System - BLPayload after update to 3.3.12

[digifrac]

Updated to version 3.3.12 and the System - BLPayload exploit has still got past the security patch. I removed the last version a few days ago then updated to the new version of asteroid and it back.

[salahjaafar]

The fact that the exploit persists after upgrading to version 3.3.12 confirms that your environment is compromised beyond the plugin directory. The "astroid framework" payload returning after a clean install indicates a persistent reinjection script (backdoor) or an unpatched entry point in your server configuration.

1. Immediate Remediation Actions

1. Radical Removal: Uninstall the plugin via the backend, then manually delete the /plugins/system/blpayload/ directory via FTP/SSH. Also, clear any suspicious files in /tmp or /media.
2. Hardening the /administrator Directory: Implement HTTP Basic Authentication using .htaccess and .htpasswd. This blocks malicious script execution at the server level before it even reaches the application layer.

2. .htaccess Configuration (Inside /administrator/ folder)

Add the following block to the .htaccess file located inside your /administrator/ directory:

AuthType Basic
AuthName "Restricted Access - Administration"
AuthUserFile /home/your_user_path/.htpasswd
Require valid-user

[sonvnn]

@salahjaafar I want to clarify that the payload plugin is not included in the Astroid Framework. Installing Astroid does not mean you install the payload plugin. We do not provide any plugins named "payload" in our packages.

The presence of a payload plugin means your website has been hacked and infected with a backdoor. This originates from versions prior to Astroid 3.3.11 or even Astroid 2.

To resolve this issue, you need to handle it yourself by manually scanning your website for viruses. Astroid does not provide virus scans with updates, which may seem inconvenient, but it's truly impossible for an extension like Astroid. Malicious code files can exist on your website in many different forms and states that only professional antivirus software can detect.

If your hosting provider offers on-server virus scanning, please contact them to request assistance in cleaning your system.

Once more, I would like to reiterate that we do not provide malware and there is no plugin called Payload in the Astroid installation package. Please understand and avoid confusion here. If you find malware on your hosting, please check your entire system, delete it, change your password, and install security extensions. Thank you!

[sonvnn]

Updated to version 3.3.12 and the System - BLPayload exploit has still got past the security patch. I removed the last version a few days ago then updated to the new version of asteroid and it back.

Please help me uninstall them and go to ftp scan and remove them manually. If your hosting provide scaning virus service, please contact them for get support.

Thanks & Best regards,
Sonny

[Giorgi625]

if you do not want to restore backup from the date before getting hacked which is approximately end of the february or earlier you need to uninstall this plugin, delete all cache, check for unusual files in your file directory for more details check this topic #1421
I followed those steps I was recommended in this issue and there were not other files except plugin which I did uninstall. but for more safety I still did restore earlier backup and then updated to latest versions and changed passwords.

[digifrac]

Steps taken on first detection 3.3.11 2 4 days ago

#1421

Joomla Exploit Remediation Report BLPayload & JCachePro

Attack Vector

• Vulnerability: CVE-2026-21628 (CVSS 10.0 Critical) Authentication bypass in Astroid Framework
• Patched in: Astroid Framework v3.3.11 (5 March 2026)
• Method: Attacker uploaded a PHP dropper disguised as an SVG image via the Astroid AJAX endpoint, which
  installed two malicious system plugins

Malicious Plugins Identified

1. System - BLPayload (plugins/system/blpayload/)
2. System - JCachePro (plugins/system/jcachepro/) companion plugin

Removal Steps Carried Out

1. Plugin & File Removal

• Disabled and uninstalled System - BLPayload plugin
• Disabled and uninstalled System - JCachePro plugin
• Manually deleted plugins/system/blpayload/ directory
• Manually deleted plugins/system/jcachepro/ directory
• Searched for and removed dropper files in /images/ directory (filenames like blp_.php, blr_.php,
  astroid_poc_*.php)
• Deleted malicious cache files: plg_jcp_.html and plg_blpayload_ from /administrator/cache/
• Scanned entire filesystem for additional backdoors/webshells

2. Database Cleanup

• Removed BLPayload entry from #__extensions table
• Removed JCachePro entry from #__extensions table
• Checked #__update_sites for rogue update server entries
• Reviewed #__users for unauthorized admin accounts
• Checked for injected content in article/template tables

3. Access & Credentials

• Changed all Joomla administrator passwords
• Changed database user password and updated configuration.php
• Changed FTP/SFTP and hosting control panel passwords
• Regenerated Joomla $secret in configuration.php

4. Patching & Hardening

• Updated Astroid Framework to v3.3.11+ (critical closes the attack vector)
• Updated Joomla core to latest stable release
• Updated all remaining extensions
• Removed unused/unrecognised extensions
• Verified .htaccess and configuration.php were not tampered with
• Checked server cron jobs for unauthorized entries
• Cleared Joomla cache and /tmp/ directory

5. Post-Cleanup Verification

• Scanned site to confirm clean status
• Checked Google Search Console for security warnings
• Monitoring site logs for suspicious activity

[digifrac]

I'm asking did the security patch work or has another vulnerability been found in Asteroid you're not aware of yet as this is now 4 days after 3.3.12 and I did a pretty robust clean up on 5 sites which use the framework.

[sonvnn]

@digifrac I hereby affirm that all issues related to hijacking access and creating malicious files via AJAX requests, as mentioned in CVE-2026-21628, have been completely resolved since version 3.3.11. If you have updated to version 3.3.11 or later, you can fully trust this.

[salahjaafar]

@digifrac I hereby affirm that all issues related to hijacking access and creating malicious files via AJAX requests, as mentioned in CVE-2026-21628, have been completely resolved since version 3.3.11. If you have updated to version 3.3.11 or later, you can fully trust this.

Thanks @sonvnn for all your efforts