Advanced Evasion: How Magecart Weaponizes Stripe and GTM as C2 Infrastructure

A sophisticated new Magecart campaign has emerged, demonstrating a high level of operational maturity by weaponizing legitimate cloud services to bypass traditional security perimeters. Rather than relying on suspicious, newly registered domains, attackers are leveraging Google Tag Manager (GTM) for delivery and Stripe’s API as both a Command and Control (C2) server and a data exfiltration sink.

By utilizing googletagmanager.com and api.stripe.com, the attackers exploit the inherent trust e-commerce platforms place in these domains. Most Content Security Policies (CSP) and network filters allow these endpoints by default, effectively creating a blind spot for even well-configured security stacks.

The Three-Stage Attack Lifecycle

The attack chain is architected in three distinct, highly modular stages designed to minimize the footprint on the victim’s site and maximize the longevity of the infection.

1. Payload Delivery via GTM

The infection begins with the injection of a malicious GTM container (such as GTM-P6KZMF63) as a custom tag on the victim’s website. This container does not host the skimmer itself; instead, it acts as a lightweight loader. When the loader detects a URL containing “checkout,” it initiates a fetch request to a specific Stripe customer record managed by the attacker.

The skimmer payload is not stored as a single file, but is instead fragmented across various Stripe customer metadata fields. The loader reconstructs these chunks and executes the assembled JavaScript using the new Function() constructor. This decoupling is critical: it allows the attacker to update the malicious payload in real-time via the Stripe Dashboard without ever needing to re-infect the victim’s website.

2. Silent Data Harvesting

Once executed, the skimmer attaches itself to the checkout DOM, with Sansec researchers observing selectors specifically tuned for Magento and Adobe Commerce markup. The script remains dormant until a “checkout” button click event is detected.

Upon trigger, the skimmer scrapes highly sensitive information, including:

  • Credit card numbers and CVV codes
  • Expiration dates
  • Comprehensive billing and order metadata

To evade runtime monitoring, the skimmer does not immediately perform a network request. Instead, it XOR-encodes the stolen data with a fixed key, appends a specific marker, and writes the encoded blob to the browser’s localStorage. Because no outbound request is made at the moment of capture, this local staging defeats network-level behavioral analysis that looks for exfiltration immediately following a form submission.

3. Stealthy Exfiltration via Stripe API

The final stage is handled by the GTM loader. At intervals (one second after page load and subsequently every 60 seconds), the loader reads the localStorage blob, deconstructs it, and transmits the stolen fragments via POST requests. These fragments are injected as metadata fields into a newly created Stripe customer record within the attacker’s account.

A major forensic indicator in this campaign is the presence of a hardcoded Stripe secret key (prefixed with sk_test_) within the client-side loader. Under no legitimate circumstances should secret keys be exposed in front-end code, making this a “smoking gun” for compromise.

Through this method, every stolen credit card is transformed into a searchable “customer” entry in the attacker’s Stripe dashboard, providing a persistent and organized database of stolen credentials hidden behind a trusted domain.

Variants and Infrastructure Evolution

Evidence suggests the campaign has been active since at least late 2025. Variations of this attack have also been observed utilizing Google Firestore. In these instances, the loader reads payloads and writes stolen data to Firestore documents using paths designed to mimic legitimate bot-protection or analytics traffic.

Defense and Mitigation Strategies

Because this attack utilizes authorized, well-formed requests to legitimate cloud APIs, traditional domain blocklists are ineffective. Defensive strategies must shift toward behavioral integrity and strict credential management.

Immediate Technical Actions:

  • Secret Key Auditing: Treat any instance of sk_test_ or sk_live_ appearing in client-side JavaScript as an immediate, high-priority compromise.
  • GTM Integrity Checks: Regularly audit all GTM containers and third-party tags. Ensure that tag editing permissions are restricted to a minimal number of trusted personnel.
  • CSP Hardening: While you may need to allow api.stripe.com, implement strict connect-src directives and monitor for unusual patterns in API usage.
  • Endpoint Monitoring: Look for unauthorized usage of firestore.googleapis.com or unexpected metadata updates via Stripe.
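The secret-key audit and endpoint-monitoring actions above can be automated as a static scan over deployed front-end assets. The following is an added example, not code from the article or from Sansec: a Node.js rule set that flags the indicators this campaign leaves in client-side JavaScript (Stripe secret keys, direct calls to the Stripe customers API or Firestore, runtime code assembly, localStorage staging, GTM container IDs to cross-check against your tag inventory). The rule names, the key-length threshold and the sample tag are assumptions constructed for illustration.

```javascript
// Added example (not from the original article or Sansec): a static scan over
// client-side JavaScript for the indicators this campaign leaves behind.
// Rule names, the key-length threshold and the sample script are assumptions.
const RULES = [
  { id: "stripe-secret-key", severity: "critical",
    re: /\bsk_(?:test|live)_[A-Za-z0-9]{16,}/g },          // secret key in front-end code
  { id: "stripe-customers-api", severity: "high",
    re: /https?:\/\/api\.stripe\.com\/v1\/customers\b/g },   // direct customer-record access
  { id: "firestore-endpoint", severity: "high",
    re: /firestore\.googleapis\.com/g },                     // Firestore variant of the campaign
  { id: "dynamic-code-eval", severity: "medium",
    re: /new\s+Function\s*\(/g },                            // assembling code at runtime
  { id: "localstorage-staging", severity: "medium",
    re: /localStorage\.setItem\s*\(/g },                     // staging data before exfiltration
  { id: "gtm-container", severity: "info",
    re: /\bGTM-[A-Z0-9]{6,}\b/g },                           // container IDs to cross-check against inventory
];

// Returns one finding per match with its 1-based line number, so a CI job or a
// scheduled scan of deployed assets can diff results against a known-good baseline.
function scanClientScript(source, name = "inline") {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.re)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ file: name, rule: rule.id, severity: rule.severity, line,
                      // never echo a full key into logs; keep only the prefix
                      sample: m[0].slice(0, 12) });
    }
  }
  return findings;
}

function hasCriticalFinding(findings) {
  return findings.some((f) => f.severity === "critical");
}

// Constructed sample of a suspicious custom tag: indicator strings only,
// no working skimmer logic. Key and customer ID are placeholders.
const SAMPLE_TAG = `
(function(){
  var k = "sk_test_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123";  // constructed placeholder
  if (location.href.indexOf("checkout") > -1) {
    fetch("https://api.stripe.com/v1/customers/cus_PLACEHOLDER");
  }
  localStorage.setItem("x", "...");
})();`;

console.table(scanClientScript(SAMPLE_TAG, "gtm-custom-tag.js"));
```

Run it over every script your storefront serves (including the rendered GTM container, since the tag body lives in GTM rather than in your repository) and alert on any critical finding; a pk_ publishable key is expected in front-end code and is deliberately not matched.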

Recommended Tooling:

For e-commerce operators, automated detection is vital. Sansec recommends deploying Sansec Shield to proactively block exploitation attempts and utilizing eComscan to identify injected skimmers, backdoors, and unauthorized modifications to the core commerce engine.

In the event of a suspected breach, operators should immediately rotate all Stripe API credentials, remove unauthorized GTM tags, and conduct a comprehensive audit of all front-end code for direct calls to cloud service endpoints.
