Threat actors are targeting unprotected WordPress sites in an effort to deploy Raccoon Stealer and the NetSupport Remote Access Trojan (RAT). Visitors of the affected sites will be greeted with what appears to be a DDoS protection screen, something that most internet users are familiar with. An option to bypass the protection screen is available to the user, but instead of simply getting rid of the screen, an ISO file is downloaded. After that download is complete and the file is opened, users are presented with an additional file, security_install[.]exe, that executes a PowerShell command that downloads the malware and installs it on the system.