WordPress plugin disguised as a security tool injects backdoor

A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

According to Wordfence researchers, the malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection.

Wordfence first discovered the malware during a site cleanup in late January 2025, where it found a modified ‘wp-cron.php’ file, which creates and programmatically activates a malicious plugin named ‘WP-antymalwary-bot.php.’

Other plugin names used in the campaign include:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

If the plugin is deleted, wp-cron.php re-creates and reactivates it automatically on the next site visit.

Lacking server logs to help identify the exact infection chain, Wordfence hypothesizes the infection occurs via a compromised hosting account or FTP credentials.

Not much is known about the perpetrators, though the researchers noted that the command and control (C2) server is located in Cyprus, and there are characteristics similar to a June 2024 supply chain attack.

Once active on the server, the plugin performs a self-status check and then gives the attacker administrator access.

“The plugin provides immediate administrator access to threat actors via the emergency_login_all_admins function,” explains Wordfence in its writeup.

“This function uses the emergency_login GET parameter in order to allow attackers to obtain administrator access to the dashboard.”

“If the correct cleartext password is provided, the function fetches all administrator user data from the database, picks the first one, and logs the attacker in as that user.”

Next, the plugin registers an unauthenticated custom REST API route that allows the insertion of arbitrary PHP code into all active theme header.php files, clearing of plugin caches, and other commands processed via a POST parameter.

An updated version of the malware can also inject base64-decoded JavaScript into the site’s <head> section, likely for serving visitors ads, spam, or redirecting them to unsafe sites.

Apart from file-based indicators like the listed plugins, website owners should scrutinize their ‘wp-cron.php’ and ‘header.php’ files for unexpected additions or modifications.

Access logs containing ‘emergency_login,’ ‘check_plugin,’ ‘urlchange,’ and ‘key’ should also serve as red flags, warranting further investigation.
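The following script turns the two sets of indicators above (the dropped plugin file names and the suspicious query-parameter names) into a quick triage check. It is an added example written for this page, not code from Wordfence or from the article. It assumes Apache/nginx common or combined log format, matches on query-parameter names rather than raw substrings (so a search for the word "key" is not confused with the backdoor), and, as a judgement call of this example rather than a claim of the article, rates a hit on ‘key’ alone as lower confidence because WordPress’ own password-reset flow uses that parameter. The log lines and plugin paths are constructed samples.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article: plugin file names dropped by the campaign
# (compared case-insensitively) and query-parameter names seen when the
# backdoor is used.
MALICIOUS_PLUGIN_FILES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}
SUSPICIOUS_PARAMS = {"emergency_login", "check_plugin", "urlchange", "key"}
# "key" is a common parameter name (WordPress' password-reset flow uses it),
# so a hit on it alone is rated lower than the other three (this example's
# assumption, not something the article states).
HIGH_CONFIDENCE_PARAMS = SUSPICIOUS_PARAMS - {"key"}

# Apache/nginx common or combined log format; only the needed fields are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the interesting fields of one access-log line, or None if the
    line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Match on parameter *names*, not on substrings of the URL, so that a
    # site search for the word "key" (/?s=key) is not mistaken for the backdoor.
    query = urlsplit(entry["path"]).query
    entry["params"] = set(parse_qs(query, keep_blank_values=True))
    return entry


def flag_request(entry):
    """Return a finding dict if the request carries a suspicious parameter."""
    hits = entry["params"] & SUSPICIOUS_PARAMS
    if not hits:
        return None
    confidence = "high" if hits & HIGH_CONFIDENCE_PARAMS else "low"
    return {
        "ip": entry["ip"],
        "time": entry["time"],
        "path": entry["path"],
        "params": sorted(hits),
        "confidence": confidence,
    }


def scan_log(lines):
    """Run every line through the parser and collect the flagged requests."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = flag_request(entry)
        if finding:
            findings.append(finding)
    return findings


def find_malicious_plugin_files(paths):
    """Return the paths whose file name matches one of the campaign's plugin
    names, compared case-insensitively."""
    return [p for p in paths if os.path.basename(p).lower() in MALICIOUS_PLUGIN_FILES]


# Constructed sample log lines (not real traffic): two backdoor-style requests,
# one legitimate password reset that happens to use "key", and two benign hits.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2025:10:15:02 +0000] "GET /?emergency_login=REDACTED HTTP/1.1" 302 0',
    '203.0.113.7 - - [30/Jan/2025:10:15:09 +0000] "GET /?check_plugin=1 HTTP/1.1" 200 12',
    '192.0.2.10 - - [30/Jan/2025:10:20:44 +0000] "GET /?s=key HTTP/1.1" 200 5432',
    '192.0.2.11 - - [30/Jan/2025:10:21:03 +0000] "GET /wp-login.php?action=rp&key=abc123&login=editor HTTP/1.1" 200 3100',
    '198.51.100.4 - - [30/Jan/2025:10:22:15 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['ip']} {f['time']} {f['path']} params={f['params']}")
    plugin_dir = "/var/www/html/wp-content/plugins"  # placeholder; adjust to the site
    if os.path.isdir(plugin_dir):
        all_files = [os.path.join(d, n) for d, _, names in os.walk(plugin_dir) for n in names]
        for hit in find_malicious_plugin_files(all_files):
            print("malicious plugin file:", hit)
```

Run it against a real log with `scan_log(open("access.log"))`; a hit on ‘emergency_login’, ‘check_plugin’ or ‘urlchange’ is worth treating as a confirmed backdoor interaction, while ‘key’ hits need the surrounding request (path, referer, user) to rule out normal password resets. A file-name match is only a starting point, since the article notes wp-cron.php re-creates the plugin, so wp-cron.php and the theme header.php files need to be diffed against known-good copies as well.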