WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

Magento RCE Vulnerability (CVE-2026-XXXX) Fuels Sophisticated WebRTC Payment Skimmer

For General Readers (Journalistic Brief)

Cybercriminals have launched a sophisticated attack targeting online stores built on Magento and Adobe Commerce platforms, exploiting a critical flaw to gain unauthorized control of web servers. Once inside, they deploy a stealthy "skimmer" designed to steal customer payment card details as they are entered.

This threat is particularly concerning due to the attackers' clever use of WebRTC, a technology typically used for real-time communication like video calls. They are repurposing it to secretly transmit stolen credit card numbers from compromised online stores directly to their own servers, bypassing many common security defenses that monitor traditional web traffic.

The initial weakness, codenamed "PolyShell" (CVE-2026-XXXX), allows attackers to upload malicious files to the server without needing any login credentials. This is a critical "Remote Code Execution" (RCE) vulnerability, meaning attackers can run their own commands on the server. Widespread exploitation of this flaw has been observed since mid-March 2026.

For shoppers, this means any online store using an unpatched version of Magento or Adobe Commerce could be at risk of having their payment information stolen, leading to fraudulent charges. For businesses, it's an urgent call to action to patch their systems and protect their customers' sensitive financial data from this advanced attack.

Technical Deep-Dive

1. Executive Summary

A critical vulnerability, identified as CVE-2026-XXXX (unassigned) and codenamed "PolyShell," has been discovered in Magento Open Source and Adobe Commerce. This flaw permits unauthenticated arbitrary file uploads, leading to Remote Code Execution (RCE). Widespread exploitation of PolyShell has been observed since March 19, 2026. The CVSS score for CVE-2026-XXXX is Unknown at the time of analysis. The severity is classified as Critical due to the RCE capability and the subsequent deployment of a sophisticated payment card skimmer. This skimmer uniquely leverages Web Real-Time Communication (WebRTC) DataChannels for both malicious payload delivery and sensitive payment card data exfiltration, effectively bypassing traditional security controls such as Content Security Policy (CSP).

2. Technical Vulnerability Analysis

CVE ID and Details: CVE-2026-XXXX (Unassigned at the time of reporting). Publication Date: Not publicly disclosed. Known Exploited Status: Yes, widespread exploitation observed since March 19, 2026. CVSS Metrics: Unknown.
Root Cause (Code-Level): The PolyShell vulnerability (CVE-2026-XXXX) stems from an insecure file upload implementation within the Magento/Adobe Commerce REST API. Specifically, the API endpoint responsible for handling file uploads does not adequately validate the type, content, or execution potential of uploaded files. This allows an attacker to upload arbitrary files, including executable scripts or files that can be interpreted as executable by the web server environment, bypassing intended file type restrictions. This weakness can be categorized under CWE-434: Unrestricted Upload of File with Dangerous Type.
- Code Pattern (Conceptual):
```
// Hypothetical vulnerable code snippet in Magento/Adobe Commerce REST API
public function uploadFile($fileData, $destinationPath) {
    // Missing validation: No check for file type, content, or execution potential
    // The 'move_uploaded_file' function directly uses the user-provided filename and temporary location.
    if (move_uploaded_file($fileData['tmp_name'], $destinationPath . '/' . $fileData['name'])) {
        // File uploaded successfully, potentially an executable script
        return true;
    }
    return false;
}
```
Affected Components:
- Magento Open Source: All versions prior to the patch for CVE-2026-XXXX.
- Adobe Commerce: All versions prior to the patch for CVE-2026-XXXX.
- Specific version ranges are not publicly disclosed beyond the beta patch release.
Attack Surface: The vulnerability is exposed via the Magento/Adobe Commerce REST API. Unauthenticated access to this API is the primary attack surface.

3. Exploitation Analysis (Red-Team Focus)

Red-Team Exploitation Steps:
1. Prerequisites: A target system running a vulnerable version of Magento Open Source or Adobe Commerce. Network accessibility to the Magento/Adobe Commerce REST API.
2. Access Requirements: Unauthenticated access to the Magento/Adobe Commerce REST API.
3. Exploitation Steps:
  a. Identify Vulnerable Endpoint: Reconnaissance to identify the specific REST API endpoint responsible for file uploads that lacks proper validation.
  b. Craft Malicious File Upload Request: Prepare a POST request to the vulnerable REST API endpoint. The request body will contain a file upload payload. The attacker uploads a file that is either an executable script (e.g., PHP, Python, Perl) or a file that can be disguised as a legitimate asset but contains malicious code. The filename might be crafted to bypass basic extension checks (e.g., shell.php.jpg, shell.php%00.png).
  c. Execute Upload: Send the crafted request to the target server.
  d. Locate Uploaded File: Determine the absolute path where the file was uploaded on the web server. This often requires knowledge of Magento's file structure or enumeration techniques.
  e. Remote Code Execution (RCE): Access the uploaded file via a direct URL (e.g., https://vulnerable-site.com/path/to/uploaded/shell.php) or trigger its execution through another mechanism. This grants the attacker an initial RCE shell on the web server, operating with the privileges of the web server user (e.g., www-data, apache).
  f. Deploy Skimmer Payload: From the RCE shell, download and execute the WebRTC skimmer payload. This payload is typically a JavaScript file. The attacker might use wget, curl, or other system utilities for this.
  g. Establish WebRTC Connection: The skimmer JavaScript initiates a WebRTC peer connection to a hardcoded C2 IP address (202.181.177[.]177) on UDP port 3479. This port is a standard STUN/TURN server port, often used for NAT traversal and signaling. The connection establishes a DTLS-encrypted DataChannel.
  h. Inject Malicious JavaScript: The skimmer payload, delivered via WebRTC DataChannel, is injected into the compromised e-commerce website's DOM. This is achieved by dynamically creating <script> elements or modifying existing JavaScript files loaded by the user's browser.
  i. Data Capture: The injected JavaScript monitors user input fields (e.g., credit card number, expiry date, CVV) on payment forms. It uses event listeners (e.g., input, change, submit) to intercept this sensitive information.
  j. Data Exfiltration: Captured payment card data is exfiltrated over the established WebRTC DataChannel to the C2 server (202.181.177[.]177).
4. Payload Delivery: The WebRTC skimmer JavaScript payload is delivered via WebRTC DataChannel.
5. Post-Exploitation: Persistent access via RCE, ongoing data exfiltration, potential lateral movement within the network if the compromised web server has access to other internal systems or credentials.
Public PoCs and Exploits: No specific CVE-2026-XXXX PoC links are publicly disclosed in the source article. However, general techniques for exploiting Magento REST API vulnerabilities and deploying web shells are widely documented. The WebRTC exfiltration method is a novel technique.
Exploitation Prerequisites:
- Target system running a vulnerable version of Magento Open Source or Adobe Commerce.
- Network accessibility to the Magento/Adobe Commerce REST API from the attacker's IP.
- Knowledge of the specific REST API endpoint susceptible to arbitrary file uploads.
- The web server environment must be configured to execute the uploaded script (e.g., PHP interpreter enabled for .php files).
- The target user's browser must support WebRTC and not have restrictive network policies preventing UDP traffic.
Automation Potential: High. The initial PolyShell exploitation can be automated through scripting to scan for vulnerable endpoints and perform file uploads. The WebRTC skimmer's operation is inherently automated once injected into the website and loaded by a user's browser. The entire attack chain, from initial scan to data exfiltration, is highly automatable.
Attacker Privilege Requirements: Unauthenticated (for the initial PolyShell exploit). Once RCE is achieved, the attacker operates with the privileges of the web server process (e.g., www-data, apache, nginx user).
Worst-Case Scenario:
- Confidentiality: Complete compromise of all payment card data processed by the affected e-commerce platform. This includes credit card numbers, expiry dates, CVV codes, and potentially PII associated with transactions. This data can be used for direct financial fraud or sold on the dark web.
- Integrity: Potential modification of website content or transaction data, though the primary focus appears to be data theft. An attacker could alter product prices or redirect transactions.
- Availability: Minimal direct impact on availability from the skimmer itself, but the initial RCE could be used for denial-of-service attacks or further system compromise. The widespread exploitation could lead to reputational damage and customer trust erosion, indirectly impacting availability through customer churn.

4. Vulnerability Detection (SOC/Defensive Focus)

How to Detect if Vulnerable:
- Check Magento/Adobe Commerce Version: Verify the installed version of Magento Open Source or Adobe Commerce. If it is prior to the patch for CVE-2026-XXXX (specifically, any version before 2.4.9-beta1 and its subsequent stable releases), the system is vulnerable.
- Configuration Artifacts: Examine web server configurations for any custom rules or lack thereof that might permit arbitrary file uploads to sensitive directories. Review Magento's API access logs for unusual file upload attempts, particularly those with suspicious filenames or content types.
- Proof-of-Concept Detection Tests (Safe):
  - REST API Endpoint Enumeration: Attempt to enumerate or interact with known Magento REST API endpoints related to file uploads. A successful upload of a benign file (e.g., a .txt file) to a non-executable location could indicate a misconfiguration, but a successful upload of a script to an accessible path is a strong indicator of vulnerability.
  - Network Traffic Analysis: Monitor outbound UDP traffic from web servers on ports commonly used for WebRTC (e.g., 3479, 50000-65535). While this is not definitive, it can highlight suspicious activity. Analyze DNS logs for queries to known malicious IPs or domains associated with the C2.
Indicators of Compromise (IOCs):
- File Hashes: Unknown at this time, as the skimmer is delivered dynamically via WebRTC DataChannel. The initial web shell uploaded via RCE would have a hash, but these are often custom-generated.
- Network Indicators:
  - C2 IP: 202.181.177[.]177 (UDP Port 3479).
  - Suspicious outbound UDP traffic on ports 3479, 50000-65535 originating from web servers.
  - DNS queries to domains associated with the C2 IP (if any).
- Process Behavior Patterns:
  - Web server processes (e.g., php-fpm, apache2, nginx) spawning unexpected child processes or making outbound network connections on non-standard ports or to unusual destinations.
  - JavaScript code injection into legitimate website assets, observable via browser developer tools or network traffic inspection.
  - Execution of wget, curl, or similar utilities by web server processes for downloading external payloads.
- Registry/Config Changes: Not directly applicable to the skimmer itself, but the initial RCE might lead to system configuration changes for persistence or further compromise.
- Log Signatures:
  - Magento/Adobe Commerce API access logs showing successful file uploads to unexpected locations or with suspicious filenames (e.g., *.php.jpg, shell.php).
  - Web server access logs showing requests to newly uploaded executable files (e.g., /path/to/uploaded/shell.php).
  - Firewall logs showing outbound UDP traffic to 202.181.177[.]177 on port 3479.
  - EDR alerts for suspicious JavaScript execution, network connections from web server processes, or file creation in unexpected directories.
  - Web server error logs indicating failed attempts to execute non-executable files or access non-existent paths.

SIEM Detection Queries:

// KQL Query for Microsoft Sentinel / Azure Log Analytics
// Detects outbound UDP traffic on port 3479 from web servers, a common WebRTC signaling port.
// This rule aims to identify potential C2 communication or payload delivery attempts.
// Assumes NetworkConnections table is populated with relevant data.

NetworkConnections
| where TimeGenerated > ago(24h)
| where Direction == "Outbound"
| where Protocol == "UDP"
| where RemotePort == 3479
| where LocalPort >= 1024 // Filter out common system ports if necessary
| where ComputerName has_any ("webserver", "ecommerce", "magento", "apache", "nginx", "php-fpm") // Filter for web server hostnames or processes
| project Timestamp, ComputerName, LocalIP, RemoteIP, RemotePort, ProcessName, AccountName, CommandLine, DomainName, Url
| summarize count() by ComputerName, LocalIP, RemoteIP, RemotePort, ProcessName, AccountName, CommandLine, DomainName, Url, bin(Timestamp, 1h)
| where count_ > 5 // Threshold for suspicious activity (e.g., more than 5 connections in an hour)
| project Timestamp, ComputerName, LocalIP, RemoteIP, RemotePort, ProcessName, AccountName, CommandLine, DomainName, Url, ActivityCount = count_
| order by Timestamp desc

# SPL Query for Splunk
# Detects outbound UDP traffic on port 3479 from web servers, a common WebRTC signaling port.
# This rule aims to identify potential C2 communication or payload delivery attempts.
# Assumes appropriate network connection logs are indexed.

index=* sourcetype=network_connections (Direction="Outbound") (Protocol="UDP") (RemotePort="3479") (LocalPort>=1024) (ComputerName=webserver* OR ComputerName=ecommerce* OR ComputerName=magento* OR ProcessName=apache* OR ProcessName=nginx* OR ProcessName=php-fpm*)
| stats count by ComputerName, LocalIP, RemoteIP, RemotePort, ProcessName, AccountName, CommandLine, DomainName, Url, bin(_time, 1h)
| where count > 5
| rename _time as Timestamp, count as ActivityCount
| table Timestamp, ComputerName, LocalIP, RemoteIP, RemotePort, ProcessName, AccountName, CommandLine, DomainName, Url, ActivityCount
| sort - Timestamp

Behavioral Indicators:
- Sudden increase in outbound UDP traffic from web servers on ports 3479 or ephemeral UDP ports, especially to unusual external IPs.
- Web server processes making outbound connections to known malicious IPs (202.181.177[.]177) or unusual IP ranges.
- Unusual JavaScript code appearing in website source code or network traffic, especially code that attempts to establish WebRTC connections or manipulate DOM elements related to payment forms.
- Web server logs showing successful file uploads to directories that should not host executable content, or uploads with suspicious filenames.
- Browser developer tools showing new, unexpected JavaScript files being loaded or executed, or modifications to existing scripts.
- Alerts from network intrusion detection systems (NIDS) or firewalls regarding suspicious UDP traffic patterns.

5. Mitigation & Remediation (Blue-Team Focus)

Official Patch Information:
- Vendor: Adobe
- Patch Name: Not explicitly named for CVE-2026-XXXX, but the vulnerability is addressed in Magento Open Source 2.4.9-beta1 and subsequent stable releases.
- Patch Availability Date: March 10, 2026 (for beta release). Stable release dates are not publicly disclosed.
- Version Numbers that Fix: Magento Open Source 2.4.9-beta1 and later stable versions.
Workarounds & Temporary Fixes:
- Disable REST API (if not essential): If the Magento REST API is not critically required for the e-commerce operation, consider disabling or restricting access to it, especially endpoints related to file uploads. This can be achieved by firewall rules or API gateway configurations.
- Web Application Firewall (WAF) Rules: Implement WAF rules to block requests that attempt to upload executable file types (e.g., .php, .exe, .sh) or files with suspicious double extensions (e.g., .php.jpg). Block requests to known vulnerable API endpoints. Use signature-based detection for known web shell patterns.
- Network Segmentation: Isolate Magento/Adobe Commerce servers from critical internal networks. Restrict outbound UDP traffic from web servers to only necessary ports and destinations. Implement egress filtering for UDP traffic.
- File Upload Validation (Server-Side): Implement strict server-side validation for all file uploads, ensuring only permitted file types are accepted and that uploaded files are stored in non-executable directories. This should include checking file magic bytes, not just extensions.
- Disable Unnecessary WebRTC Functionality: If WebRTC is not a required feature for the e-commerce site, block outbound UDP traffic on common WebRTC ports (e.g., 3479, 50000-65535) at the network perimeter.
- Content Security Policy (CSP) Hardening: While CSP does not directly block WebRTC UDP traffic, a robust CSP can limit the injection of malicious scripts that initiate WebRTC connections. Ensure script-src directives are restrictive.
Manual Remediation Steps (Non-Automated):
1. Identify Vulnerable Instances: Scan all Magento/Adobe Commerce installations to determine their version. Prioritize systems with public-facing REST API endpoints.
2. Backup: Perform a full backup of the affected Magento/Adobe Commerce installation, including files and database.
3. Apply Patch: Upgrade Magento Open Source or Adobe Commerce to version 2.4.9-beta1 or a later stable release that includes the fix for CVE-2026-XXXX. Follow Adobe's official upgrade documentation meticulously.
4. Review API Access: Audit all API credentials and access logs. Revoke any suspicious or unused API tokens. Implement rate limiting on API endpoints.
5. Scan for Compromise: Perform a thorough scan of the web server for any unauthorized files, scripts, or modifications.
  - Command to find potentially uploaded PHP shells (example):
```
# Search for common web shell patterns in PHP files within the Magento web root.
# This is an illustrative command and may need tuning based on the environment.
# Consider using YARA rules for more sophisticated pattern matching.
find /var/www/html/magento -type f -name "*.php" -exec grep -EHn "eval\(base64_decode\(|assert\(|system\(|passthru\(|shell_exec\(|exec\(" {} \; || echo "No obvious web shells found."
```
    (Note: This command is illustrative and may need adjustment based on the actual Magento installation path and the specific shell used. It looks for common indicators of web shells. It's crucial to understand the false positive potential.)
6. Remove Malicious Files: If any unauthorized files are found, isolate the affected server, remove the malicious files, and investigate the initial compromise vector. Rebuild the server from a known good backup if significant compromise is suspected.
7. Review Web Server Configuration: Ensure that directories intended for media uploads are not executable by the web server. Configure php.ini to disable dangerous functions like exec, system, passthru, shell_exec, popen, proc_open if not strictly required.
8. Monitor Network Traffic: Implement enhanced monitoring for outbound UDP traffic from web servers, specifically looking for connections to 202.181.177[.]177 on port 3479.
Risk Assessment During Remediation:
- Continued Data Theft: Until patches are applied and systems are verified clean, the risk of ongoing payment card data exfiltration remains high.
- Further Compromise: The RCE vulnerability could be leveraged for further system compromise, including lateral movement, ransomware deployment, or data destruction.
- Reputational Damage: If customer data is exfiltrated, the organization faces significant reputational damage, loss of customer trust, and potential regulatory fines (e.g., GDPR, CCPA).
- Operational Disruption: Remediation efforts, including patching and scanning, may require downtime or reduced service availability.

6. Supply-Chain & Environment-Specific Impact

CI/CD Impact: If vulnerable Magento instances are deployed via CI/CD pipelines, the vulnerability could be introduced into production environments. Build pipelines should incorporate checks for Magento version and known vulnerable components. Artifact repositories hosting Magento extensions should be scanned for known vulnerable dependencies. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) should be integrated into the pipeline.
Container/Kubernetes Impact: If Magento is deployed within Docker containers or Kubernetes, vulnerable images can propagate the risk. Container images must be built from secure base images and regularly scanned for vulnerabilities (e.g., using Trivy, Clair). Container isolation effectiveness is crucial; if a container is compromised, the impact is limited to the container unless container escape vulnerabilities exist. The WebRTC skimmer would operate within the container's network namespace, and its outbound UDP traffic would be subject to Kubernetes network policies.
Supply-Chain Implications: The PolyShell vulnerability itself is not a direct supply-chain attack vector in the traditional sense (e.g., compromising a third-party library). However, if an attacker gains RCE on a Magento instance, they could potentially use that foothold to compromise other systems or dependencies within the organization's infrastructure, thus indirectly impacting the supply chain. The WebRTC exfiltration method is a sophisticated evasion technique that could be adopted by various threat actors to make their operations harder to detect.

7. Advanced Technical Analysis

Exploitation Workflow (Detailed):
1. Reconnaissance: Attacker identifies target e-commerce sites running Magento/Adobe Commerce. This involves scanning for specific HTTP headers, analyzing HTML source for Magento identifiers, and probing known REST API endpoints.
2. Vulnerability Scanning: Automated tools or manual checks probe for the PolyShell vulnerability (CVE-2026-XXXX) via the REST API. This involves sending POST requests to suspected file upload endpoints with various file types and names.
3. Initial Access (RCE): Attacker crafts and sends a POST request to a vulnerable REST API endpoint. The Content-Type header might be set to multipart/form-data. The request body contains a file with a server-side executable extension (e.g., shell.php). The move_uploaded_file function, lacking validation, saves this file to a web-accessible directory (e.g., pub/media/catalog/product/).
4. Execution Trigger: Attacker accesses the uploaded script via its URL (e.g., https://target.com/pub/media/catalog/product/shell.php?cmd=id). The web server (e.g., Nginx, Apache) invokes the PHP interpreter to execute the script, granting the attacker an interactive RCE shell.
5. Payload Delivery (Skimmer): From the RCE shell, the attacker downloads the WebRTC skimmer JavaScript payload (e.g., skimmer.js) to the web server. This might be done using wget or curl to a URL provided by the attacker.
6. WebRTC Connection Establishment: The skimmer.js script, when loaded by a user's browser, initiates a WebRTC peer connection. This involves:
  - Signaling: The JavaScript might use a hardcoded IP (202.181.177[.]177) on UDP port 3479 for initial signaling or ICE negotiation. It could also use a separate WebSocket or HTTP endpoint for signaling.
  - ICE Candidates: The browser exchanges ICE candidates (IP addresses, ports, protocols) with the C2 server to find a common path.
  - DTLS Handshake: A DTLS handshake occurs over UDP to establish a secure DataChannel.
7. Payload Injection: The WebRTC DataChannel is used to deliver the core malicious JavaScript code that will be injected into the e-commerce site's pages. This code might be dynamically generated or fetched from the C2. The injection typically involves document.createElement('script') and setting its src or textContent.
8. DOM Manipulation & Data Capture: The injected JavaScript modifies the DOM, adding event listeners to payment forms. It targets input fields for credit card numbers, expiry dates, and CVVs. Event listeners like input, change, and submit are used to intercept data.
9. Data Exfiltration: Captured payment card information is serialized (e.g., JSON) and sent over the established WebRTC DataChannel to the C2 server (202.181.177[.]177). The DTLS encryption protects this data in transit.
10. Persistence (Optional): Attacker may establish further persistence mechanisms on the server via the RCE, such as creating new cron jobs, modifying system startup scripts, or installing rootkits.
Code-Level Weakness: The PolyShell vulnerability (CVE-2026-XXXX) is an Unrestricted Upload of File with Dangerous Type (CWE-434). The specific weakness lies in the lack of robust server-side validation for files uploaded via the REST API. Key missing checks include:
- File Extension Validation: The code does not enforce a whitelist of allowed file extensions. It directly uses the user-provided filename.
- MIME Type Verification: The Content-Type header is not validated against the actual file content.
- File Content Inspection: The actual content of the uploaded file is not inspected for malicious patterns or executable code.
- Directory Permissions: Uploaded files are placed in directories that are often web-accessible and executable by the web server.
The WebRTC component utilizes standard WebRTC APIs (RTCPeerConnection, RTCDataChannel). The evasion comes from the protocol (UDP/DTLS) and its operation outside the typical HTTP request/response cycle monitored by CSP. The use of UDP and DTLS makes it harder for traditional HTTP proxies and firewalls to inspect the traffic content.
Related CVEs & Chaining:
- CVE-2026-XXXX (PolyShell): The initial RCE vector.
- WebRTC DataChannel Abuse: This is a technique, not a CVE. However, similar techniques involving abusing legitimate protocols for C2 and exfiltration are common. For example, DNS over HTTPS (DoH) or DNS over TLS (DoT) can be abused for C2.
- Similar Vulnerabilities: Other vulnerabilities involving insecure file uploads in web applications (e.g., CVE-2013-0176 for WordPress, various PHP file upload vulns in CMS platforms) share the CWE-434 root cause. The novelty here is the subsequent abuse of WebRTC.
Bypass Techniques:
- CSP Bypass: The primary bypass is the use of WebRTC DataChannels. CSP rules (script-src, connect-src, default-src) are primarily designed to control HTTP/HTTPS traffic and resource loading. WebRTC uses UDP and DTLS, which are not directly governed by these HTTP-centric CSP directives. The encrypted nature of DTLS further obfuscates the traffic content from network inspection tools that rely on HTTP parsing.
- WAF Bypass (for PolyShell): Attackers can bypass WAFs by:
  - Obfuscating malicious payloads within seemingly legitimate file types (e.g., embedding PHP code within a JPEG using steganography or null bytes).
  - Using encoding techniques (e.g., base64, URL encoding) within the request parameters or body.
  - Exploiting specific WAF misconfigurations or blind spots in their rule sets.
  - Targeting API endpoints that are not adequately protected by the WAF or are less commonly monitored.
  - Using HTTP parameter pollution or other request smuggling techniques.
- EDR Bypass (for Skimmer): The skimmer is JavaScript, which is often executed within the browser context. EDR solutions might have limited visibility into browser-executed JavaScript unless specific browser monitoring agents or advanced endpoint telemetry are deployed. The use of DTLS encryption also hinders network-level inspection by EDRs and NIDS. The traffic appears as legitimate UDP traffic on a standard port.

8. Practical Lab Testing

Safe Testing Environment Requirements:
- Isolated Network: A completely air-gapped or heavily segmented network segment, isolated from production and sensitive internal systems. This network should be configured to prevent any outbound connections to the public internet unless strictly necessary for specific testing scenarios (e.g., simulating C2 communication to a controlled IP).
- Virtual Machines (VMs): Multiple VMs for simulating target web servers (e.g., Ubuntu with Nginx/Apache and PHP, running a vulnerable Magento version) and a C2/attacker machine. This allows for easy snapshotting and rollback.
- Docker Containers: Docker containers can be used to quickly spin up and tear down vulnerable Magento environments, facilitating rapid testing of exploits and detection mechanisms.
- Network Traffic Capture Tools: Wireshark, tcpdump, or dedicated network analysis tools configured to capture traffic on relevant interfaces.
- Web Server Logs: Configured to capture detailed access and error logs. Ensure log levels are set to DEBUG if possible for maximum detail.
- Browser Developer Tools: Essential for inspecting injected JavaScript, DOM manipulation, and network requests within the browser.
- WebRTC Signaling Server (Optional): For simulating the WebRTC connection setup if the C2 IP is not directly accessible or for testing different signaling mechanisms beyond direct IP connection.
- Log Aggregation Platform: A local SIEM or log aggregation tool (e.g., ELK stack, Graylog) to ingest and analyze logs from the test environment.
How to Safely Test:
1. Deploy Vulnerable Magento: Set up a VM or Docker container with a known vulnerable version of Magento Open Source. Ensure it's not connected to any production network. Configure web server logs and PHP error logs.
2. Simulate PolyShell Exploit:
  - On the attacker VM, craft a POST request to the Magento REST API endpoint known for file uploads. Use tools like curl or Burp Suite.
  - Upload a benign, non-executable file (e.g., test.txt) to verify the upload mechanism and its target directory.
  - Upload a simple PHP web shell (e.g., <?php echo system($_GET['cmd']); ?>) to a predictable path (e.g., pub/media/testshell.php).
  - Access the uploaded shell via a browser on the attacker VM (e.g., http://vulnerable-magento-vm/pub/media/testshell.php?cmd=ls -la). Verify command execution.
3. Simulate Skimmer Deployment:
  - From the RCE shell on the vulnerable VM, download a dummy JavaScript file (e.g., dummy_skimmer.js) to the web server. This file will contain code to initiate WebRTC.
  - Modify the dummy JavaScript to include code that attempts to establish a WebRTC connection to a controlled C2 IP (e.g., your attacker VM's IP 192.168.x.x) on UDP port 3479. Include basic ICE candidate exchange and a RTCDataChannel.send("TEST_DATA") call.
  - Inject this dummy JavaScript into a legitimate Magento page. This can be done by modifying a theme template file or by using the RCE to dynamically inject it into the output of a page.
4. Monitor Network Traffic: Use Wireshark on the attacker VM to capture UDP traffic on port 3479. Observe for incoming connections from the vulnerable Magento VM. Analyze the captured packets for DTLS handshake and data channel traffic.
5. Simulate Data Exfiltration: Modify the dummy JavaScript to send a test string (e.g., "TEST_DATA_FROM_MAGENTO") over the WebRTC DataChannel to the attacker VM. On the attacker VM, run a simple Python script listening on UDP port 3479 to receive and print the data.
6. Test Detection: Run SIEM queries against captured logs (web server logs, firewall logs, EDR logs) to see if they would have alerted on the simulated traffic patterns and events.
Test Metrics:
- Successful RCE: Verified by executing commands on the target VM and observing output.
- Successful File Upload: Confirmed by the presence of the uploaded file in the web server's file system and its accessibility via URL.
- Successful WebRTC Connection: Observed UDP traffic on port 3479 from the target to the C2 IP, and successful DTLS handshake.
- Successful Data Reception: Verified by receiving the test string on the attacker VM via the WebRTC DataChannel.
- Detection Rule Efficacy: Percentage of simulated attack steps that trigger the defined SIEM detection rules. False positive rates should also be assessed.
- Mitigation Effectiveness: Successful blocking of file uploads or WebRTC connections after applying patches or implementing firewall rules. Measure the reduction in successful exploitation attempts.

9. Geopolitical & Attribution Context

Is there evidence of state-sponsored involvement? No public evidence or reporting suggests state-sponsored involvement for this specific incident. The motivation appears to be financially driven, characteristic of organized cybercrime groups. The use of a novel technique like WebRTC for exfiltration is more indicative of advanced criminal operations seeking to evade detection.
Targeted Sectors: E-commerce platforms running Magento Open Source and Adobe Commerce. This could include businesses of various sizes globally that process online payments.
Attribution Confidence: Low. The widespread nature of the exploitation and the focus on financial gain suggest a broad cybercriminal operation rather than a highly targeted state-sponsored campaign. The specific C2 IP (202.181.177[.]177) may be associated with anonymization services or compromised infrastructure, making direct attribution difficult.
Campaign Context: Unknown if this is part of a larger, named APT campaign. The technique of using WebRTC for exfiltration is novel and could be adopted by various threat actors. The initial RCE vector (PolyShell) is a specific vulnerability, but the subsequent payload and exfiltration method are adaptable.
If unknown: Attribution currently unconfirmed. No publicly available information links this activity to specific nation-state actors or known APT groups.

10. References & Sources

Original Article Source: The Hacker News - "Advanced WebRTC Payment Skimmer Leverages PolyShell for Evasion and Data Exfiltration" (Published: March 26, 2026)
NVD/CVE Records: CVE-2026-XXXX (Unassigned at time of reporting)
Vendor Advisories: Adobe Security Bulletins (Not yet publicly disclosed for CVE-2026-XXXX