Hacked by AntonKill - Helix3 defacement on a hacked Joomla siteHacked by AntonKill - this message has been appearing since early July 2026 on a wave of hacked Joomla sites, often alternating with Hacked by trenggalek6etar. This is not a targeted attack, but an automated botnet exploiting a newly discovered vulnerability in JoomShaper's Helix3 framework. The actual site usually remains unharmed - the attacker only places a full-screen defacement over it. Here you'll learn how to recognize it and how to remove it completely.

As of: 6 July 2026

The "Hacked by AntonKill" and "Hacked by trenggalek6etar" defacements are caused by several critical vulnerabilities in JoomShaper's Helix3 AJAX plugin. Through this, an attacker can write malicious code into the template options without logging in. In short: remove injected code from the template, update Helix3 (security fix from 3.1.1, currently 3.1.2) - both plugins - and check the site for further traces. Joomla 3, 4, 5 and 6 are affected.

Contents

What "Hacked by AntonKill" really is

Since 5 July 2026, a broad wave of attacks has been targeting Joomla sites. When affected users open their site, they only see a dark full-screen page with a skull and the text Hacked by AntonKill or Hacked by trenggalek6etar, depending on the variant. This is a pure defacement, i.e. digital vandalism: the attacker wants to cause visible damage, not steal data. Your content is usually still there; it is just covered up.

The attack runs fully automatically. A botnet scans the internet for Joomla sites with a vulnerable Helix3 framework and injects a piece of JavaScript when it finds one, without any login credentials. On the next page visit, this code renders the defacement in the visitor's browser. The malicious code does not end up in a file, but directly in the database, in the template options (field Custom JavaScript, sometimes also Custom CSS and Before </head>).

The cause: the Helix3 vulnerability

The Helix3 framework from JoomShaper is responsible, more specifically the associated AJAX plugin (plg_ajax_helix3). Several actions of this plugin can be called via Joomla's standard com_ajax interface without logging in. The vulnerabilities were reported by security researcher Phil Taylor (mySites.guru); a CVE number has been requested. In concrete terms, they allow, among other things:

  • unauthenticated writing of files into the template (action save, and via path traversal also outside it),
  • the deletion of arbitrary files (remove and remove_image), for example the protective .htaccess,
  • the overwriting of the template settings (import) - this is exactly what the current defacement wave is exploiting,
  • after login, privilege escalation up to code execution, because the image upload also accepted .php files.

Important: Helix3 is not Helix Ultimate. Only the older Helix3 is affected (system plus AJAX plugin). And it does not only affect old Joomla versions: according to the manufacturer, the plugin runs on Joomla 4, 5 and 6, and hacked Joomla 3.10 sites are also in circulation.

Am I affected?

Check the backend under System - Manage - Plugins for Helix3. If a version below 3.1.1 is shown, the installation is vulnerable. You can see whether malicious code has already been injected under Extensions - Templates - Styles - (your Helix3 style) - Custom Code: If there is foreign JavaScript there such as document.body.innerHTML = ... or a document.title with "hacked by", the site is compromised.

Complete solution: how to get rid of it

Follow the sequence: clean and secure first, then check. Create a backup of files and database before every step.

  1. Remove injected code. Under Templates - Styles - Custom Code, remove any foreign code from the Custom JavaScript, Custom CSS, and Before </head> fields and save. The cleaner approach is to restore the template options from a backup made before the attack; more on that below.
  2. Update Helix3. Check for updates under System - Update - Extensions and bring Helix3 up to the current version (security fix from 3.1.1, current 3.1.2). Update both plugins: System - Helix3 Framework and Helix3 - Ajax. If no update appears, download the package from your JoomShaper account and install it via Extensions - Install. Version 3.1.2 is also compatible with Joomla 3. A detailed step-by-step guide focused only on this vulnerability can be found at htprotect.org/helix3.
  3. Change passwords. All admin logins, the database, and FTP/SSH. Then check whether unauthorized super users were created under Users or existing accounts were renamed.
  4. Check the site for further traces. Because the vulnerability also allowed write and delete access, more than just the JavaScript may have been changed: unexpected files in the template folder, deleted .htaccess, other modified template styles. A malware scan of files and database will provide clarity.

Remove malicious code from the database

Helix3 stores all template options as JSON in the params column of the #__template_styles table, one row per style. That is exactly where the injected code sits. The cleanest approach is to restore only this single params value from a backup made before the attack, not the entire table. You can identify the active frontend style by client_id = 0 and home = 1. Back up the current value before overwriting it so the step remains reversible. If you are not comfortable with direct database changes, it is better to have the site professionally cleaned instead of swapping good JSON for bad JSON.

So it does not happen again

The real mistake was not the attack itself, but the time window: between the public patch on 29 June and the update being installed, there was enough time for botnets to strike. The most important protection is therefore straightforward: update security-relevant extensions promptly, not only at the next maintenance window. By the way, the public changelog referred to the vulnerability only as "Security Update", without a severity rating, so do not rely on changelogs alone.

HTProtect Server Shield - free Joomla component for securing .htaccess

Catch such vulnerabilities earlier: HTProtect Server Shield

The free HTProtect Server Shield, my Joomla security component (2.5 to 6), helps precisely against cases like the Helix3 wave. It warns you by email as soon as an installed extension becomes known as vulnerable, and in the background makes exploitation harder until the update is applied - exactly the window that botnets otherwise use.

It also creates a hardened .htaccess in just a few clicks (PHP protection in all critical directories, locked sensitive files, security headers, a small firewall against typical attack patterns) and includes a malware scanner for files and the database. Your own rules remain intact.

→ View and download HTProtect Server Shield for free

Never miss another security update!

Additional offers

Customers about us

„The conversion of our Joomla website from PHP 5.3 to PHP 7 was super fast, affordable, and with impeccable results. Very good and friendly communication.“
– H. Bergmann

„Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars“
– Fernando V.

„I was unable to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were carried out, everything was extremely affordable, fast, and good!“
– Klaus-Peter

„The site looks great – everything as before – and on PHP 7.2 – I am impressed - many heartfelt thanks!“
– Dr. Ingo Wuddel

„Since we run an online shop, it was very important to us that our site was quickly available again with full functionality for our customers. All work is carried out extremely quickly to our complete satisfaction.“ – Loewen Handels GmbH

„Very fast, reliable, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.“
– Heino B.

„The contact was exceptionally friendly, and some cosmetic additional work was taken care of on its own - as if it were completely natural. I am relieved and very grateful.“
– R. Mayer

„Great. In an absolute emergency, after 2 domains were blocked by Strato due to a hacker attack, both domains were initially temporarily back online the same day.“
– I. Radchenko

„Excellent service. Problem solved within 18 hours. We are delighted. Thank you very much 🙏“
– Tien Sy Vuong

Website-Bereinigung.de Support Service Google Reviews

Contact options

This email address is being protected from spambots. You need JavaScript enabled to view it.
Contact form

Schedule a call
+49 (0)2406 969796
Mon. - Fri. | 9 am - 9 pm