10,000 WordPress Sites Hacked To Spread Malware
Over 10,000 WordPress websites have been hacked to distribute malware targeting both Windows and macOS users, security researchers at c/side revealed this week.
In a Rush? Here are the Quick Facts!
- Attackers target outdated WordPress plugins to inject malicious JavaScript.
- Malware includes AMOS for macOS and SocGholish for Windows.
- Fake Google Chrome update prompts trick users into downloading malware.
Attackers injected malicious JavaScript into outdated WordPress sites, tricking visitors into downloading fake browser updates that install harmful software.
When a visitor lands on an infected page, their browser loads a fake update prompt inside an invisible frame. If the visitor downloads and installs the supposed update, they unknowingly infect their device with malware.
This method marks a shift from previous tactics, as it is the first known instance of AMOS and SocGholish being delivered through a client-side attack. Instead of redirecting users to a separate malicious site, the malware is injected directly into their browser session.
The AMOS malware is designed to steal sensitive data from Mac users, including passwords, credit card information, and cryptocurrency wallets. It is sold on hacker forums and Telegram channels, making it easily accessible to cybercriminals.
SocGholish, which targets Windows users, is often used to install additional malware, such as ransomware or keyloggers, by disguising itself as a legitimate software update.
The hackers likely gained access to these WordPress sites by exploiting outdated plugins and themes. Since many websites do not have active monitoring for client-side attacks, the malicious scripts went undetected for an extended period.
Security experts identified several suspicious domains involved in the attack, including **blackshelter[.]org** and **blacksaltys[.]com**, which redirected users to malware-hosting sites. The malicious script was also found on a widely used content delivery network, making detection more difficult.
To stay safe, website owners are urged to update their WordPress installations and plugins, check for unusual scripts, and remove any suspicious files. Users who may have downloaded files from infected sites should run a full system scan and check their devices for malware.
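One way to carry out the "check for unusual scripts" step above, as an added example that is not from c/side or the original article: a static audit of a page's HTML that flags script and frame sources on the two domains named above, sources outside a site allowlist, and invisible frames. The allowlist hosts, the sample page and its paths are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article, stored defanged and refanged at runtime.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("blackshelter[.]org", "blacksaltys[.]com")}
# Assumption: hosts this site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}
HIDDEN_STYLES = ("display:none", "visibility:hidden", "opacity:0")

def matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def is_hidden(attrs):
    """Heuristic for an invisible frame: hidden attribute, 0/1px size, or CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "hidden" in attrs or tiny or any(s in style for s in HIDDEN_STYLES)

class ScriptAudit(HTMLParser):
    """Records (finding, tag, host) for each <script> and <iframe> start tag."""
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: v or "" for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""  # "" for same-site paths
        if host and matches(host, IOC_DOMAINS):
            self.findings.append(("ioc", tag, host))
        elif host and not matches(host, ALLOWED_HOSTS):
            self.findings.append(("unlisted", tag, host))
        if tag == "iframe" and is_hidden(a):
            self.findings.append(("hidden-frame", tag, host or "(no src)"))

def audit(html):
    """Parse one page of HTML and return its list of findings."""
    parser = ScriptAudit()
    parser.findings = []
    parser.feed(html)
    return parser.findings

# Constructed sample page (paths and the .test hosts are made up for illustration).
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
<script src="https://blackshelter[.]org/constructed.js"></script>
<script src="//stats.unknown-host.test/t.js"></script>
</head><body><iframe src="https://blacksaltys[.]com/constructed" style="display: none"></iframe></body></html>""".replace("[.]", ".")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A static parse only sees tags present in the served HTML; scripts and frames created at runtime by injected JavaScript have to be checked in a browser or with client-side monitoring.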
The campaign highlights the growing threats posed by cybercriminals exploiting website vulnerabilities to infect users with malware. Security researchers are continuing to monitor the attack and warn that more compromised websites may still be spreading the infection.