So far, researchers have seen 60,000 attempts to harvest sensitive information from victims. When patched last week, the bug affected at least 1 million websites. WordPress says that Duplicator has been downloaded more than 15 million times and is in active use for over one million sites. Nearly all of the attacks came from the same IP address: 77.7171115.52.52, owned by Varna Data Center EOOD. The attacks are issued via GET requests using the query strings action=duplicator_download and file=/../wp-config.php.
Source: https://threatpost.com/active-attacks-duplicator-wordpress-plugin/153138/