Hackers are using stolen credentials to infect WordPress sites with bogus plugins that deliver malware and infostealers to end users via fake browser update prompts.
The malicious campaign, based on a new variant of the ClickFix fake browser update malware, has infected more than 6,000 sites with fake WordPress plugins since June 2024. Overall, ClickFix has now compromised more than 25,000 sites since August 2023, according to the GoDaddy security team.
No known vulnerabilities are being exploited to deliver the bogus plugins; the hackers simply seem to be using stolen credentials.
“Log analysis reveals that the installation of counterfeit WordPress plugins did not directly exploit any known vulnerabilities within the WordPress ecosystem,” the GoDaddy advisory said. “Instead, attackers possessed legitimate WordPress admin credentials for each compromised site.”
The plugins are “designed to appear harmless to website administrators,” but site visitors could be shown fake browser updates and other malicious prompts.
The plugins inject malicious JavaScript that contains “a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads,” known as EtherHiding. When executed in the browser, the JavaScript delivers fake browser update notifications that guide users to install malware on their machines, typically remote access trojans (RATs) or info stealers like Vidar Stealer and Lumma Stealer.
The fake plugins use generic names such as “Advanced User Manager” or “Quick Cache Cleaner,” and their directories contain only 3 small files: index.php, .DS_Store, and a -script.js file with a variation typically based on the name of the plugin.
Those naming schemes led to the discovery of other malicious plugins:
| Plugin name | Injected script |
| Admin Bar Customizer | admin-bar-customizer/abc-script.js |
| Advanced User Manager | advanced-user-manager/aum-script.js |
| Advanced Widget Manage | advanced-widget-manage/awm-script.js |
| Content Blocker | content-blocker/cb-script.js |
| Custom CSS Injector | custom-css-injector/cci-script.js |
| Custom Footer Generator | custom-footer-generator/cfg-script.js |
| Custom Login Styler | custom-login-styler/cls-script.js |
| Dynamic Sidebar Manager | dynamic-sidebar-manager/dsm-script.js |
| Easy Themes Manager | easy-themes-manager/script.js |
| Form Builder Pro | form-builder-pro/fbp-script.js |
| Quick Cache Cleaner | quick-cache-cleaner/qcc-script.js |
| Responsive Menu Builder | responsive-menu-builder/rmb-script.js |
| SEO Optimizer Pro | seo-optimizer-pro/sop-script.js |
| Simple Post Enhancer | simple-post-enhancer/spe-script.js |
| Social Media Integrator | social-media-integrator/smi-script.js |
“The underlying plugin code remains deliberately simplistic to avoid raising red flags,” the advisory said. A hook for the wp_enqueue_scripts action is manipulated to load a harmful script from the plugin directory into WordPress pages.
.DS_Store is short for Desktop Services Store, hidden files that the macOS Finder application creates to store folder preferences. The fake plugin .DS_Store files don’t contain any information but can be used as an indicator of compromise (IoC):
The script filenames contain identical content and can be identified by their hash:
The GoDaddy advisory notes that the presence of valid WordPress admin credentials suggests that the hackers used methods to obtain the credentials, such as brute-force attacks, phishing campaigns, or perhaps even malware or infostealer infections on the website admins’ computers.
The advisory didn’t say, but presumably multi-factor authentication would offer some protection against the stolen credentials being misused, along with other access controls such as device ID, health and location.
Hijacked Axios maintainer npm Account pushed malicious versions with a RAT, affecting macOS, Windows, and Linux systems across the JavaScript…
At this stage, there is no confirmation on whether data was stolen, but the possibility of exposure remains.
A violent extremist network member admitted guilt in child exploitation and cyberstalking, revealing risks posed by groups like 764 online.
What stands out in the Intesa Sanpaolo data breach is not just the unauthorized access, but how long it went…
The Cyber Security Council reports UAE sees 500,000–700,000 daily AI-fueled cyberattacks targeting strategic sectors and critical infrastructure.
Dr. Priyanka Sunder on GRC, cloud security, and what it takes to make cybersecurity a true business priority
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More