Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Published: 23/11/2024   Category: security


GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.



Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver infostealing payloads after using stolen credentials to log in to and infect thousands of websites.
Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.
Threat actors used stolen WordPress admin credentials to install malicious plug-ins on compromised websites, an attack chain that does not rely on any known vulnerability in the WordPress ecosystem, GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.
These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users, he wrote.
The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, ultimately compromising their systems with various types of malware and information stealers, Sinegubko explained.
ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. It initially targeted Windows systems but later spread to macOS as well.
Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy says it has been tracking the ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Analysts at Proofpoint first detailed ClickFix earlier this year.
The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as Advanced User Manager and Quick Cache Cleaner, according to the post.
All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but it appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.
Further analysis found automation in the plug-ins' naming convention: the injected JavaScript file is named with the first letter of each word in the plug-in name, followed by -script.js.
For example, the Advanced User Manager plug-in contains the file aum-script.js. The researchers used this naming convention to find other malicious plug-ins from the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.
The plug-in and author URIs also frequently reference GitHub, but analysis showed that the repositories associated with the plug-ins don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which indicates an automated process behind the creation of these malicious plug-ins, Sinegubko wrote.
Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages, Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.
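The naming pattern above is something a site operator can check for directly. The following script is an added example, not GoDaddy's code or any of the campaign's files: it parses the WordPress plug-in header of each installed plug-in, derives the initials-plus-"-script.js" filename the researchers described, and flags any plug-in that ships such a file, reporting GitHub-hosted Plugin/Author URIs as a secondary indicator. The two sample plug-ins, the author name "example-aum" and the URLs are constructed for the demonstration; the repository-existence check mentioned in the post is deliberately not performed because it needs network access.

```python
"""Hunt wp-content/plugins for plug-ins that follow the ClickFix naming pattern.

Added example (not GoDaddy's code). Encodes two observations from the post:
  1. each fake plug-in ships a JS file named from the initials of the
     plug-in name plus "-script.js" (Advanced User Manager -> aum-script.js);
  2. Plugin URI / Author URI frequently point at GitHub.
Sample plug-ins below are constructed; the GitHub repo existence check is
NOT done here (it would require network access).
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")


def parse_plugin_header(php_source: str) -> dict:
    """Parse the standard WordPress plug-in header comment block into a dict."""
    header = {}
    for name in HEADER_FIELDS:
        # e.g. " * Plugin Name: Advanced User Manager"
        m = re.search(r"^\s*\*?\s*" + re.escape(name) + r"\s*:\s*(.+?)\s*$",
                      php_source, re.M | re.I)
        if m:
            header[name] = m.group(1).strip()
    return header


def initials(plugin_name: str) -> str:
    """'Advanced User Manager' -> 'aum' (the observed script file naming pattern)."""
    return "".join(word[0] for word in plugin_name.split()).lower()


@dataclass
class Finding:
    plugin_dir: str
    plugin_name: str
    script_file: Optional[str]          # path of the <initials>-script.js file, if present
    github_uris: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The initials-based script file is the strong indicator; GitHub URIs
        # alone are common in legitimate plug-ins, so they only add context.
        return self.script_file is not None


def scan_plugin(dirname: str, files: dict[str, str]) -> Optional[Finding]:
    """`files` maps a relative filename -> content for one plug-in directory."""
    header: dict = {}
    for fname, content in files.items():
        if fname.endswith(".php"):
            header = parse_plugin_header(content)
            if "Plugin Name" in header:      # WordPress uses the first PHP file with a header
                break
    if "Plugin Name" not in header:
        return None
    name = header["Plugin Name"]
    expected = f"{initials(name)}-script.js"
    script = next((f for f in files if os.path.basename(f) == expected), None)
    github = [header[k] for k in ("Plugin URI", "Author URI")
              if "github.com" in header.get(k, "").lower()]
    return Finding(dirname, name, script, github)


def scan_all(plugins: dict[str, dict[str, str]]) -> list[Finding]:
    """Return only the plug-ins that match the naming pattern."""
    results = []
    for dirname, files in plugins.items():
        f = scan_plugin(dirname, files)
        if f is not None and f.suspicious:
            results.append(f)
    return results


def load_plugins_dir(wp_content_plugins: str) -> dict[str, dict[str, str]]:
    """Read a real wp-content/plugins tree into the shape scan_all() expects.
    Only PHP sources are read; other files are listed by name with empty content."""
    plugins: dict[str, dict[str, str]] = {}
    for entry in os.scandir(wp_content_plugins):
        if not entry.is_dir():
            continue
        files: dict[str, str] = {}
        for root, _, names in os.walk(entry.path):
            for n in names:
                path = os.path.join(root, n)
                rel = os.path.relpath(path, entry.path)
                if n.endswith(".php"):
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        files[rel] = fh.read()
                else:
                    files[rel] = ""
        plugins[entry.name] = files
    return plugins


# Constructed sample plug-ins (hypothetical; not files from the real campaign).
SAMPLE_PLUGINS = {
    "advanced-user-manager": {
        "advanced-user-manager.php": """<?php
/**
 * Plugin Name: Advanced User Manager
 * Plugin URI: https://github.com/example-aum/advanced-user-manager
 * Description: Manage users with advanced options.
 * Version: 1.2.0
 * Author: example-aum
 * Author URI: https://github.com/example-aum
 */
""",
        "js/aum-script.js": "// loader contents omitted",
    },
    "simple-contact-form": {
        "simple-contact-form.php": """<?php
/**
 * Plugin Name: Simple Contact Form
 * Plugin URI: https://example.com/simple-contact-form
 * Version: 3.0.1
 * Author: Example Dev
 */
""",
        "assets/scf.js": "",   # 'scf.js' does not match the 'scf-script.js' pattern
    },
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_PLUGINS):   # or scan_all(load_plugins_dir("/var/www/html/wp-content/plugins"))
        print(f"[!] {f.plugin_dir}: '{f.plugin_name}' ships {f.script_file}; GitHub URIs: {f.github_uris}")
```

A hit on the filename pattern is a prompt to inspect the plug-in's PHP for the injected script tag and to compare the plug-in against GoDaddy's published IoC list; a GitHub URI by itself is not a verdict, since many legitimate plug-ins are hosted there.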
GoDaddy isn't sure how attackers acquired the WordPress admin credentials used to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at harvesting legitimate usernames and passwords.
Moreover, as the campaign's own payloads install various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials this way, Sinegubko observed.
When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs, he noted.
Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.
Because the campaign relies on stolen legitimate credentials to log in to WordPress sites, site owners are urged to follow general best practices for protecting their passwords and to avoid interacting with unknown websites or messages that ask them to divulge credentials. Since the attack chain needs only a valid admin login, operators should also review the installed plug-in list for unfamiliar entries and audit admin accounts for logins they don't recognize.
GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.
