So how was this attack gonna generate "revenue" for the attacker? What kind of info did they get hold of?
They're adding backlinks to other sites. They're either making revenue from those sites, or (more likely) selling backlinks to unsavory products.
I had Gemini help me pull apart some encrypted malware packages I removed from a WordPress site recently and identify who it was linked to, and what it was doing.
It was quite instructive on how all the various pieces of code protected each other for persistence, including removing competing malware. From analysing the code it alerted me to the hidden backup in the database that is triggered by the WordPress cron, and would reinfect the site should any of the PHP code be removed.
There is apparently a dark web marketplace for access to persistently compromised websites. Generally they end up getting used to email or display a phishing attack. In the case I fixed they had sold access to someone to inject a fake Cloudflare security popup with instructions to run some code in Windows PowerShell.
Often they generate thousands of non-existent pages which get indexed by search engines and just redirect people to AliExpress pages or other affiliate link sites.
I will never be this man again
They inject backlinks, SEO spam to advertise payday loans, online pharmacies, casinos and so on. Just imagine you can get 30k links to your website at once. Google will rank that page very high.
One pharmacy shop that sells generics or an unlicensed casino can make tens of thousands of dollars per day. So even one week is enough to make a lot of money.
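
A cron-triggered reinfection stored in the database, as described earlier in this thread, can be hunted by auditing the hooks WordPress has scheduled. This is an added example, not code from any commenter: it decodes the PHP-serialized `cron` option from `wp_options` and lists hooks outside an allowlist. The hook name `example_unknown_sync`, the event key and the sample data are constructed.

```python
# Added example. Input: raw option_value of the `cron` row in wp_options.
CORE_HOOKS = {  # subset of core's hooks; extend with installed plugins' hooks
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "wp_scheduled_auto_draft_delete",
    "delete_expired_transients", "wp_privacy_delete_old_export_files",
    "recovery_mode_clean_expired_keys", "wp_site_health_scheduled_check",
}

def php_decode(b, i=0):
    """Decode one PHP-serialized value at offset i; return (value, next_offset)."""
    t = b[i:i + 1]
    if t == b"N":
        return None, i + 2
    if t in (b"i", b"b"):
        end = b.index(b";", i)
        return int(b[i + 2:end]), end + 1
    if t in (b"s", b"a"):
        colon = b.index(b":", i + 2)
        n, i = int(b[i + 2:colon]), colon + 2
        if t == b"s":  # n is a byte length, so slice bytes before decoding
            return b[i:i + n].decode("utf-8", "replace"), i + n + 2
        out = {}
        for _ in range(n):
            k, i = php_decode(b, i)
            out[k], i = php_decode(b, i)
        return out, i + 1  # step over the closing brace
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def unknown_cron_hooks(option_value, allow=CORE_HOOKS):
    """Return (hook, timestamp, schedule) for each event whose hook is not allowed."""
    cron, _ = php_decode(option_value)
    hits = []
    for ts, hooks in cron.items():
        if not isinstance(hooks, dict):  # the 'version' => 2 entry
            continue
        for hook, events in hooks.items():
            if hook not in allow:
                hits += [(hook, ts, ev.get("schedule")) for ev in events.values()]
    return sorted(hits, key=lambda h: h[:2])

# Constructed sample (not from a real site): one core event, one unknown hook.
def php_str(x):
    return b's:%d:"%s";' % (len(x), x)
def cron_event(ts, hook, schedule):
    body = b"a:2:{" + php_str(b"schedule") + php_str(schedule) + php_str(b"args") + b"a:0:{}}"
    return b"i:%d;a:1:{%sa:1:{%s%s}}" % (ts, php_str(hook), php_str(b"constructed-key"), body)
SAMPLE = (b"a:3:{" + cron_event(1700000000, b"wp_version_check", b"twicedaily")
          + cron_event(1700000600, b"example_unknown_sync", b"hourly")
          + php_str(b"version") + b"i:2;}")
```

A hook outside the allowlist is a lead for review, not a verdict, since plugins and themes register their own hooks legitimately.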