A widespread malware campaign has compromised thousands of WordPress sites, using deceptive plugins to deliver harmful scripts disguised as software updates and error messages.

According to GoDaddy, the threat actors behind the malicious operations, ClearFake and ClickFix, compromised more than 6,000 WordPress websites.

“The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins,” explains GoDaddy security researcher Denis Sinegubko.

“These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users,” GoDaddy’s security advisory reads. “This technique leverages social engineering strategies to trick users into executing malicious code, ultimately compromising their systems with various types of malware and information stealers.”

Cybercriminals gain access to websites using stolen login credentials, allowing them to install fake plugins on compromised WordPress sites. Once these plugins are active, they inject malicious JavaScript into the website, which includes a version of malware disguised as a browser update.

This malware uses blockchain technology and smart contracts, a technique called EtherHiding, to securely deliver harmful code. When the script runs in a visitor’s browser, it displays a fake update notification to trick the user into downloading malware. This often leads to the installation of remote access trojans or information-stealing software like Vidar Stealer and Lumma Stealer, which compromise the victim’s system.

Between June and September 2024, the following malicious plugins were detected: LiteSpeed Cache Classic MonsterInsights Classic, Wordfence Security Classic, Search Rank Enhancer, SEO Booster Pro, Google SEO Enhancer, Rank Booster Pro, Admin Bar Customizer, Advanced User Manager, Advanced Widget Manager, Content Blocker, Custom CSS Injector, Custom Footer Generator, Custom Login Styler, Dynamic Sidebar Manager, Easy Themes Manager, Form Builder Pro, Quick Cache Cleaner, Responsive Menu Builder, SEO Optimizer Pro, Simple Post Enhancer, and Social Media Integrator.

ClearFake, first seen in 2023, used compromised websites to display fake browser update notifications, tricking users into downloading information-stealing malware. ClickFix, emerging in 2024, employs a similar approach, but instead of browser updates, it presents fake software error messages with malicious “fixes” that install malware when executed.