An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from a Nuclear exploit kit (EK) to an Angler EK.

Researcher Jerome Segura said a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its url pattern from “admedia” to “megaadvertize.”

To evade honeypots and to insure the malware hits its intended target, the malicious url performs a fingerprint of the user’s machine to check if they are running Internet Explorer browser and using a screen resolution greater than 800×600, the post said.

In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.

Earlier this month, researchers noticed a spike in the number of compromised sites that were injected with malicious code attached to the end of legitimate JavaScript files.