BACKGROUND
Researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.
The plugin, which goes by the name “WP-antymalwary-bot.php,” comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.
“Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads,” Wordfence’s Marco Wotschka said in a report.
First discovered during a site cleanup effort in late January 2025, the malware has since been detected in the wild with new variants. Some of the other names used for the plugin are listed below –
addons.php
wpconsole.php
wp-performance-booster.php
scr.php
EXPLOIT
Once installed and activated, it provides threat actors administrator access to the dashboard and makes use of the REST API to facilitate remote code execution by injecting malicious PHP code into the site theme’s header file or clearing the caches of popular caching plugins.
A new iteration of the malware includes notable changes to the manner code injections are handled, fetching JavaScript code hosted on another compromised domain to serve ads or spam.
The plugin is also complemented by a malicious wp-cron.php file, which recreates and reactivates the malware automatically upon the next site visit should it be removed from the plugins directory.