CyberSecurity news
FlagThis
@securityonline.info
//
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.
The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.
Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.
ImgSrc: securityonline.
References :
The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.
Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.
ImgSrc: securityonline.
Share:
References :
- hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…
- securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
- www.bleepingcomputer.com: WordPress plugin disguised as a security tool injects backdoor
- The DefendOps Diaries: Protecting WordPress Sites from Malicious Plugin Campaigns
- BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
- Talkback Resources: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code [app] [mal]
- BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
- bsky.app: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
- The Hacker News: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
- BleepingComputer: WordPress plugin disguised as a security tool injects backdoor
- securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
- Talkback Resources: Talkback - Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
- Talkback Resources: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers [net] [mal]
- bsky.app: bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/
Classification:
- HashTags: #WordPress #Malware #Security
- Company: WordPress
- Target: WordPress Sites
- Product: WordPress
- Feature: Remote Code Execution
- Malware: WP-antymalwary-bot.php
- Type: Malware
- Severity: Major