Security experts have flagged a major problem involving thousands of WordPress websites. A malicious script presents visitors with a page that looks like a genuine browser update prompt. Once opened, that page can trick both Windows and macOS users into installing unwanted software.

A Belgian security company named c/side has reported over 10,000 compromised sites that load these counterfeit update prompts. The files deployed come in two versions: SocGholish for Windows systems and AMOS (Atomic macOS Stealer) for Apple computers.

Investigators revealed that the attackers take advantage of older WordPress releases and outdated plugins. This practice hides malicious code in areas many site owners might not check. As soon as a visitor accesses the site, the browser receives a script that halts normal activity, purges standard attributes from page elements, and then inserts a deceptive iframe.

According to c/side, the threat is still active, and some infected websites are ranked highly in online traffic metrics. The group alerted the primary firm behind WordPress, Automattic, and shared data on the malicious domains found in the campaign.

What Is The Main Goal?

The core intent is to lure users into downloading a software update that is anything but genuine. Once a visitor clicks the prompt, a file arrives that disguises itself as a new Chrome release. Users who open this file expose their systems to a program designed to capture login details, session tokens, and other personal data.

For Windows, the malware is SocGholish, a known tool in the underground market. It can harvest passwords and intercept credentials, giving hackers an advantage when seeking to break into further accounts. Meanwhile, macOS users face AMOS, also known as Atomic macOS Stealer, which follows a comparable method in collecting private data.

Developers behind these malware products offer them as purchasable packages, often through messaging channels such as Telegram. This arrangement means that many different groups may use the same code, intensifying the reach of the threat. As a result, a single infected site can spread more than one malicious file, targeting different operating systems simultaneously.

How Are These Websites Compromised?

C/side discovered that many site owners still use WordPress 6.7.1 or carry over plugins that have not been patched in a long time. Attackers apparently inject hidden code into these outdated setups, directing web browsers to script files stored on domains such as blackshelter.org or blacksaltys.com.

These scripts then remove key elements on the page, such as design attributes, and present a pop-up iframe that shows a bogus update notification. Visitors who agree to that prompt inadvertently pick up the malicious download. This tactic draws on human error and user trust, making it effective on a large scale.

Investigators at c/side searching through the compromised WordPress installations detected a file on deski.fastcloudcdn.com that appeared heavily obfuscated. Analysis revealed multiple layers of encoding, and each site that loaded the script ended up redirecting visitors toward the fake update page.

Further clues came from link elements in the HTML code. These elements instructed browsers to prefetch DNS lookups for domains such as rednosehorse.com and objmapper.com, possibly speeding up the malicious process. The chain of redirections then led users straight to files that disguised themselves as a Chrome patch.
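A site owner auditing their own pages can look for the same three traces the report describes: off-site script tags, dns-prefetch link elements, and injected iframes. The following scanner is an added example written for this article, not code from c/side; the domain list is taken from the report above, while the sample page and the site host name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the c/side report (injected script hosts and prefetched domains).
REPORTED_DOMAINS = {
    "blackshelter.org", "blacksaltys.com", "deski.fastcloudcdn.com",
    "rednosehorse.com", "objmapper.com",
}


class InjectionScanner(HTMLParser):
    """Record script, dns-prefetch and iframe targets that are off-site or reported."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag kind, host, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._check("script", a["src"])
        elif tag == "link" and "dns-prefetch" in (a.get("rel") or "").lower():
            self._check("dns-prefetch", a.get("href") or "")
        elif tag == "iframe" and a.get("src"):
            self._check("iframe", a["src"])

    def _check(self, kind, url):
        # Protocol-relative URLs ("//host/...") need a scheme before parsing.
        host = (urlparse(url if "://" in url else "https:" + url).hostname or "").lower()
        if host in REPORTED_DOMAINS:
            self.findings.append((kind, host, "reported-domain"))
        elif host and host != self.site_host:
            self.findings.append((kind, host, "off-site"))
        # Relative paths (no host) are same-origin and are not reported.


def scan_page(html, site_host):
    """Return a list of suspicious (kind, host, reason) tuples found in the page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one legitimate same-origin script plus injected elements.
SAMPLE_HTML = """<html><head>
<link rel="dns-prefetch" href="//rednosehorse.com">
<link rel="dns-prefetch" href="//objmapper.com">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://blackshelter.org/loader.js"></script>
</head><body><p>Hello</p>
<iframe src="https://fake-update.example/chrome.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "example-blog.test"):
        print(finding)
```

Running it against saved copies of a site's pages (or the output of a fetch) flags the injected elements while leaving the site's own relative script paths alone.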

What Can People Do?

C/side advises website owners to upgrade their WordPress core and all plugins without delay. Removing any unneeded add-ons is also recommended to reduce the risk of hidden backdoors. Regular checks of system logs may help spot suspicious activity and show when a plugin was modified.

Anyone who unknowingly downloaded files from these infected websites should perform a full scan on their system. Windows users can turn to reputable antivirus programs, and Mac owners may want to confirm downloads through official channels before opening them. If there is any doubt, quarantining the file or seeking professional security guidance is a wise move.

The scheme hinges on fooling visitors into trusting a bogus browser update. Checking browser updates through official menus is always safer than installing unexpected files from a site. These measures, combined with caution, can greatly reduce the chances of falling victim to this malware campaign.

© 2025 The News Times UK. Designed and Owned by The News Times UK.