m2cmds.php: Magento 2 Dev Tool or Deceptive Hacktool?

Is this m2cmds.php file an insecure third-party dev tool for Magento - or a malicious hacktool used by an attacker?

Skimmer Loaded Via Image On MemberPress Checkout Form & Magento

A payment card skimmer hidden within an existing PNG image on an infected WordPress website that uses MemberPress and collects payment data for private membership. A variant was also found stealing payment card information on an infected Magento website.

Trojan Malware, Recon, & BEC Attacks

Attackers were running recon on a foreign company via trojan spyware connected to a C2 panel on a compromised web host server. Unfortunately, they forgot to have their logs and screenshots automatically purged from their C2 panel, so I was able to stumble upon their mainly intact C2 panel. Let’s see what it reveals about their operation.

Magento 2 Skimmer Uses getCredentialStorage

A PHP skimmer injected into a Magento 2 core file and used to steal login data from HTTP requests.

Recover Data From RansomWeb Malware

RansomWeb malware rewrites your file’s text to unreadable binary data and appends .xploiter to the file’s extension (e.g. index.php.xploiter) - but you can use the malware against itself to revert back to your original files.
Disclaimer: The research posted on this website is for information purposes only. Do not use it for illegal purposes.