A threat actor that has infected more than 20,000 WordPress sites by running the same trick for at least three years: distributing trojanized versions of premium WordPress themes and plugins. The operation counts tens of unofficial marketplaces, likely managed by the same actor, specifically set up to provide nulled (pirated) WordPress components. Small and medium-sized businesses account for a fifth of the victims. The attacker makes money from showing ads on compromised websites and serving exploit kits to website visitors.
Source: https://www.bleepingcomputer.com/news/security/over-20-000-wordpress-sites-run-trojanized-premium-themes/