CRITICAL SECURITY ALERT: Astroid Framework Global Compromise Campaign


Executive Summary

Update: Astroid Framework version 3.3.11 released 05/03/2026

SEVERITY: CRITICAL | ACTIVE ATTACK

A widespread, automated attack campaign is actively targeting all Joomla sites using the Astroid Framework (all versions affected, including latest releases). The attack installs persistent backdoors including the plg_system_blpayload spam injector and related payload files. This is a global incident with confirmed compromises in Switzerland, Germany, France, and internationally since March 1, 2026.

⚠️ IMMEDIATE ACTION REQUIRED: Take all Astroid-powered sites offline immediately until a security patch is released.

Attack Analysis

Primary Payload: plg_system_blpayload

This malicious system plugin acts as a SEO spam botnet agent:

  • Connects to api.hacklink.pw – a black-hat SEO backlink service
  • Injects spam links into your site's HTML before the </body> tag
  • Multiple injection modes: Hidden (off-screen), footer, content, sidebar, or mixed visibility
  • Self-enabling: Auto-activates with highest priority (ordering=9999) upon installation
  • Caching mechanism: Stores spam locally in /cache/plg_blpayload_[hash].html to evade detection

Secondary Payloads & Persistence

  • Fake extensions with random names (e.g., astroid_poc_fxeolugv – first seen Feb 24, 2026)
  • jcachepro variant – additional backdoor plugin discovered in some infections
  • Payload files dropped in /images/ directory with astroid_poc* naming pattern

Indicators of Compromise (IOCs)

Critical File Checks

Execute these commands via SSH immediately:

# Find primary backdoor plugin
find /path/to/joomla -name "*blpayload*" -type f

# Find fake astroid payload files
find /path/to/joomla/images/ -name "astroid_poc*" -type f

# Find jcachepro variant
find /path/to/joomla -name "*jcachepro*" -type d

# Search for hacklink references
grep -r "hacklink.pw" /path/to/joomla/

# Check for recently modified plugin files (last 7 days)
find /path/to/joomla/plugins/ -name "*.php" -mtime -7 -ls

Database Indicators

Query your #__extensions table for:

  • plg_system_blpayload (System plugin)
  • astroid_poc_[random] (Fake extensions)
  • Any extensions with creation dates of Feb 24, 2026 or March 1, 2026 that you did not install
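As an added example, not code from this alert or from the Joomla/Astroid projects, the following Python audit applies the database indicators above to rows fetched from #__extensions. It assumes the rows are dicts keyed by Joomla's column names, that the manifest creationDate is stored in the manifest_cache JSON, and uses constructed sample rows; it also flags the enabled=1/ordering=9999 self-enable pattern described in the deep dive later in this alert.

```python
import json
import re

# Constructed sample rows shaped like Joomla's #__extensions table (real column names, made-up values)
SAMPLE_ROWS = [
    {"name": "plg_system_blpayload", "type": "plugin", "element": "blpayload",
     "folder": "system", "enabled": 1, "ordering": 9999,
     "manifest_cache": '{"creationDate":"2026-03-01","version":"1.0.0"}'},
    {"name": "astroid_poc_fxeolugv", "type": "library", "element": "astroid_poc_fxeolugv",
     "folder": "", "enabled": 1, "ordering": 0,
     "manifest_cache": '{"creationDate":"2026-02-24","version":"1.0"}'},
    {"name": "plg_system_cache", "type": "plugin", "element": "cache",
     "folder": "system", "enabled": 0, "ordering": 9,
     "manifest_cache": '{"creationDate":"2007-02","version":"5.1.0"}'},
]

SUSPECT_NAME = re.compile(r"blpayload|astroid_poc|jcachepro", re.I)
CAMPAIGN_DATES = {"2026-02-24", "2026-03-01"}   # dates named in this alert

def creation_date(manifest_cache):
    """Return the manifest creationDate as YYYY-MM-DD (assumed to be stored in
    the manifest_cache JSON), or None when absent or not a full ISO date."""
    try:
        raw = str(json.loads(manifest_cache or "{}").get("creationDate", ""))
    except (ValueError, AttributeError):
        return None
    return raw if re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw) else None

def audit_extensions(rows):
    """Return (name, [reasons]) for each row matching an IOC from this alert."""
    findings = []
    for row in rows:
        reasons = []
        if SUSPECT_NAME.search(row["name"]) or SUSPECT_NAME.search(row["element"]):
            reasons.append("name matches a known payload pattern")
        # blpayload registers itself enabled with ordering=9999 (see the deep dive below)
        if (row["type"] == "plugin" and row["folder"] == "system"
                and row["enabled"] and row["ordering"] >= 9999):
            reasons.append("enabled system plugin with ordering >= 9999")
        if creation_date(row["manifest_cache"]) in CAMPAIGN_DATES:
            reasons.append("manifest creationDate matches a campaign date")
        if reasons:
            findings.append((row["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_extensions(SAMPLE_ROWS):
        print(f"SUSPECT {name}: {'; '.join(reasons)}")
```

Feed it the result of `SELECT name, type, element, folder, enabled, ordering, manifest_cache FROM <prefix>_extensions` from your own database client; a hit on any reason is a reason to treat the site as compromised and follow Phase 3.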

Visual Verification

  • View page source → Search for hacklink.pw
  • Look for hidden <div> elements with position:absolute;left:-9999px (hidden spam links)

Emergency Response Protocol

PHASE 1: IMMEDIATE CONTAINMENT (Do This NOW)

The Joomla Security Strike Team has issued an urgent directive: Shut down all Astroid sites immediately.

Option A: .htaccess Emergency Block

# Add to .htaccess in Joomla root - blocks all access
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^.*$ - [F,L]
</IfModule>

Option B: IP-Based Access Restriction

# Deny all except your IP (Apache 2.2 mod_access syntax; on Apache 2.4 without mod_access_compat use the equivalent Require ip directive)
deny from all
allow from YOUR.IP.ADDRESS.HERE

Option C: PHP Maintenance Mode

Create index.php in Joomla root:

<?php
header('HTTP/1.1 503 Service Unavailable');
header('Retry-After: 3600');
die('Emergency maintenance in progress. Please check back later.');
?>

PHASE 2: COMPROMISE ASSESSMENT

⚠️ WARNING: Manual cleaning is NOT RECOMMENDED. These backdoors have multiple persistence mechanisms and unknown entry vectors.

Check for Compromise:

  1. Files: Look for plg_system_blpayload in /plugins/system/
  2. Database: Look for suspicious entries in #__extensions with recent dates
  3. Images folder: Check for astroid_poc* files
  4. Frontend: View source and search for hacklink.pw

PHASE 3: RECOVERY (If Compromised)

You MUST restore from a clean backup dating BEFORE February 24, 2026 (the earliest known compromise date).

If no clean backup exists:

  • Complete rebuild required – assume full server compromise
  • Export content only (articles, menus, categories) – DO NOT export extensions/plugins
  • Fresh Joomla installation + fresh Astroid (post-patch)
  • Manually rebuild all template configurations – do not import compromised settings

Post-Recovery Security Hardening:

  1. Change ALL passwords (Joomla Super User, database, FTP, hosting panel)
  2. Enable Two-Factor Authentication on all admin accounts
  3. Audit user list for unauthorized administrator accounts
  4. Implement file integrity monitoring

PHASE 4: PREVENT REINFECTION

CRITICAL: There is NO PATCH AVAILABLE as of March 5, 2026. The vulnerability is unpatched and actively exploited.

Attack Timeline & Geographic Impact

Date         | Event                                                       | Severity
Feb 24, 2026 | First astroid_poc_fxeolugv extension spotted                | 🔴 Critical
Mar 1, 2026  | Mass plg_system_blpayload installations begin globally      | 🔴 Critical
Mar 3, 2026  | Swiss Joomla Forum reports 5+ compromised sites             | 🔴 Critical
Mar 4, 2026  | Joomla Security Strike Team issues emergency shutdown alert | 🔴 Critical
Mar 5, 2026  | German forum confirms international attack wave             | 🔴 Critical

Confirmed Affected Regions:

  • 🇨🇭 Switzerland (joomlaforum.ch)
  • 🇩🇪 Germany (joomla.de)
  • 🇫🇷 France (forum.joomla.fr)
  • 🌍 International (reports from multiple continents)

Technical Deep Dive: Attack Mechanism

The plg_system_blpayload Malware

Based on code analysis from the Swiss Joomla Forum, this sophisticated backdoor:

// Key malicious behaviors:
1. API callback to: http://api.hacklink.pw/api/get_backlinks?url=[YOUR_SITE]
2. Auto-enables via install.php database manipulation (enabled=1, ordering=9999)
3. Injects before </body> using onAfterRender() hook
4. Supports 5 placement modes: hidden (CSS off-screen), footer, content, sidebar, multi
5. Aggressiveness levels control link density (low=30%, medium=60%, high=100%)
6. Caches spam content for 1800 seconds to reduce API calls and evade detection

Why Standard Cleaning Fails

DO NOT attempt manual file deletion because:

  1. Database Persistence: Plugins are registered in #__extensions and auto-enable
  2. Multiple Variants: blpayload, jcachepro, and astroid_poc work together
  3. Unknown Entry Vector: The vulnerability allowing installation is still unidentified and unpatched
  4. Reinfection Risk: Sites cleaned without patching are re-compromised within hours
  5. Hidden Payloads: Files in /images/ directory often bypass security scanners

Action Checklist for Site Owners

  • [ ] IMMEDIATE: Take all Astroid sites offline via .htaccess/server block
  • [ ] Verify Backups: Identify last clean backup (pre-Feb 24, 2026)
  • [ ] Scan for IOCs: Check for blpayload, astroid_poc files
  • [ ] Database Audit: Query #__extensions for unauthorized entries
  • [ ] If Clean: Keep offline until patch released
  • [ ] If Compromised: Restore clean backup or complete rebuild
  • [ ] Credential Reset: Change all passwords post-recovery
  • [ ] Enable 2FA: Mandatory for all Super User accounts
  • [ ] File Monitoring: Implement integrity monitoring post-recovery
  • [ ] Monitor Channels: Watch Astroid GitHub/website for security updates

🔗 References & Resources

  1. Swiss Joomla Forum (Technical details, IOCs, malware code analysis):
    https://joomlaforum.ch/joomla6-erweiterungen/39320-seltsame-plugins-allenfalls-gehackte-joomla-6-seite

  2. German Joomla Forum (Official Joomla Security Strike Team alert):
    https://forum.joomla.de/thread/23401-astroid-framework-angriffswelle/

  3. Astroid Framework Security Advisories (Awaiting official patch):
    https://github.com/templaza/astroid-framework/security

  4. Astroid Official Website:
    https://astroidframe.work/

  5. Joomla Security Documentation (General hardening guidance):
    https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

  6. Sucuri Joomla Cleanup Guide:
    https://sucuri.net/guides/how-to-clean-joomla/

⚠️ FINAL WARNING: This is an active, unpatched, widespread attack campaign targeting a zero-day vulnerability in the Astroid Framework. Any site running Astroid Framework should be considered at immediate critical risk. The only safe approach is complete site shutdown until the TemPlaza development team identifies the entry vector and releases an emergency security patch.

Last Updated: March 5, 2026