Red cloud with skull and crossbones leaching into a digital web below

WordPress sites compromised with bogus DDoS alert used to spread malware

Cybercriminals are attacking WordPress sites to produce fake Cloudflare DDoS protection pages that download malware that includes the NetSupport RAT and the password-stealing Trojan RaccoonStealer.

On the internet, DDoS (distributed denial of service) protection screens are widespread. They shield websites from bots that ping them with faulty requests to overload them with junk traffic. Users often come across “DDoS Protection” pages when simply browsing the internet.

These DDoS protection sites are frequently linked to browser tests run by WAF/CDN services that determine if a site visitor is really a person or a part of a Distributed Denial of Service (DDoS) attack. WordPress sites have been the focus of an increase in JavaScript injections recently, which has led to fake DDoS prevent warnings that direct users to download malware with remote access.

Internet customers view these welcome pages as an acceptable, short-term inconvenience that keeps their favourite web services safe from malicious actors. This familiarity provides a good chance for malware attacks.

DDoS Mitigation

Threat actors are exploiting WordPress sites with weak security to inject a JavaScript payload that presents a false Cloudflare protection DDoS screen, according to a research by Sucuri.

Bots are computer programs that automatically search the internet for websites. A few bots are helpful and even necessary for the modern web to work. The content of webpages is scanned and indexed by crawlers like GoogleBot, BingBot, and Baidu Spider.

On the other side, a larger percentage of online traffic is caused by malicious bots. These include DDoS attacks, scrapers that eat email addresses to send phishing, bots that look for weak websites to exploit, content pirates, and more.

Bots consume a lot of website bandwidth, which raises hosting fees and messes with the accurate tracking of website visitors. DDoS prevention services and CAPTCHAs are almost universally used on websites as a result of the gradual growth in bad bot traffic that has driven many of them to block them or otherwise prevent it.

DDOS captcha human verification
CAPTCHA to verify human intervention (Sucuri)

Fake DDoS Protection Alerts

Attackers are now using well-known security tools in their own malware attacks. A malicious JavaScript injection that causes a bogus Cloudflare DDoS protection popup has just been found by Sucuri to be affecting WordPress sites.

This screen, which is seen below, asks the user to click a button to go around the DDoS protection screen. A file called “security install.iso,” which seems to be a programme needed to get beyond the DDoS verification, will be downloaded to the machine when the button is clicked.

Code request Verification
False warning for DDoS protection (Sucuri)

Since these kinds of browser checks are so prevalent online, many users wouldn’t hesitate before clicking this alert to access the website they’re seeking to visit. On the victim’s PC, the popup downloads a malicious.iso file.

The victims are then instructed to run security install.iso, which they pose as being a programme named DDOS GUARD, and input the code shown.

A verification code is present in the.iso file (Sucuri)

A file named security install.exe, which is actually a Windows shortcut that executes a PowerShell command from the debug.txt file, can be found when a user opens the security install.iso.

Jerome Segura at MalwareBytes:

NetSupport RAT has been connected to FakeUpdates/SocGholish and is frequently used to screen victims prior to ransomware distribution. The ISO file includes a shortcut that launches powershell from a different text file under the idea of an executable. RaccoonStealer is also configured by it. After then, depending on the victim, anything can happen.

Install.iso's content
Install.iso’s content (BleepingComputer)

Finally, this results in the execution of a series of scripts that show the bogus DDoS code required to see the site and install the NetSupport RAT, a remote access trojan that is widely employed in harmful campaigns nowadays. The scripts will download and start the device’s Raccoon Stealer password-stealing malware.

RecooonStealer Password
Fake Cloudflare DDoS defence (Sucuri)

In June of this year, when its developers launched the second version and made it accessible to cybercriminals via a subscription model, Raccoon Stealer resumed its activities.

In addition to targeting a variety of cryptocurrency wallets, Raccoon 2.0 may also cause file data leakage and take images of the victim’s desktop. It also targets passwords, cookies, auto-fill information, and credit cards saved on web browsers.


WordPress site administrators should verify their theme files since Sucuri reports that here is where this campaign’s attacks are most often made. The security and privacy of every person who visits your website are at risk, not simply your SEO rankings or your website’s reputation. In order to penetrate computers and infect unknowing users with malware, malicious actors will use all means at their disposal.

jquery.min.js malware
Jquery.min.js has malicious code (Sucuri)

It is recommended to use file integrity monitoring tools to stop RAT spread by spotting those JS injections as they arise. By turning on tight script blocking settings on their browser, internet users may protect themselves against such risks, but doing so will make practically all websites unusable.

A good antivirus application should be running on your computer. Regularly Update and patch your computer’s software, including your browser. Even if you download ISO files accidentally, do not unpack or run their contents, doing so is not a valid or required anti-DDoS process.

Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.

Recent posts