We recently investigated a case involving a WordPress website where a customer reported persistent fake pop-up notifications appearing on their site. The warnings were urging them to update their browser (Chrome or Firefox), even though their software was already fully up-to-date.
What made this case particularly unique was the targeting. The fake alerts were not visible to regular visitors on the public-facing site. They only appeared when the site owner was logged into the wp-admin dashboard.
What We Observed
During our investigation, we found a malicious plugin named Modern Recent Posts, pretending to be a harmless widget plugin. In reality, it downloaded and executed remote JavaScript from an external domain.
We have seen waves of similar social engineering attacks in the past, like fake Java updates, fake Cloudflare CAPTCHAs, and Windows system alerts. However, this new campaign targeting wp-admin users is utilizing a malicious plugin to hide in plain sight.
The malicious domain backing this campaign, persistancejs[.]store, is currently detected on 28 websites, suggesting this is an active and emerging threat.
Compromise Indicators
The infection leaves behind several clear signs.
- A plugin named “Modern Recent Posts” was installed without the owner’s knowledge.
- Malicious script injection inside admin pages.
- The most important IoC is the domain used to fetch malicious JavaScript: hxxps://persistancejs[.]store/jsplug/plugin[.]php
Analysis of the Malware
Below is a technical breakdown of the malicious behavior inside the fake plugin.
1. Targeted Delivery System
The malware is designed to be stealthy. It does not want to waste its payload on bots, crawlers, or non-Windows users (who cannot run the .exe file it drops).
It uses a dedicated function, is_windows_ua, to check the visitor's User-Agent string. It explicitly looks for the substrings "Windows", "Win32" or "Win64".

The injection logic then combines this check with WordPress permissions. It ensures the payload only fires if:
- The user is an administrator (current_user_can('manage_options')).
- The user is currently on the dashboard (is_admin()).
- The user is on a Windows machine.
If these conditions are met, it executes a Base64 encoded JavaScript payload.

2. Remote Payload Download from external domain
This is the most important malicious function in the plugin. The plugin sends the following information to the attacker:
- Site hostname
- Admin username
It then downloads a base64-encoded JavaScript payload from the attacker’s server. The plugin injects this script into the admin dashboard. Whatever the attacker provides will run inside the browser with admin privileges.
This is exactly how the fake browser update pop-ups are displayed.
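As an added example (not code from the write-up, the plugin, or the researchers), the following Python scanner looks for the traits described in sections 1 and 2 inside a plugin tree: the indicator domains, the Windows User-Agent gate, the admin-plus-dashboard gate, the base64 payload decode, the username collection, and the ?upd trigger. The trait names, the thresholds and the sample plugin text are constructed for the example.

```python
import re
from pathlib import Path
# Indicators named in the write-up. The text defangs them with [.]; the plain
# spellings are added so the scanner matches what actually sits in a PHP file.
IOC_DOMAINS = ["persistancejs[.]store", "persistancejs.store",
               "secure-java-update[.]com", "secure-java-update.com"]
# One regex per behaviour described above. The names are ours, not the malware's.
TRAITS = {
    "ioc_domain": re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.I),
    # User-Agent read followed within 200 chars by a Windows/Win32/Win64 test
    "windows_ua_gate": re.compile(r"HTTP_USER_AGENT.{0,200}?(Windows|Win32|Win64)", re.S),
    # payload gated on an administrator who is inside the dashboard
    "admin_only_gate": re.compile(r'current_user_can\(\s*[\'"]manage_options[\'"]\s*\).{0,120}?is_admin\(\)', re.S),
    "base64_payload": re.compile(r"base64_decode\("),
    # the ?upd=1 self-reinstall trigger
    "self_update_trigger": re.compile(r'\$_(GET|REQUEST)\[\s*[\'"]upd[\'"]\s*\]'),
    # admin username collected for the phone-home request
    "leaks_admin_username": re.compile(r"wp_get_current_user\(\)->user_login"),
}

def scan_source(src: str) -> list:
    """Return the trait names present in one PHP source string, in TRAITS order."""
    return [name for name, rx in TRAITS.items() if rx.search(src)]

def is_suspicious(traits: list) -> bool:
    """A known C2 domain is conclusive; otherwise require three traits, because
    base64_decode on its own is common in legitimate plugins."""
    return "ioc_domain" in traits or len(traits) >= 3

def scan_plugins(root: Path) -> dict:
    """Map every suspicious .php file under root (e.g. wp-content/plugins) to its traits."""
    report = {}
    for php in sorted(root.rglob("*.php")):
        traits = scan_source(php.read_text(errors="ignore"))
        if is_suspicious(traits):
            report[str(php.relative_to(root))] = traits
    return report

# Constructed fixture carrying the traits from the write-up; not the real plugin's code.
SAMPLE_PLUGIN = r"""<?php
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
$is_win = (bool) preg_match('/Windows|Win32|Win64/', $ua);
if (current_user_can('manage_options') && is_admin() && $is_win) {
    $who = wp_get_current_user()->user_login;
    $src = 'https://persistancejs.store/jsplug/plugin.php';
    echo '<script>' . base64_decode($payload) . '</script>';
}
if (isset($_GET['upd'])) { /* remove own directory and re-fetch */ }
"""
# Constructed benign widget plugin for contrast.
BENIGN_PLUGIN = "<?php\nadd_action('widgets_init', function () { register_widget('WP_Widget_Recent_Posts'); });\n"
```

Run scan_plugins(Path("wp-content/plugins")) on a site to get a per-file report; a single base64_decode hit is not flagged on its own.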

3. The Fake Java Update Payload
The script also generates a fake Java update pop-up. It is designed to appear authentic and urgent.
Once decoded by the browser, the script injects a high-priority overlay that blocks the screen. It uses classic social engineering language, warning of a “Critical Java Update Required” and claiming the environment is “severely outdated” to prevent “security breaches.” If the administrator clicks the “UPDATE NOW” button, the script triggers a forced download from a remote malicious domain, secure-java-update[.]com.

4. Persistence and Auto-Update Mechanism
The malware includes a crucial back-end function, which handles remote updates and self-destruction.
It listens for a special URL parameter ?upd=1. If an attacker triggers this URL, the plugin deletes its own local files and directory recursively, then immediately downloads a fresh copy from the Command & Control (C2) server persistancejs[.]store.
This functionality allows the attackers to update their malware version, switch the type of fake alert (e.g., from Java to Chrome), or effectively wipe their tracks and reinstall the backdoor after detection.
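The ?upd=1 trigger leaves a trace in the web server's access log. As an added example (not from the write-up), the Python below parses combined-format log lines, flags every request whose query string carries upd=1 and counts hits per client IP. Because the text does not say which URL the plugin listens on, every request path is checked; the log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line: str):
    """Split one combined-format line into fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_update_trigger(url: str) -> bool:
    """True when the query string carries upd=1 (upd=10 or upd=1x do not count)."""
    qs = parse_qs(urlsplit(url).query)
    return "1" in qs.get("upd", [])

def find_triggers(lines) -> list:
    """(ip, timestamp, url, status) for each request that fired the trigger."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_update_trigger(rec["url"]):
            hits.append((rec["ip"], rec["ts"], rec["url"], rec["status"]))
    return hits

def triggers_by_ip(lines) -> dict:
    """Hit count per client; repeat callers are the addresses to block and report."""
    return dict(Counter(hit[0] for hit in find_triggers(lines)))

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:08:15:02 +0000] "GET /?upd=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Jan/2025:08:15:09 +0000] "GET /wp-admin/edit.php?post_type=page HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [10/Jan/2025:08:16:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&upd=1 HTTP/1.1" 200 31 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Jan/2025:08:17:00 +0000] "GET /?upd=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_triggers(SAMPLE_LOG):
        print("self-reinstall trigger:", *hit)
    print(triggers_by_ip(SAMPLE_LOG))
```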

Effects on the compromised site
The impact of this malware is two-fold. First, it compromises the WordPress environment by installing a backdoor that ensures the attacker maintains access to the website even if passwords are changed.
Second, and more dangerously, it targets the administrator’s physical device. By tricking the admin into clicking the “Java Update” or “browser update” button, the attacker aims to infect the local computer with a Remote Access Trojan (RAT), ransomware, or information stealer. This could lead to a total compromise of the administrator’s personal data and any other websites they manage.
Remediation and Prevention Tips
- Remove malicious files: Delete any plugin directory that you or your developer do not recognize.
- Audit users: Remove the help account and any other suspicious administrators.
- Reset credentials: Change all WordPress, FTP, hosting, and database passwords.
- Scan Your Computer: If you or any other administrator clicked the “UPDATE NOW” button, assume the local computer is compromised. Run a full antivirus and malware scan on the device.
- Update everything: WordPress core, plugins, and themes should be patched to the latest versions.
- Monitor outgoing traffic: Look for connections to unknown or suspicious domains. This requires looking at server logs.
- Use a WAF: A Web Application Firewall can help block communication with known C2 servers and prevent the initial upload of malicious plugins.
Final Thoughts
This campaign demonstrates a highly focused attack on high-value targets, the WordPress administrators. By deploying a fake browser update pop-up specifically within the wp-admin area, attackers leverage the trust and urgency associated with security updates to achieve a devastating compromise of the user’s local machine.
Always verify the source of any critical update. Real software updates will come from the operating system or the official application itself, never from an unsolicited HTML overlay on a website.