Fake “Java Update” pop-up hidden inside a malicious WordPress plugin

A new social-engineering tactic is targeting WordPress sites with a convincing “Java Update” pop-up. It looks legitimate, but it’s designed to trick visitors into downloading malware. Here’s what’s happening and how to protect your business website.

What’s going on

Attackers are disguising a rogue plugin inside /wp-content/plugins/contact-form/ and giving it credible-sounding details (for example, pretending to be a popular SEO tool). Once active, it injects a large block of JavaScript into the <head> of pages for non-admin users, displaying a fake software update with progress bars and buttons.

Clicking the prompt triggers a download from a third-party domain and attempts to run a malicious Windows executable. The plugin then hides itself from the normal WordPress plugins list to avoid discovery, uses cookies to prevent the pop-up from reappearing immediately, and sends attacker notifications when it detects new processes running on a visitor’s computer.

How the trap works (in plain English)

  • Looks trusted: The plugin carries fake name/metadata to lull site owners into leaving it enabled.
  • Shows a system-style pop-up: A script renders a realistic “Java update” window to visitors who aren’t logged in as admins, focusing on Windows users.
  • Triggers a download: The “Update” button silently submits a hidden form to a remote server to deliver a .exe file.
  • Tracks execution: The malware polls for new processes (e.g., the downloaded installer) and alerts attackers via Telegram when it runs.
  • Stays stealthy: It hides from the dashboard and manages sessions/cookies so it’s less obvious during spot checks.

Why this matters to your business

  • Trust & reputation: Visitors confronted with suspicious pop-ups lose confidence and may never return.
  • SEO & discoverability: Infections can lead to browser or search engine warnings, cutting organic traffic overnight.
  • Compliance & liability: If customer devices are infected after visiting your site, you may face complaints and reporting obligations.
  • Revenue impact: Interrupted journeys mean fewer enquiries and sales — and higher recovery costs later.

Warning signs to look for

  • Visitors report a “Java update” or software-style pop-up on your site.
  • Unrecognised plugins or folders (e.g., /wp-content/plugins/contact-form/) that don’t match your installed tools.
  • Plugins missing from the WordPress admin list despite being present on disk.
  • Unexpected outbound requests to unfamiliar domains.

What to do now (quick response)

  1. Place the site behind a WAF: Use a web application firewall to block malicious traffic while you investigate. A WAF adds a protective layer without changing your server.
  2. Disable & remove the rogue plugin: Via SFTP/SSH, rename or delete the suspicious plugin directory, then remove it in the dashboard.
  3. Scan for malware: Run a server-side scan to detect injected JavaScript, backdoors and modified core files. Follow with a thorough malware removal.
  4. Rotate keys & passwords: Update all admin, database and hosting credentials and enable two-factor authentication.
  5. Check outbound connections: Review logs for connections to unknown domains and block them at the firewall.
  6. Restore if necessary: If you have clean backups, restore the site and immediately apply updates and hardening.
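As a complement to the warning signs above and to step 3 (the server-side scan), the following is an added example, not code from the original article or from Sucuri's analysis. It walks a plugins directory and flags the traits this post describes: a plugin that removes itself from the dashboard list, hooks `wp_head` to inject markup, branches on whether the visitor is an administrator, references a Windows executable, or talks to the Telegram bot API. The use of WordPress's `all_plugins` filter as the hiding mechanism is a general fact about WordPress, not something the article states, and the indicator list and the two sample plugin files are constructed for illustration.

```python
"""Heuristic scan of a WordPress plugins directory for the traits described in
the article. Added example; the indicators are assumptions derived from the
behaviours the post lists (hiding from the plugin list, injecting into <head>
for non-admins, delivering a .exe, reporting via Telegram). Tune to taste."""
import re
import tempfile
from pathlib import Path

# (label, pattern). The all_plugins filter is the hook a plugin must abuse to
# disappear from the admin plugin list while still being present on disk.
INDICATORS = [
    ("hides from plugin list (all_plugins filter)",
     re.compile(r"add_filter\(\s*['\"]all_plugins['\"]", re.I)),
    ("injects markup into <head> (wp_head hook)",
     re.compile(r"add_action\(\s*['\"]wp_head['\"]", re.I)),
    ("branches on admin capability",
     re.compile(r"current_user_can\(\s*['\"](manage_options|administrator)['\"]", re.I)),
    ("references a Windows executable",
     re.compile(r"\.exe\b", re.I)),
    ("contacts the Telegram bot API",
     re.compile(r"api\.telegram\.org/bot", re.I)),
]


def scan_plugin_dir(plugins_root: Path) -> dict[str, list[str]]:
    """Return {plugin_dir_name: [indicator labels]} for each plugin directory
    under plugins_root whose PHP/JS files trip at least one indicator."""
    findings: dict[str, list[str]] = {}
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        hits: list[str] = []
        for src in plugin_dir.rglob("*"):
            if src.suffix.lower() not in {".php", ".js"}:
                continue
            text = src.read_text(errors="replace")
            for label, pattern in INDICATORS:
                if label not in hits and pattern.search(text):
                    hits.append(label)
        if hits:
            findings[plugin_dir.name] = hits
    return findings


def disk_only_plugins(plugins_root: Path, dashboard_listing: set[str]) -> set[str]:
    """Plugin directories present on disk but absent from what the dashboard
    (or `wp plugin list`) reports: the 'missing from the admin list' sign.
    dashboard_listing holds plugin directory slugs."""
    on_disk = {p.name for p in plugins_root.iterdir() if p.is_dir()}
    return on_disk - dashboard_listing


# --- Constructed samples: one benign plugin, one with the described traits ---
SAMPLE_BENIGN = """<?php
/* Plugin Name: Hello Dolly (constructed sample) */
add_action('admin_notices', 'hello_dolly');
"""

SAMPLE_ROGUE = """<?php
/* Plugin Name: Popular SEO Tool (constructed sample header) */
add_filter('all_plugins', function ($plugins) {
    unset($plugins['contact-form/contact-form.php']);
    return $plugins;
});
add_action('wp_head', function () {
    if (current_user_can('manage_options')) { return; }
    echo '<script>/* fake update window */ var dl = "update.exe";</script>';
});
wp_remote_post('https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendMessage');
"""


def demo() -> tuple[dict[str, list[str]], set[str]]:
    """Build the constructed sample tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hello-dolly").mkdir()
        (root / "hello-dolly" / "hello.php").write_text(SAMPLE_BENIGN)
        (root / "contact-form").mkdir()
        (root / "contact-form" / "contact-form.php").write_text(SAMPLE_ROGUE)
        # The dashboard shows only the benign plugin; the rogue one hid itself.
        hidden = disk_only_plugins(root, {"hello-dolly"})
        return scan_plugin_dir(root), hidden


if __name__ == "__main__":
    report, hidden = demo()
    for name, hits in report.items():
        print(f"{name}: " + "; ".join(hits))
    print("on disk but not in dashboard:", sorted(hidden))
```

Run it against a real site by pointing `scan_plugin_dir` at `wp-content/plugins/` and feeding `disk_only_plugins` the slugs from `wp plugin list --field=name`; any directory that is on disk but not in that list deserves the same scrutiny as one that trips the indicators.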

Prevention and ongoing protection

  • Managed updates: Keep WordPress core, plugins and themes current to close known vulnerabilities. Managed WordPress maintenance reduces lag between patches and deployment.
  • Trusted sources only: Install plugins/themes from reputable developers. Remove anything you don’t use.
  • Security monitoring: Continuous monitoring alerts you to file changes, suspicious requests and integrity issues before they escalate.
  • Least-privilege access: Limit admin accounts, use strong, unique passwords, and enforce 2FA for all users.
  • Web application firewall (WAF): Filter attacks and exploit attempts before they reach your site, and add virtual patching for emerging threats.
  • Regular backups: Keep automated, off-site backups so you can recover quickly after malware removal.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

If you’ve seen suspicious pop-ups or unusual downloads on your site, we can help with calm, practical remediation and ongoing WordPress security. Email [email protected] or call 01952 883 526.

Based on research by Sucuri. Read the original analysis.