Jump to content

Help Detecting the Threat: JS/Spy.Banker.KJ trojan

Go to solution Solved by dahms,

Recommended Posts


We have been told by a customer that our site was not available for some devices when using ESET.
Apparently the site is infected with JS/Spy.Banker.KJ trojan.

Site address is : https://zespa.fr/

I have tried to make a copy of the whole site and run an scan on it using ESET scan feature but nothing is found except in the cache folder where all pages are cached (which makes sense then).

Other than that, no threat seems to be found but we still have the warning when accessing the site so the js must be hidden somewhere.
Can you guys help us locate the threat ?

Thanks a lot,


Link to comment
Share on other sites

Thanks for your quick answer.

I have access to the database through DBeaver but I don't know what to look for.
Would you have any suggestions ?

Also how can I be sure the malignant js is not located in the server files ?



Link to comment
Share on other sites

I have tried to find the js by making search (looking for "blob") in all the DB tables but found nothing.

Since it seems to be injected in the Google Tag Manager script I have also tried to look up every GTM tags but nothing there as well.

Please find as an attached file how the GTM script is implemented on the site.

I have double checked and this is the right script directly from the implementation guide provided by Google.

What would you recommend ?

Capture d’écran 2023-08-01 à 14.15.49.png

Capture d’écran 2023-08-01 à 14.15.59.png

Link to comment
Share on other sites

Thanks for your help guys.

I was already aware of Sucuri site check results as I have installed the plugin on the infected wordpress site.

I have looked into website cleaning and monitoring services such as sucuri.net but those are quite expensive and do not seem to work for one-time intervention. 

Any other lead I could follow in order to solve the issue myself ?
I have all the access required both for server and database files.

Thanks !

Link to comment
Share on other sites

  • Solution

Hi guys,

Thanks for your help, I have found the issue.

If that can help someone here is how :

It was indeed located inside the database, in the wordpress "options" table. It was the value of one of the element from divi builder. I don't know how it was injected there but I have removed it. 

In order to locate it, I downloaded the whole database as SQL file and I used a code editor to bulk search some special terms in the whole database (like "atob" or "blob").

Have a good day !


Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...