Malware

ClickFix Malware Infect Website Visitors Via Hacked WordPress Websites

Researchers have identified a new variant of the ClickFix fake browser update malware distributed through malicious WordPress plugins.

These plugins, disguised as legitimate tools, inject malicious JavaScript code into compromised websites, tricking users into installing malware. 

The malware uses blockchain technology to obtain malicious payloads, exploiting social engineering tactics to deceive victims. 

Over 6,000 websites worldwide have been affected by this recent variant, which spreads malware through fake plugins like “Advanced User Manager” and “Quick Cache Cleaner.”

The malicious actors behind these plugins leverage automation to create many seemingly legitimate plugins with fake metadata. These plugins inject malicious scripts into WordPress pages by exploiting the wp_enqueue_scripts functionality.  

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Plugin code Plugin code 
Plugin code

The actors also add a redundant wp_head hook that seems to disable other wp_head actions, but this serves no practical purpose.

Interestingly, the .DS_Store files found within the fake plugin directories are identical and can potentially be used as Indicators of Compromise (IoCs) for detection purposes.

Attackers injected malicious scripts with identical hashes into various plugins, as these scripts loaded an Ethereum library and interacted with a smart contract on Binance Smart Chain. 

Example of ClickFix fake Chrome browser update pop-up dialog.

Browser Update pop-ups to visitors based on browser information. 

Some compromised sites now have seemingly benign, empty scripts with recent modification dates, suggesting a partial cleanup attempt by the attackers.  

Attackers launched a ClickFix campaign in June 2024, injecting malicious JavaScript into over 6,000 WordPress sites, which was achieved by either compromising existing plugins or deploying fake plugins disguised as popular ones. 

repository was created on August 23, 2024

These fake plugins, often with “Classic” added to their names, contained a single file injecting the script using the high-priority “wp_head” hook.

The attackers also started using disposable Github and BitBucket repositories to host their payloads, making detection and takedown more challenging.  

The attack involved a series of automated actions executed by a threat actor using stolen WordPress admin credentials.

The actor logged into a vulnerable website and immediately uploaded a malicious plugin, which was activated and then used to distribute fake browser updates.  

executable JavaScript code

The attack was highly efficient, with each session lasting only a few minutes. The attackers likely acquired WordPress admin credentials through brute force attacks, phishing campaigns, or by exploiting malware on the website owners’ computers.

They then used these credentials to install malicious plugins on the websites. 

According to GoDaddy, using legitimate credentials for malicious purposes mirrors past attacks where FTP credentials were stolen and used to compromise websites.

The fake plugins may have been installed from a botnet of infected computers, acting as proxies to hide the attackers’ true origin.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals

In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field Communication…

2 hours ago

Threat Actors Leverage TAG-124 Infrastructure to Deliver Malicious Payloads

In a concerning trend for cybersecurity, multiple threat actors, including ransomware groups and state-sponsored entities,…

2 hours ago

Ransomware Actors Ramp Up Attacks Organizations with Emerging Extortion Trends

Unit 42’s 2025 Global Incident Response Report, ransomware actors are intensifying their cyberattacks, with 86%…

2 hours ago

New SMS Phishing Attack Weaponizes Google AMP Links to Evade Detection

Group-IB’s High-Tech Crime Trends Report 2025 reveals a sharp 22% surge in phishing websites, with…

3 hours ago

Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations

Cybersecurity firm Volexity has tracked a series of highly targeted attacks by suspected Russian threat…

3 hours ago

Hackers Weaponize Google Forms to Bypass Email Security and Steal Login Credentials

Threat actors are increasingly leveraging Google Forms, the tech giant’s widely-used form and quiz-building tool,…

4 hours ago