How the attack is delivered through Google sponsored results
Researchers at Guardio Labs uncovered a phishing campaign that places a malicious sponsored search result above the legitimate one when users query "managewp" on Google. The sponsored result points victims to a login page that is visually identical to the real ManageWP sign-in. The campaign leverages Google ads to lure users who rely on search results to find the ManageWP URL.
Adversary-in-the-middle (AitM) mechanics and real-time theft
Unlike static credential-capture pages, the threat actor runs an adversary-in-the-middle (AitM) proxy. Credentials typed into the fake page are relayed to a Telegram channel controlled by the attacker, who immediately uses them to log into the genuine ManageWP service. That login triggers the real two-factor authentication (2FA) challenge, so the victim is shown a matching fake 2FA prompt; the attacker captures the code the victim enters and submits it to the genuine service while it is still valid, completing access to the ManageWP account in real time. Because the victim supplies a fresh, currently valid code, a one-time code on its own offers no protection against this flow; only a second factor bound to the site's origin (such as a FIDO2/WebAuthn security key) cannot be relayed this way.
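To make the mechanics concrete, here is an added Python simulation of the relay (this is illustrative code written for this page, not code from Guardio Labs, ManageWP, or the attackers' kit). It models a toy service that checks a password plus a time-based one-time code (RFC 6238 TOTP), an attacker relay that forwards whatever the victim types, and, for contrast, an origin-bound WebAuthn-style factor that the same relay cannot forward. The user record, secrets, and both origins are constructed stand-ins; the real ManageWP login host and the phishing domain are not reproduced here.

```python
"""
Simulated adversary-in-the-middle (AitM) relay against a 2FA code.

Constructed example: a toy service verifying password + TOTP, an attacker
relay that forwards the victim's input, and an origin-bound (WebAuthn-style)
factor that the same relay cannot forward. No real hosts or secrets are used.
"""
import base64
import hashlib
import hmac
import os
import struct

# --- constructed test data (assumptions, not values from the page) ---------
TOTP_SECRET = base64.b32encode(b"constructed-demo-secret!").decode()
USER = {
    "name": "agency-admin",
    "password": "correct horse battery staple",
    "authn_key": b"constructed-authenticator-key",  # stands in for a device's private key
}
LEGIT_ORIGIN = "https://service.example"        # stand-in for the real login host
PHISH_ORIGIN = "https://service-login.example"  # stand-in for the attacker's page


def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    key = base64.b32decode(secret_b32)
    counter = int(t) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(submitted: str, now: int, step: int = 30) -> bool:
    """Accept the current window and the previous one, as many servers do."""
    return any(hmac.compare_digest(submitted, totp(TOTP_SECRET, now - k * step))
               for k in (0, 1))


def login_with_totp(password: str, code: str, now: int) -> bool:
    """Toy service: password, then a one-time code. Nothing ties the code to where it was typed."""
    return hmac.compare_digest(password, USER["password"]) and verify_totp(code, now)


def sign_assertion(challenge: bytes, origin: str, key: bytes) -> bytes:
    """WebAuthn-style assertion: the browser mixes the origin it is on into the signed data.
    A real authenticator signs with an asymmetric key; HMAC stands in for that here."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


def login_with_webauthn(challenge: bytes, assertion: bytes) -> bool:
    """The service only accepts assertions bound to its own origin."""
    expected = sign_assertion(challenge, LEGIT_ORIGIN, USER["authn_key"])
    return hmac.compare_digest(assertion, expected)


def aitm_totp_attack(now: int) -> bool:
    """The flow described above: relay password, trigger real 2FA, relay the fresh code."""
    exfil = {"password": USER["password"]}        # 1. victim types password on the fake page
    # 2. attacker logs into the real service with it; the real 2FA challenge fires
    # 3. fake page shows a 2FA prompt; victim reads the current code from their app
    exfil["code"] = totp(TOTP_SECRET, now)
    # 4. attacker submits the relayed code a few seconds later, inside the validity window
    return login_with_totp(exfil["password"], exfil["code"], now + 5)


def aitm_webauthn_attack() -> bool:
    """Same relay against an origin-bound factor: the victim's browser is on the phishing
    origin, so the assertion it produces is bound to the wrong origin and is rejected."""
    challenge = os.urandom(32)                    # issued by the service to the attacker's session
    assertion = sign_assertion(challenge, PHISH_ORIGIN, USER["authn_key"])  # forwarded to victim
    return login_with_webauthn(challenge, assertion)


if __name__ == "__main__":
    t = 1_700_000_000
    print("AitM relay of a TOTP code succeeds:", aitm_totp_attack(t))
    print("Same code replayed 2 minutes later:", login_with_totp(USER["password"], totp(TOTP_SECRET, t), t + 120))
    print("AitM relay of an origin-bound assertion succeeds:", aitm_webauthn_attack())
```

The point the simulation makes is that replay protection is not the problem: a stale code is correctly rejected, but the relay never needs to replay, because it obtains a fresh code from the victim and uses it within the same window. The origin-bound factor fails the relay because the victim's browser signs the phishing origin, which the service never accepts.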
What Guardio Labs found inside the attackers' infrastructure
Guardio Labs was able to infiltrate the attackers' command-and-control (C2) infrastructure and observed an interactive dropdown command system that drives an operator-driven phishing flow. The researchers characterized the platform as a private phishing framework rather than a commodity phishing kit. They also found embedded in the code a Russian-language agreement that disclaims responsibility for illegal activity, includes an educational/research use disclaimer, and explicitly prohibits public leaks of panel files or use against Russia-based systems.
Scale of potential exposure and confirmed victims
The campaign targets ManageWP, GoDaddy’s centralized remote administration platform for WordPress websites. ManageWP users include web developers, web agencies managing client sites, and enterprises. WordPress.org statistics cited by Guardio Labs show ManageWP’s plugin is active on more than 1 million websites. Given that "each ManageWP account typically hosts hundreds of sites," Guardio Labs emphasized the high value of any single account compromise. At the time of reporting, Guardio Labs confirmed 200 unique victims and began contacting those victims to alert them about the exposure.
What this means for web developers, web agencies managing client sites, and enterprises
- Web developers: A single compromised ManageWP login may provide an attacker with access to scores or hundreds of managed sites, because individual ManageWP accounts typically host many sites.
- Web agencies managing client sites: Agencies that rely on ManageWP as a central administration panel should be aware that attackers are using search-engine ads and an AitM proxy to capture both credentials and 2FA codes in real time.
- Enterprises: The presence of the ManageWP plugin on more than 1 million sites underlines the platform’s broad footprint; the 200 confirmed victims show active exploitation of that footprint through a targeted phishing flow that captures both credentials and 2FA codes and uses them in real time.
Guardio Labs’ technical foothold inside the attackers’ C2 allowed the researchers to observe operator-driven controls and to recover victim data, which they used to notify affected accounts. The campaign’s use of sponsored search results, a live AitM proxy, a Telegram exfiltration channel, and a bespoke phishing framework suggests an adversary comfortable with operator-led, high-return targeting rather than one-off commodity phishing.
The immediate, observable facts are stark: a malicious ad placed above the legitimate ManageWP result, a page that proxies live logins, real-time capture and use of 2FA codes, and at least 200 confirmed victims. With ManageWP accounts typically aggregating hundreds of sites and the platform’s plugin active on more than 1 million sites, the incidents reported by Guardio Labs represent a concentrated risk for any organization that centralizes site administration on ManageWP.