Cybersecurity researchers have identified a new malware campaign that targets WordPress sites with a fake security plugin, allowing threat actors to maintain access and execute code remotely. The campaign has used several malicious file names and has adapted its methods of code injection and persistence over time. While the exact initial breach process remains unclear, indications of Russian-speaking actors have emerged in association with this attack.
Key points:
- A malware campaign targets WordPress sites using a fake security plugin named “WP-antymalwary-bot.php” to gain administrator access.
- The malware includes features for remote code execution and the ability to inject malicious JavaScript for ad serving.
- Other variants of the malware are known by names such as addons.php, wpconsole.php, and wp-performance-booster.php, among others.
- A malicious wp-cron.php file ensures that the malware reactivates if removed from the plugins directory.
- Russian language comments in the malware code suggest a Russian-speaking threat actor behind the campaign.
- Sucuri's reports on related attacks include a fake payment form used in a web skimmer campaign to harvest sensitive user data.
- Threat actors have injected Google AdSense code into various WordPress sites to generate illicit ad revenue.
- Deceptive CAPTCHA verifications have been employed to trick users into downloading Node.js-based backdoors for system exploitation.
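The key points above give defenders two concrete checks: the reported fake-plugin file names under wp-content/plugins, and a wp-cron.php that no longer matches a clean copy (the reactivation mechanism). The scanner below is an added example, not code from the article or from the researchers it cites; it builds a constructed sample site in a temporary directory, and the known-good wp-cron.php hash is assumed to be supplied by the operator from a clean WordPress release of the same version.

```python
import hashlib
import tempfile
from pathlib import Path

# File names reported for this campaign (taken from the key points above).
SUSPECT_PLUGIN_FILES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
}

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_wordpress(root: Path, known_good_wp_cron_sha256: str) -> list:
    """Return findings: suspect file names anywhere under wp-content/plugins, plus a
    wp-cron.php whose hash differs from the operator-supplied known-good hash."""
    findings = []
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for path in plugins_dir.rglob("*.php"):
            if path.name.lower() in SUSPECT_PLUGIN_FILES:
                findings.append(f"suspect plugin file: {path.relative_to(root)}")
    wp_cron = root / "wp-cron.php"
    if wp_cron.is_file() and sha256_file(wp_cron) != known_good_wp_cron_sha256:
        findings.append("wp-cron.php differs from known-good copy (possible reactivation hook)")
    return findings

def build_sample_site(root: Path) -> str:
    """Constructed demo layout (not a real site); returns the clean wp-cron.php hash."""
    clean_cron = b"<?php\n// constructed stand-in for the core wp-cron.php\n"
    benign = root / "wp-content" / "plugins" / "hello-dolly"
    benign.mkdir(parents=True)
    (benign / "hello.php").write_text("<?php // benign plugin\n")
    # Constructed: the fake plugin dropped directly into the plugins directory.
    (root / "wp-content" / "plugins" / "WP-antymalwary-bot.php").write_text("<?php // suspect\n")
    # Constructed: wp-cron.php altered, standing in for the reactivation logic the report describes.
    (root / "wp-cron.php").write_bytes(clean_cron + b"// extra code appended\n")
    return hashlib.sha256(clean_cron).hexdigest()

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return scan_wordpress(root, build_sample_site(root))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a live site, pass the document root and a hash computed from the matching clean WordPress release; a hit on wp-cron.php alone is worth a diff against that clean copy before removing any plugin file, since the report states the cron hook re-creates the plugin.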
Read More: https://thehackernews.com/2025/05/fake-security-plugin-on-wordpress.html