EXECUTIVE SUMMARY:
A new malicious campaign has been observed that targets WordPress administrators through deceptive plugin activity, aiming to compromise both websites and their visitors. In this attack, threat actors are distributing a seemingly benign WordPress plugin that is, in fact, engineered to trigger fake browser update prompts. These forged alerts exploit user trust, prompting visitors to download and execute harmful software under the guise of legitimate browser updates, thereby expanding the attack's reach beyond the infected WordPress installations themselves.
The malicious plugin embeds JavaScript or HTML code that triggers convincing fake browser update dialogs within the WordPress admin interface. These dialogs are crafted to resemble authentic notifications from widely used browsers, prompting administrators to download or run purported updates. The injected assets can originate from attacker-controlled infrastructure and, upon interaction, may initiate downloads of secondary payloads or redirect the admin to external sites hosting malware. Attackers often gain the ability to install these plugins after obtaining valid administrative credentials, allowing the malicious code to persist within the site's plugin directory and influence pages rendered in the admin dashboard. This abuse of plugin installation and script injection techniques enables a seamless social engineering vector that evades casual inspection and exploits admin trust in routine update prompts.
This campaign highlights the continued risks inherent in plugin-based ecosystems where seemingly innocuous extensions can mask harmful functionality. WordPress site owners should exercise increased caution when installing third-party plugins, especially those not sourced from trusted repositories, and routinely audit installed components for unexpected behavior. Regular scanning, strict access controls, and vigilant monitoring of both backend systems and frontend responses can help mitigate the risk of similar social-engineering and malware delivery schemes.
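The summary above recommends routinely auditing installed plugins. The following is an added example, not code from the original report or from any named vendor, of a small static audit that walks a WordPress plugins directory and flags the combination described in this campaign: PHP that hooks admin-rendered pages (such as admin_footer or admin_notices) while referencing an asset host that is neither the site itself nor an allowed host, plus text typical of browser-update lures and common obfuscation primitives. The hook list, lure phrases, allowed hosts and the two sample plugin sources are constructed for illustration and should be tuned per site.

```python
import os
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# WordPress hooks that let plugin code render into admin-facing pages.
# Constructed shortlist for this audit; WordPress exposes many more hooks.
ADMIN_RENDER_HOOKS = (
    "admin_footer", "admin_head", "admin_notices",
    "admin_enqueue_scripts", "admin_print_scripts", "admin_print_footer_scripts",
)

# Phrases typical of fake browser-update lures (constructed list, extend as needed).
LURE_PHRASES = (
    "update your browser", "browser is out of date",
    "browser update required", "update required",
)

# Hosts a plugin is normally allowed to load assets from (assumption: set per site).
ALLOWED_HOSTS = {"wordpress.org", "s.w.org"}

HOOK_RE = re.compile(r"add_action\(\s*['\"](\w+)['\"]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EVAL_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


@dataclass
class Finding:
    path: str
    rule: str
    detail: str


def audit_plugin_source(path, source, site_host, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of Finding objects for one PHP source file."""
    findings = []
    lowered = source.lower()

    # Rule 1: admin-page hook combined with an asset URL on an unexpected host.
    hooks = {h.lower() for h in HOOK_RE.findall(source)}
    admin_hooks = hooks & set(ADMIN_RENDER_HOOKS)
    external = []
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname or ""
        if host and host != site_host and host not in allowed_hosts:
            external.append(url)
    if admin_hooks and external:
        findings.append(Finding(path, "admin-hook-external-asset",
                                f"hooks {sorted(admin_hooks)} reference {external}"))

    # Rule 2: browser-update lure text embedded in the plugin.
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(Finding(path, "update-lure-text", phrase))

    # Rule 3: obfuscation primitives (eval/base64_decode/...) in plugin code.
    for m in EVAL_RE.finditer(source):
        findings.append(Finding(path, "obfuscation-primitive", m.group(1)))
    return findings


def scan_plugin_dir(plugins_dir, site_host):
    """Walk wp-content/plugins and audit every PHP file found."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_plugin_source(path, fh.read(), site_host))
    return findings


# Constructed sample sources: one ordinary plugin, one matching the campaign pattern.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Site Helper
   Plugin URI: https://example.com/site-helper */
add_action('admin_menu', 'site_helper_menu');
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('site-helper', plugins_url('assets/helper.js', __FILE__));
});
"""

SUSPICIOUS_PLUGIN = """<?php
/* Plugin Name: Site Helper Pro */
add_action('admin_footer', function () {
    echo '<script src="https://cdn.example-placeholder.invalid/u.js"></script>';
    echo '<div class="notice">Your browser is out of date. Update required.</div>';
});
eval(base64_decode('PLACEHOLDER'));
"""

if __name__ == "__main__":
    for f in audit_plugin_source("site-helper-pro.php", SUSPICIOUS_PLUGIN, "example.com"):
        print(f"{f.path}: {f.rule}: {f.detail}")
```

Run scan_plugin_dir against a site's wp-content/plugins directory with the site's own hostname; anything reported under admin-hook-external-asset deserves a manual look at the referenced host, and obfuscation-primitive hits in a plugin that has no legitimate reason to decode code at runtime are worth treating as suspect even without lure text.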
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details: