A chilling illustration of a hacked WordPress site, using visitors' browsers for a distributed brute-force attack. The site's homepage is filled with a sea of distorted, overlapping text, while a menacing, cyberpunk-inspired hacker avatar looms in the background. Visitors' browsers are shown as connected nodes in a dark, sprawling network, illustrating the scale of the attack.

Hacked WordPress sites use visitors’ browsers for distributed brute-force attacks.

According to Sucuri’s latest research, threat actors are using malicious JavaScript injections to launch brute-force assaults against WordPress sites.

The widespread brute-force assaults “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” according to security expert Denis Sinegubko.

The action is part of a previously known assault wave in which hijacked WordPress sites were exploited to directly insert crypto drainers like Angel Drainer or lead site users to Web3 phishing sites with drainer malware.

The most recent edition is significant in that the injections, which have been detected on over 700 sites to far, do not load a drainer but instead brute-force other WordPress sites using a list of popular and stolen credentials.

The assault occurs in five steps, allowing a threat actor to use previously hacked websites to execute distributed brute-force attacks against additional prospective victim sites. –

Getting a list of target WordPress sites.
Extracting the true usernames of writers who post on such sites.
Inject malicious JavaScript code onto already-infected WordPress sites.
When users arrive on the compromised sites, they launch a widespread brute-force assault on them via the browser.
Obtaining unauthorized access to target sites
“For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request,” he said. “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”

It’s unclear what caused the threat actors to convert from crypto drainers to widespread brute-force attacks, but it’s possible that the transition was motivated by profit, since hacked WordPress sites may be monetized in a variety of ways.

However, Scam Sniffer data shows that crypto wallet drainers caused losses of hundreds of millions of dollars in digital assets in 2023. The Web3 anti-scam solution supplier has subsequently discovered that drainers use the normalization process in the wallet’s EIP-712 encoding mechanism to avoid security alarms.

The news comes after the DFIR investigation showed that threat actors are using a serious hole in a WordPress plugin called 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to install the Godzilla web shell for permanent remote access.

It also follows a new SocGholish (aka FakeUpdates) operation targeting WordPress websites, in which JavaScript malware is transmitted via modified versions of legal plugins installed using compromised admin credentials.

“Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack,” Ben Martin, a security researcher at Microsoft, said.


Scroll to Top