Hackers Exploit WordPress to Spread Malware on Windows & Mac

Cybercriminals hijack outdated WordPress sites to push malware, targeting Windows and Mac users with password-stealing threats. Stay protected with these security tips.
Hackers Hijacking WordPress Sites to Spread Windows and Mac Malware
Cybercriminals are actively exploiting outdated WordPress versions and vulnerable plug-ins to hijack thousands of websites, using them as a delivery mechanism for malware targeting both Windows and macOS users. Security researchers warn that this large-scale attack is still ongoing, posing a significant threat to unsuspecting visitors.
Massive WordPress Exploitation Campaign
According to cybersecurity firm c/side, the attack campaign is designed to spread malware that steals passwords, financial credentials, and other sensitive personal data. Many of the compromised websites rank among the most popular sites on the internet, significantly increasing the risk of infection for visitors.
“This is a widespread and highly commercialized attack,” said Himanshu Anand, a researcher at c/side. He described it as a “spray and pay” method, meaning that instead of targeting specific individuals or organizations, hackers indiscriminately aim to infect as many users as possible.
How the Attack Works
When a user visits an infected WordPress site, the page loads normally but then quickly redirects to a fake Google Chrome update page. The deceptive page prompts visitors to download and install what appears to be a browser update. However, this file is actually a piece of malware tailored to the user’s operating system.
- Windows Users: The malware delivered is identified as SocGholish, a well-known Windows trojan used to steal credentials and inject additional malicious payloads.
- Mac Users: The malware pushed to macOS devices is called Amos (Atomic Stealer), an infostealer that can extract login credentials, crypto wallets, and other sensitive data.
Security researchers caution that while this method relies on social engineering rather than advanced exploits, it remains effective due to the realistic nature of the fake update prompt. Once the malware is executed, it can steal passwords, cookies, and financial data, giving attackers full access to the victim’s online accounts.
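The redirect chain described above leaves traces in the page markup: an injected external script and inline code that sends the visitor elsewhere. The following added example (not from the report or from c/side) shows how a site owner could triage a page's HTML for both signals; the sample page, the allowlist of known script hosts and the `.invalid` domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a WordPress page carrying an injected loader script and
# a JavaScript redirect. The .invalid hosts are placeholders, not indicators.
SAMPLE_HTML = """<html><head>
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="https://cdn-update-check.invalid/loader.js"></script>
<script>setTimeout(function(){window.location.href="https://chrome-update.invalid/"},300);</script>
</head><body><p>Welcome</p></body></html>"""

# Hosts the site legitimately loads scripts from (assumption for this sample).
ALLOWED_HOSTS = {"example.com", "ajax.googleapis.com"}

# Inline-script patterns that hand the visitor off to another origin.
REDIRECT_PATTERNS = [
    re.compile(r"window\.location(?:\.href)?\s*=\s*['\"]https?://([^/'\"]+)"),
    re.compile(r"location\.replace\(\s*['\"]https?://([^/'\"]+)"),
]

class ScriptCollector(HTMLParser):
    """Collects external script hosts and inline script bodies from HTML."""
    def __init__(self):
        super().__init__()
        self.external = []      # hosts referenced by <script src=...>
        self.inline = []        # bodies of inline <script> elements
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            m = re.match(r"https?://([^/]+)", src)
            if m:
                self.external.append(m.group(1).lower())
        else:
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_indicators(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (unexpected script hosts, redirect target hosts) for review."""
    p = ScriptCollector()
    p.feed(html)
    unexpected = sorted({h for h in p.external if h not in allowed_hosts})
    redirects = [host for body in p.inline for pat in REDIRECT_PATTERNS for host in pat.findall(body)]
    return unexpected, sorted(set(redirects))

if __name__ == "__main__":
    print(find_indicators(SAMPLE_HTML))
```

Run it against the HTML of each page fetched from the site (ideally from the server, since injected code is sometimes served only to browsers); any host outside the allowlist or any off-site redirect target is a lead to investigate, not proof of compromise by itself.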
Security Firms Sound the Alarm
Simon Wijckmans, CEO of c/side, confirmed that they have alerted Automattic, the parent company of WordPress, providing them with a list of malicious domains used in the campaign. Automattic acknowledged the report, but no official statement has been made as of yet.
c/side’s research revealed over 10,000 compromised websites, with malicious scripts embedded across multiple domains. Their findings were based on advanced web crawling and reverse DNS lookups, which helped them identify patterns in the distribution of the attack.
macOS Malware
While Windows has long been a target of malware campaigns, macOS threats are rapidly increasing. The Amos (Atomic Stealer) malware has been circulating in underground hacker forums and is available as malware-as-a-service, where cybercriminals can rent or purchase the software to deploy in attacks.
Patrick Wardle, a macOS security expert and co-founder of cybersecurity firm DoubleYou, highlighted that Amos is currently one of the most active macOS infostealers. However, for the malware to successfully install, a macOS user must manually run the file and bypass Apple’s built-in security protections.
How to Stay Safe?
This attack campaign serves as a strong reminder to practice cybersecurity best practices:
- Keep WordPress and Plug-ins Updated: If you own a WordPress site, ensure your core software, themes, and plug-ins are always up to date to prevent exploitation.
- Never Download Updates from Pop-ups: Google Chrome and other browsers have built-in update features. Always update through the official settings.
- Enable Multi-Factor Authentication (MFA): Even if your credentials are stolen, MFA can add an extra layer of security to prevent unauthorized logins.
- Use Security Plug-ins: WordPress site owners should install security plug-ins like Wordfence or Sucuri to detect and block threats in real time.
- Scan Your Device for Malware: Regularly run security scans using trusted antivirus or anti-malware software to detect potential infections.
- Monitor Your Accounts for Suspicious Activity: If you suspect your credentials were stolen, immediately change your passwords and check for unauthorized logins.
In Short
With hackers continuously evolving their tactics, website owners and internet users must remain vigilant. Exploiting outdated software remains one of the most effective ways for cybercriminals to launch widespread attacks. Keeping WordPress installations updated and practicing safe browsing habits can help mitigate these risks.
The recent surge in WordPress-related malware attacks demonstrates the importance of proactive security measures. Whether you’re a site owner or a visitor, staying informed and following cybersecurity best practices can protect you from falling victim to these malicious campaigns.
Summary
Hackers are actively exploiting outdated WordPress sites and vulnerable plug-ins to distribute malware targeting both Windows and Mac users. This large-scale attack deceives visitors with fake browser update prompts, leading to data theft and system compromise.
Key Aspect | Details |
---|---|
Attack Type | WordPress site hijacking & malware injection |
Malware Used | Amos (Atomic Stealer) for macOS, SocGholish for Windows |
How it Works | Fake Chrome update page tricks users into downloading malware |
Affected Users | Both Windows and Mac users visiting compromised websites |
Impact | Password theft, financial credential compromise, system vulnerability |
Prevention Tips | Keep WordPress and plug-ins updated, never install updates from pop-ups, enable MFA, use security plug-ins, scan devices for malware, monitor accounts for suspicious activity |