WordPress Websites Compromised With Fake DDoS Protection Page

Systems Networks
Advisory ID:
August 23, 2022


Threat actors are targeting WordPress-powered websites by injecting a malicious JavaScript payload that displays a bogus Cloudflare DDoS (Distributed Denial of Service) protection page. Because such DDoS checks have become the norm while browsing the web, unsuspecting internet users are duped into believing the page is genuine and, as a result, are infected with a RAT (Remote Access Trojan) and an information stealer.

Description & Consequence

WordPress sites with insufficient security are the target of this scheme, which the actors exploit to inject malicious JavaScript code. When such a website is visited, a bogus Cloudflare DDoS protection page appears, prompting the visitor to "click here." When they click the link, a file called 'security_install.iso' is downloaded, and they are taken to a page that asks for a "Personal Verification Code from the Application DDOS GUARD." This tricks the visitor into installing the downloaded file: while the installer does display a verification code, it also installs the NetSupport RAT and the information-stealing malware Raccoon Stealer.

The aftereffects of installing the 'security_install.iso' file are numerous. These include, but are not limited to:

  1. The exfiltration of login credentials that may result in account takeover.
  2. Theft of certain information stored by the web browser such as auto-fill data, cookies and debit card information.
  3. The actor will be able to monitor the victim's computing activity and access system information.
  4. With NetSupport RAT installed, the device can be infected with other malware (e.g. ransomware).


The countermeasures that should be taken differ depending on whether one is a website administrator or an internet user. As a website admin, one should take the following measures:

  1. Ensure that the website is safeguarded by a reliable firewall.
  2. Make sure all web administration software is up-to-date.
  3. Make use of file integrity monitoring systems.
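The following is an added example, not code from the advisory, showing the kind of check a file integrity monitoring step implies for the scenario described above: take a SHA-256 baseline of a WordPress tree, later diff the tree against it, and run content heuristics only over the files that were added or modified. The sample site tree, the appended external script tag (on a reserved `.invalid` host) and the dropped lure page are all constructed for the demonstration; the heuristic strings come from the lure text the advisory describes, while the external-script check is a generic review aid, since legitimate themes also load remote scripts.

```python
"""Added example: file-integrity baseline plus a content check over files that
changed since the baseline. Sample tree and injected snippet are constructed."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Content heuristics. The first three are strings the advisory describes on the
# lure page; the last flags an externally sourced <script> tag, which legitimate
# themes use too, so a hit narrows review rather than giving a verdict.
HEURISTICS = [
    ("lure_iso_name", re.compile(rb"security_install\.iso", re.I)),
    ("lure_verification_text", re.compile(rb"Personal Verification Code", re.I)),
    ("lure_ddos_guard_text", re.compile(rb"DDOS GUARD", re.I)),
    ("external_script_src", re.compile(rb"<script[^>]+src=[\"']https?://", re.I)),
]
MONITORED_SUFFIXES = (".php", ".js", ".html")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each monitored file (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MONITORED_SUFFIXES
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def scan_file(path: Path) -> list:
    """Return the names of the heuristics that match the file's content."""
    data = path.read_bytes()
    return [name for name, rx in HEURISTICS if rx.search(data)]


def check_site(root: Path, baseline: dict) -> dict:
    """Integrity diff first, then a content scan limited to changed files."""
    report = diff_against_baseline(root, baseline)
    hits = {}
    for rel in report["added"] + report["modified"]:
        matched = scan_file(root / rel)
        if matched:
            hits[rel] = matched
    report["hits"] = hits
    return report


def demo() -> dict:
    """Build a constructed WordPress-like tree, baseline it, then simulate an
    injected external script in the theme footer plus a dropped lure page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "sample"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?></body></html>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "readme.txt").write_text("not monitored\n")
        baseline = build_baseline(root)

        # Constructed injection: a remote script appended to footer.php. The
        # host is a reserved .invalid name, not an indicator from the advisory.
        with (theme / "footer.php").open("a") as fh:
            fh.write('<script src="https://cdn.example.invalid/check.js"></script>\n')
        # Constructed dropped file standing in for the lure page.
        (root / "verify.html").write_text(
            "<p>Enter the Personal Verification Code from the Application DDOS GUARD</p>\n")
        return check_site(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is stored off-host (or signed) right after a clean install or update, and the diff runs on a schedule; restricting the content scan to added or modified files is what keeps the external-script heuristic useful, since an unchanged theme that has always loaded a remote script never enters the review queue.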

However, if one is an internet user, then these are the measures one should put to use:

  1. Install reliable anti-virus software that includes internet security and is always kept up-to-date.
  2. Always enable MFA (Multi-Factor Authentication) on all services.
  3. Do not click on strange links! Refrain from installing dubious downloads.
  4. Always make sure the internet browser is up-to-date.
  5. Advanced users should enable a script blocker in the browser.


