddy’s legitimate login page for its WordPress fleet-management platform. Victims who click are funneled through an adversary-in-the-middle proxy that relays credentials and 2FA codes to the attacker in real time, defeating TOTP-based protections. Stolen credentials are exfiltrated to a Telegram channel while the operator simultaneously authenticates against the real ManageWP service.

Guardio Labs penetrated the C2 and found an interactive operator panel with a dropdown command system, suggesting a private framework rather than an off-the-shelf phishing kit. Embedded Russian-language terms-of-use forbid targeting Russian systems and disclaim liability under an ‘educational’ fig leaf — a familiar tell of CIS-region tooling. Researchers have confirmed 200 unique victims so far.

The blast radius is significant: ManageWP accounts typically administer hundreds of WordPress sites each, and the platform’s plugin is installed on more than a million sites. A single compromised operator account hands the attacker a ready-made conduit for mass WordPress takeover, malware injection, or supply-chain attacks against the downstream sites.
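Why a real-time relay defeats TOTP, shown from the verifying server's side. This is an added example, not code from the article or from Guardio Labs. The origins, key and nonce are constructed, and the HMAC-based "origin-bound" response is a simplified stand-in for the origin binding that phishing-resistant authenticators perform, not a real WebAuthn implementation.

```python
import hashlib, hmac, struct

REAL_ORIGIN = "https://login.example.test"        # constructed placeholder
LOOKALIKE_ORIGIN = "https://login-example.test"   # constructed placeholder

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are only the shared secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Typical check: accept the current or previous 30 s step to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now - d), submitted) for d in (0, 30))

def origin_bound_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified stand-in: the client mixes in the origin the browser actually loaded."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def server_accepts_origin_bound(key: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes with its own origin, so a response made elsewhere fails."""
    expected = origin_bound_response(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)

def demo() -> tuple[bool, bool]:
    secret = b"12345678901234567890"               # RFC 6238 test secret
    entered_at = 59                                # user types the code on the lookalike page
    code = totp(secret, entered_at)                # nothing in the code names a site
    # The code reaches the real service 5 s later, via any path: still valid.
    totp_ok = server_accepts_totp(secret, code, entered_at + 5)

    key, challenge = b"constructed-demo-key", b"constructed-nonce"
    # The client computed its response while the browser was on the lookalike origin.
    resp = origin_bound_response(key, challenge, LOOKALIKE_ORIGIN)
    bound_ok = server_accepts_origin_bound(key, challenge, resp)
    return totp_ok, bound_ok

if __name__ == "__main__":
    print(demo())
```

The TOTP check passes because the code is valid wherever it was typed, while the origin-bound check fails because the response was computed for a different origin than the one the server expects.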

This is an AI-generated summary. Read the original for the full story.