Cybersecurity researchers have uncovered a new attack targeting WordPress websites, where attackers are disguising malicious software as a security plugin. This malware, known as “WP-antymalwary-bot.php,” has a range of features that allow attackers to maintain access, hide itself in the admin dashboard, and execute remote code.
According to Marco Wotschka from Wordfence, the plugin includes several malicious functions. These functions allow it to report to a command-and-control (C&C) server, spread malware to other directories, and inject malicious JavaScript responsible for delivering unwanted ads. It was first discovered in late January 2025 during a website cleanup effort, and new variants of the malware have since been detected.
The plugin goes by several other names, such as “plugin.php,” “wpconsole.php,” “wp-performance-booster.php,” and “scr.php.” Once installed and activated, it provides attackers with administrator access to the WordPress dashboard. Additionally, it uses the REST API to inject malicious PHP code into the theme header or clear cache from popular cache plugins, facilitating remote code execution.
The malware’s latest variant shows notable changes in how it handles code injection. It now fetches JavaScript from another infected domain to deliver ads or spam. The plugin also includes a malicious “wp-cron.php” file, which, if deleted from the plugin directory, automatically recreates itself when the site is next visited, ensuring the malware’s persistence.
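An added detection check (not Wordfence's code) that walks a WordPress install's plugins tree and flags the filenames the report associates with this plugin, plus any wp-cron.php living inside a plugin directory, where the legitimate core file never belongs. The demo site layout and the "wp-security" plugin directory name are constructed for the example.

```python
import os
import tempfile

# Filenames the article reports for the fake "anti-malware" plugin (compared case-insensitively).
# "plugin.php" is a noisy indicator on its own; treat a hit on it as a prompt for manual review.
SUSPICIOUS_PLUGIN_FILES = {
    "wp-antymalwary-bot.php",
    "plugin.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

def scan_plugins_dir(wp_root):
    """Return sorted (path, reason) findings for wp-content/plugins under wp_root."""
    findings = []
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in SUSPICIOUS_PLUGIN_FILES:
                findings.append((path, "filename matches reported malicious plugin"))
            elif lower == "wp-cron.php":
                # The real wp-cron.php sits in the site root; a copy here is the
                # self-recreating persistence file the report describes.
                findings.append((path, "wp-cron.php inside plugins tree"))
    return sorted(findings)

def build_demo_site():
    """Constructed WordPress-like tree: one benign plugin and one planted bad one."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "akismet"))
    os.makedirs(os.path.join(plugins, "wp-security"))  # constructed directory name
    open(os.path.join(plugins, "akismet", "akismet.php"), "w").close()
    open(os.path.join(plugins, "wp-security", "WP-antymalwary-bot.php"), "w").close()
    open(os.path.join(plugins, "wp-security", "wp-cron.php"), "w").close()
    open(os.path.join(root, "wp-cron.php"), "w").close()  # legitimate core file, not flagged
    return root

if __name__ == "__main__":
    for path, reason in scan_plugins_dir(build_demo_site()):
        print(f"{reason}: {path}")
```

A clean result from this check does not clear a site: the report notes renamed variants and injected theme and JavaScript code that a filename scan alone will not catch.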
While the exact infection and distribution method remains unclear, the presence of Russian-language comments and other Russian-language artifacts in the code strongly suggests that the attackers may be Russian-speaking. Separately, Sucuri, a website security company, revealed an additional campaign that uses a fake font domain to display fake payment forms on checkout pages, capturing user input and sending it to the attackers’ servers.
Other reported attacks include the use of JavaScript malware targeting Magento e-commerce portals. This sophisticated malware collects sensitive information by manipulating website traffic through malicious reverse proxy servers. Researchers have also found Google AdSense code being injected into over 17 WordPress sites to serve unwanted ads and steal ad revenue.
In addition, deceptive CAPTCHA validation scripts were discovered, tricking users into downloading Node.js-based backdoor programs. These backdoors collect system information, allow remote access, and deploy a Node.js Remote Access Trojan (RAT) to route malicious traffic through SOCKS5 proxies.
This campaign is attributed to a traffic distribution system (TDS) called Kongtuke, which is known by several other names such as 404 TDS, Chaya_002, LandUpdate808, and TAG-124. The malware’s capabilities allow it to conduct detailed system reconnaissance, execute remote commands, and maintain persistent access to compromised systems.
Overall, this growing cyber threat highlights the need for website owners to remain vigilant against malicious plugins and other attack vectors.