Security researchers at Sucuri have uncovered a stealthy malware campaign that hijacks WordPress websites to display fake Java update pop-ups, tricking unsuspecting visitors into downloading malicious executable files. The campaign came to light when a website owner reported persistent update prompts appearing for visitors.
"This type of deceptive notification is a common tactic used by attackers to compromise website visitors," writes Puja Srivastava in her detailed analysis.
The infection originated from a malicious plugin found in /wp-content/plugins/contact-form/, posing as the well-known Yoast SEO plugin. The attackers crafted fake plugin metadata to deceive administrators and evade suspicion.
"However, it served a completely different purpose," Srivastava confirms.
Once activated, the plugin injected a massive inline JavaScript block into every page's <head>, but only for non-admin visitors. This JavaScript displayed a fake Java update modal, complete with visuals, progress bars, and localized text, targeting Windows users while bypassing macOS, Safari, and mobile devices.

The malicious JavaScript handled everything: from displaying the popup to tracking user interactions and initiating a malware download from the domain hxxps://2sopot[.]pl/dw4.php. The downloaded file, disguised as [Random-name].exe, was found to be a Hacktool/trojan, flagged by 13 security vendors on VirusTotal.
"The JavaScript creates a hidden HTML form and submits it, causing the browser to initiate the download," the report explains.
This file triggered not only a malicious payload but also system process monitoring that informed attackers of any execution attempts via Telegram notifications.
The rogue plugin employed stealth techniques to hide itself from WordPress dashboards, ensuring it wouldn’t appear in the list of installed plugins. Additionally, it used session variables and cookies to control popup behavior and avoid alerting users multiple times.
"The plugin uses sessions and cookies to track user interactions and prevent repetitive pop-ups."
It then monitored the victim's system post-download using tasklist (on Windows) or ps aux (on Linux/macOS), looking for suspicious or known remote access tool processes like SSADownloadJava or ScreenConnect.WindowsClient.
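The plugin-side behaviours described above (a plugin header impersonating Yoast SEO from an unrelated directory, hiding itself from the installed-plugins list, and injecting a large inline script into the head only for non-admin visitors) can each be turned into a heuristic check. The following scanner is an added example written for this article; it is not Sucuri's tooling or part of the report. The KNOWN_PLUGIN_SLUGS table, the regexes, the sample plugin text and the sample HTML views are all constructed here; wordpress-seo is Yoast SEO's real directory slug, and the only indicator used is the defanged download URL quoted in the article.

```python
"""Heuristic checks for a plugin behaving like the one in the article (added example)."""
import re
from pathlib import PurePosixPath
from typing import List, Optional

# Official directory slugs for commonly impersonated plugins (assumed table; extend as needed).
KNOWN_PLUGIN_SLUGS = {
    "yoast seo": "wordpress-seo",
    "contact form 7": "contact-form-7",
}

# Indicator from the article, kept defanged; refang() normalises both sides before matching.
IOCS = ["hxxps://2sopot[.]pl/dw4.php"]

# Constructed sample modelled on the described behaviour (not the real malware's code).
SAMPLE_PATH = "wp-content/plugins/contact-form/contact-form.php"
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Yoast SEO
Author: Team Yoast
*/
add_filter('all_plugins', function ($plugins) {
    unset($plugins['contact-form/contact-form.php']);   // vanish from the plugin list
    return $plugins;
});
add_action('wp_head', function () {
    if (current_user_can('manage_options')) { return; } // admins never see it
    echo '<script>/* large popup script */ var dl = "hxxps://2sopot[.]pl/dw4.php";</script>';
});
'''


def refang(text: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def plugin_name(php: str) -> Optional[str]:
    """Extract the 'Plugin Name:' value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", php, re.M)
    return m.group(1) if m else None


def scan_plugin_file(path: str, php: str) -> List[str]:
    """Return heuristic findings for one plugin file (empty list means nothing flagged)."""
    findings = []
    slug = PurePosixPath(path).parent.name
    name = plugin_name(php)
    if name:
        official = KNOWN_PLUGIN_SLUGS.get(name.lower())
        if official and official != slug:
            findings.append(f"header claims '{name}' but lives in /{slug}/ (expected /{official}/)")
    if re.search(r"add_filter\(\s*['\"]all_plugins['\"]", php):
        findings.append("filters all_plugins: can hide itself from the plugin list")
    hooks_head = re.search(r"add_action\(\s*['\"]wp_head['\"]", php)
    role_check = re.search(r"current_user_can|is_admin\(|is_user_logged_in", php)
    if hooks_head and role_check and "<script" in php:
        findings.append("injects <script> on wp_head, gated on the visitor's role")
    body = refang(php)
    for ioc in IOCS:
        if refang(ioc) in body:
            findings.append(f"contains known indicator {ioc}")
    return findings


def inline_script_bytes(html: str) -> int:
    """Total bytes of inline <script> bodies inside <head>; external src scripts are ignored."""
    head = re.search(r"<head>(.*?)</head>", html, re.S | re.I)
    if not head:
        return 0
    total = 0
    for m in re.finditer(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", head.group(1), re.S | re.I):
        if "src=" not in m.group("attrs"):
            total += len(m.group("body").encode())
    return total


def compare_views(anonymous_html: str, admin_html: str, threshold: int = 4096) -> bool:
    """True when anonymous visitors receive markedly more inline head script than an admin,
    the asymmetry produced by injection that is skipped for logged-in administrators."""
    return inline_script_bytes(anonymous_html) - inline_script_bytes(admin_html) > threshold


# Constructed page views: the anonymous one carries an 8000-byte inline script, the admin one none.
ANON_VIEW = "<html><head><title>x</title><script>" + "var a=1;" * 1000 + "</script></head><body></body></html>"
ADMIN_VIEW = "<html><head><title>x</title></head><body></body></html>"

if __name__ == "__main__":
    for finding in scan_plugin_file(SAMPLE_PATH, SAMPLE_PLUGIN):
        print("FINDING:", finding)
    print("anonymous view gets extra script:", compare_views(ANON_VIEW, ADMIN_VIEW))
```

In practice, run scan_plugin_file over every PHP file under wp-content/plugins/ (the file system, not the dashboard, since the dashboard list is exactly what an all_plugins filter can falsify), and feed compare_views two fetches of the same page, one as an anonymous visitor and one as a logged-in administrator. None of the four checks is conclusive alone; the combination of an impersonated header, self-hiding and role-gated script injection is what makes a plugin worth pulling for review.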
This infection is not just a nuisance; it carries real consequences:
- For visitors: Risk of system compromise, browser data exfiltration, and potential botnet recruitment.
- For website owners: SEO penalties, search engine blacklisting, loss of user trust, and costly cleanups.
"At the time of writing this article, 13 websites are infected with this malicious pop-up," Srivastava warns.