Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website
Aug. 14, 2025, 11:02 a.m.
Description
A JavaScript-based malware campaign has been discovered affecting compromised WordPress websites. The malware injects a fullscreen iframe that loads content from suspicious external domains, aiming to force users to view unsolicited content for ad fraud, traffic generation, or social engineering. The infection was found embedded in the WordPress wp_options database table, exploiting the WPCode plugin. The malicious script uses advanced evasion techniques like anti-debugging, function hijacking, and localStorage abuse. It selectively targets Windows users on specific browsers, displaying a fake Cloudflare CAPTCHA page that prompts users to run a suspicious PowerShell command. This attack not only intrudes on user experience but also poses significant security risks, potentially leading to system compromise and damage to website reputation.
Date
- Created: Aug. 14, 2025, 8:07 a.m.
- Published: Aug. 14, 2025, 8:07 a.m.
- Modified: Aug. 14, 2025, 11:02 a.m.
Indicators
- secretdinosaurcult.com
- weathersnoop.com
- adoodlz.com
- cdnstat.net
- ampunshifu.org
- wanderclean.com