A widespread automated exploit is actively defacing Joomla websites utilizing JoomShaper's legacy Helix3 framework. The attack leverages a critical flaw allowing unauthenticated remote parameter modification and file writing.
If your site displays a dark screen with a skull icon reading "Hacked by AntonKill", follow these steps to restore and secure your platform right away.
Step 1: Inspect Your Current Version
Log into your Joomla backend, navigate to System, click Manage, and select Plugins. Search for Helix3. If the core framework or its companion AJAX plugin is running a version lower than 3.1.2, your site is actively exposed.
Step 2: Clean Injected Scripts From the Database
Because the botnet injects code directly into your template database parameters, simply updating will not remove the defacement screen. Go to Site Template Styles, open your active Helix3 template, and click Template Options. Open the Custom Code section and completely erase any unrecognized scripts inside the Custom JavaScript, Custom CSS, and Before Head text boxes.
Step 3: Update Helix3 Plugins
Install the emergency patches issued by JoomShaper immediately. Update both the System - Helix3 Framework plugin and the Helix3 - Ajax plugin to version 3.1.2. If the update does not populate natively in your Joomla Update Manager, download the package from JoomShaper and install it manually.
Step 4: Perform a Local File Audit
The underlying vulnerability permits unauthorized directory traversal. Check your temporary directories (/tmp), media folders, and active template roots to ensure no secondary PHP backdoors or malicious JSON payloads were dropped by the automated scripts.

Comments