WordPress security tool exposed as malicious plugin

A new malware campaign is targeting WordPress websites with a malicious plugin that poses as a security tool. The disguise is meant to make administrators trust the plugin, and leave it in place, if they notice it at all.

Researchers at Wordfence found that the malware gives attackers persistent access, lets them execute code remotely, and injects JavaScript into pages. At the same time, the plugin hides itself from the plugin list in the WordPress admin dashboard, so it evades detection.

The malware was first detected in late January 2025 during the clean-up of an infected website, where a modified version of the wp-cron.php file was found. The modified file automatically creates a malicious plugin named WP-antymalwary-bot.php and activates it.

Multiple plugin files

The campaign also uses other plugin files with names such as addons.php, wpconsole.php, wp-performance-booster.php, and scr.php.

Even if an administrator removes the plugin, the modified wp-cron.php recreates and activates it the next time the site is visited, because WordPress runs wp-cron.php on ordinary page loads.

Because no server logs were available, the exact infection path is difficult to determine. Wordfence suspects that the infection happens via a compromised hosting account or stolen FTP credentials.

Little is known about those responsible. The command-and-control server, however, is located in Cyprus, and the attack shows characteristics reminiscent of a supply-chain attack from June 2024.

After activation, the plugin first checks its own status and then grants the attacker administrator rights. According to Wordfence, this is done through a function that opens the administrator dashboard when a specific password is supplied in a specific URL parameter: the plugin then retrieves an administrator account from the database and logs the attacker in as that user, so no credentials for that account are needed beyond the hard-coded password.

The plugin then registers a REST API route that requires no authentication. Through it, arbitrary PHP code can be injected into the header.php files of active themes, plugin caches can be cleared, and additional commands can be processed via POST parameters.

A more recent version of the malware can also base64-decode JavaScript and insert it into the <head> section of the website, presumably to show visitors advertisements or spam, or to redirect them to malicious sites.

Pay attention to server logs

In addition to checking for the suspicious plugin files, website administrators are advised to check their wp-cron.php and header.php files for unwanted changes. Server log entries containing parameter names such as emergency_login, check_plugin, urlchange or key may also indicate an infection and warrant further investigation.
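As an added example (not Wordfence's code and not part of the original article), the following Python triage script applies those three checks to constructed sample data: it scans access-log lines for the parameter names above, flags files in the plugin directory whose names match those listed earlier, and compares wp-cron.php and the theme's header.php against known-good SHA-256 hashes. The log lines, file contents and paths are all constructed; the log format assumed is the common Apache/nginx combined format.

```python
"""Triage helper for the indicators above. Constructed sample data, not real logs."""
import hashlib
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Parameter names the article lists as log indicators. "key" is also used by
# legitimate WordPress flows (password-reset links), so it is only a weak signal.
STRONG_PARAMS = {"emergency_login", "check_plugin", "urlchange"}
WEAK_PARAMS = {"key"}

# Plugin file names named in the article.
PLUGIN_FILE_NAMES = {
    "WP-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one dict per request whose query string carries an indicator parameter.
    'confidence' is 'high' for the campaign-specific names and 'low' for 'key' alone."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        params = set(parse_qs(url.query, keep_blank_values=True))
        strong = sorted(params & STRONG_PARAMS)
        weak = sorted(params & WEAK_PARAMS)
        if not strong and not weak:
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": url.path, "params": strong + weak,
            "confidence": "high" if strong else "low",
        })
    return hits


def suspicious_plugin_paths(paths):
    """Filter a listing of wp-content/plugins for file names tied to the campaign.
    Matching is case-insensitive as a precaution against renamed variants."""
    wanted = {n.lower() for n in PLUGIN_FILE_NAMES}
    return sorted(p for p in paths if PurePosixPath(p).name.lower() in wanted)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def modified_files(files, baseline):
    """Compare current contents (path -> bytes) with known-good hashes (path -> hex).
    A file missing from the baseline is reported too: an unknown wp-cron.php is
    as suspicious as a changed one."""
    return sorted(p for p, data in files.items() if baseline.get(p) != sha256_hex(data))


# --- constructed samples (not real traffic or real files) -------------------
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jan/2025:10:15:01 +0000] "GET /?emergency_login=REDACTED HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jan/2025:10:15:09 +0000] "GET /?check_plugin=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [29/Jan/2025:10:16:40 +0000] "GET /wp-login.php?action=rp&key=abc123&login=alice HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Jan/2025:10:17:03 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]
SAMPLE_PLUGIN_DIR = [
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/plugins/WP-antymalwary-bot.php",
    "wp-content/plugins/wp-performance-booster.php",
]
GOOD_CRON = b"<?php\n/* pristine wp-cron.php (constructed stand-in) */\n"
GOOD_HEADER = b"<?php /* theme header.php (constructed stand-in) */ ?>\n<!doctype html>\n"
BASELINE = {
    "wp-cron.php": sha256_hex(GOOD_CRON),
    "wp-content/themes/active/header.php": sha256_hex(GOOD_HEADER),
}
CURRENT_FILES = {
    "wp-cron.php": GOOD_CRON + b"/* dropper appended here */\n",
    "wp-content/themes/active/header.php": GOOD_HEADER,
}

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print("plugin files:", suspicious_plugin_paths(SAMPLE_PLUGIN_DIR))
    print("modified:", modified_files(CURRENT_FILES, BASELINE))
```

For wp-cron.php the reference hash for the installed WordPress version can be checked with the core checksum verification in WP-CLI (`wp core verify-checksums`); header.php is theme code and has to be compared with a copy you trust, such as the theme's distribution archive. Treat `key` hits as low confidence on their own, since WordPress itself uses that parameter for password-reset links, and look at what else the same client did.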