Hello JoomShaper team,
We detected a security incident on multiple Joomla websites using Helix3.
Affected Helix3 versions:
- alexinsure.gr: System - Helix3 Framework 2.5.8, shaper_helix3 template 2.5.8
- artion-ee.gr: System - Helix3 Framework 3.0.3, shaper_helix3 template 3.0.3
- agro-center.gr: Helix3 Framework 1.0 / shaper_helix3 template 2.5.8 in an additional installation
On 2026-07-06, the same remote IP address 191.101.208.74 sent POST requests to:
/index.php?option=com_ajax&plugin=helix3&format=json
Immediately after these POST requests, deface files named cox.json were created in paths such as:
/httpdocs/cox.json
/httpdocs/images/cox.json
/httpdocs/media/cox.json
/httpdocs/templates/cox.json
Malicious file content:
"hacked by trenggalek6etar"
Imunify360 detection:
SMW-BLKH-SA-CLOUDAV-txt.deface-22802-3
Examples:
- agro-center.gr: POST at 20:05:41, cox.json created at 20:05:41
- alexinsure.gr: POST at 20:06:23, cox.json created at 20:06:23
- artion-ee.gr: POST at 20:08:43, cox.json created at 20:08:43
We temporarily blocked public access to the Helix3 com_ajax endpoint at Apache level and removed the malicious files.
We noticed Helix3 3.1.1 was released as a security update. Can you please confirm if this incident matches the recent Helix3 vulnerability and advise the safest upgrade path from 2.5.8 / 3.0.3 / 1.0 to the latest fixed version?