Hackers Target WordPress Sites to Spread Malware on Windows and Mac
![Hackers Target Wordpress Sites To Spread Malware On Windows And Mac](https://www.techjuice.pk/wp-content/uploads/2025/01/hackers-target-wordpress-sites-to-spread-malware-on-windows-and-mac-techjuice-166321-940x540.jpg)
According to security researchers, thousands of websites are being hacked using old versions of WordPress and plugins. The goal is to deceive users into downloading and installing malware.
Web security firm c/side’s founder and CEO, Simon Wijckmans, told Techjuice on Tuesday that the hacking campaign is “very much live.”
The hackers’ plan involves spreading malware that can steal sensitive information, including passwords, from users of both Mac and Windows computers. According to c/side, several of the hacked websites rank among the most visited on the internet.
“This is a widespread and very commercialized attack,” Himanshu Anand, who wrote up the company’s findings, told Techjuice. Anand described the campaign as a “spray and pray” assault, meaning that rather than targeting any one individual or organization, it seeks to compromise everyone who visits these websites.
How Does the Attack Work?
The researchers discovered that when a user loads one of the hacked WordPress sites in their browser, the content swiftly changes to show a fake Chrome browser update page. The page asks the visitor to install the update before they can continue to view the site. If the visitor agrees, the hacked website serves a malicious file posing as the update, choosing a Windows or a Mac payload depending on which the visitor is using.
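The behaviour just described leaves two traces in the HTML a compromised site actually serves: a script pulled from a host the site never used before, and an inline script that sniffs the visitor’s operating system and pushes an “update” download. The following is an added example written for this page, not code from c/side, Techjuice or the WordPress project, showing how a site operator can check their own served pages for those traits. The allowlist of script hosts, the site hostname and both sample pages are constructed for the demo; the `.invalid` hostname is a reserved placeholder, not a real indicator from the campaign.

```python
"""Added example (not c/side's or WordPress's code): a defender-side check that
parses the HTML a WordPress site serves and flags the two traits the article
describes: scripts loaded from unexpected third-party hosts, and inline scripts
that sniff the visitor's OS and push a "browser update" download.
All hostnames, the allowlist and the sample HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts this (hypothetical) site legitimately loads scripts from.
# Assumption: the operator maintains this allowlist for their own site.
DEFAULT_ALLOWED_HOSTS = {"cdnjs.cloudflare.com", "www.google.com", "www.gstatic.com"}

# Three patterns that together resemble the fake-update overlay: OS sniffing,
# an "update your browser" lure, and a redirect to an installer file.
OS_SNIFF_RE = re.compile(r"navigator\.(userAgent|platform)", re.I)
UPDATE_LURE_RE = re.compile(r"(chrome|browser)\s*(update|is out of date)", re.I)
DOWNLOAD_RE = re.compile(r"(\.exe|\.dmg|window\.location|document\.location)", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, site_host, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return a list of (kind, detail) findings for one served page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # Relative URLs have no host and are the site's own files; skip them.
        if host and host != site_host and host not in allowed_hosts:
            findings.append(("unexpected_script_host", src))
    for body in parser.inline:
        if OS_SNIFF_RE.search(body) and UPDATE_LURE_RE.search(body) and DOWNLOAD_RE.search(body):
            findings.append(("fake_update_overlay", body.strip()[:60]))
    return findings


# Constructed sample: a clean WordPress page.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
</head><body><p>Welcome</p></body></html>"""

# Constructed sample: the same page with an injected loader and overlay script.
INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.third-party-demo.invalid/loader.js"></script>
<script>
  var ua = navigator.userAgent;
  document.body.innerHTML = '<h1>Chrome update required</h1>';
  if (ua.indexOf('Mac') > -1) { window.location = '/dl/update.dmg'; }
  else { window.location = '/dl/update.exe'; }
</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, "blog.example"))
```

In practice the HTML would be fetched from the live site with a browser-like User-Agent, because the injected script is often only served to visitors and not to the logged-in administrator; the allowlist should be built from a known-good copy of the site, and any new external host is worth a look even when the overlay heuristic does not fire.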
According to Wijckmans, c/side notified Automattic, the maker and distributor of WordPress.com, about the hacking campaign and sent it a list of rogue domains. A contact at Automattic confirmed receipt of the email.
Megan Fox, a spokeswoman for Automattic, did not respond when Techjuice contacted her before publishing.
According to c/side, more than 10,000 websites appear to have been compromised in this campaign. Wijckmans said the company found the harmful scripts on several websites by crawling the internet and by using reverse DNS lookup, a method that identifies the websites hosted at a given IP address, which turned up further sites carrying the same scripts.
Although Techjuice was unable to verify the accuracy of c/side’s data, on Tuesday we observed a single compromised WordPress site that continued to display the harmful content.
How WordPress Exploits Lead to Infostealing Malware
The malicious websites are pushing two forms of malware: Amos (aka Amos Atomic Stealer) for macOS users and SocGholish for Windows users.
Cybersecurity firm SentinelOne released a report on Amos in May 2023. The malware was classified as an infostealer, meaning it infects computers and steals login credentials, session cookies, cryptocurrency wallets, and other sensitive data. The hackers then use this information to break further into the victim’s accounts and steal their digital currency. Around the same time, cybersecurity company Cyble announced that it had seen hackers offering access to the Amos malware on Telegram.
Patrick Wardle, a macOS security expert and co-founder of the cybersecurity firm DoubleYou, told Techjuice that Amos is “definitively the most prolific stealer on macOS” and was built on the malware-as-a-service model, in which the creators and owners of the malware sell it to hackers, who then deploy it.
Regarding the malicious file discovered by c/side, Wardle said that “the user still has to then manually run it, and jump through a lot of hoops to bypass Apple’s built-in security” in order to install it successfully on macOS.
A reminder: keep Chrome current by using its built-in software update feature, and only install apps from trusted sources on your personal devices. The hackers depend on victims falling for the fake update page and installing the malware themselves.
Some of the most significant thefts and data breaches in history have been attributed to password-stealing malware and credential theft. In 2024, hackers used passwords stolen from the laptops of Snowflake’s customers to raid, en masse, the accounts of major companies that stored their critical data there.