Malicious WordPress Plugin Masquerades as Security Tool in New Malware Campaign

Listen to this Post

Featured Image

Introduction

A dangerous new malware campaign is targeting WordPress websites using a stealthy and deceptive method: a fake security plugin. Cybersecurity experts from Wordfence have uncovered this sophisticated threat, which tricks site administrators into installing a malicious plugin that grants attackers unauthorized access while remaining completely hidden from view. This campaign, first identified in January 2025, uses modified system files and persistent tactics to reinstate itself even after deletion, making it especially difficult to remove. As WordPress remains one of the most widely used content management systems globally, this new vector of attack raises serious concerns for website owners, developers, and security professionals.

Key Findings and Overview (Digest-style: )

  • A malware campaign has been found targeting WordPress websites with a plugin disguised as a legitimate security tool.
  • Discovered by Wordfence researchers during a routine site cleanup in January 2025.
  • Central to the campaign is a modified wp-cron.php file, which auto-generates and activates a malicious plugin named WP-antymalwary-bot.php.
  • Other variants include plugins like addons.php, wpconsole.php, wp-performance-booster.php, and scr.php.
  • The malware plugin remains invisible from the WordPress plugin dashboard to evade detection.
  • When deleted, the malware is reinstalled automatically upon the next site visit using the hijacked wp-cron.php script.
  • The method of infection is not fully known; it’s speculated that attackers exploited compromised hosting accounts or stolen FTP credentials.
  • The malware grants attackers persistent administrator access through a backdoor login mechanism.
  • Specifically, it uses an emergency_login_all_admins function tied to a GET parameter to access admin accounts.
  • Attackers can login by passing a correct plaintext password and hijack an admin session.
  • Additionally, a REST API route is registered by the malware for remote PHP injection.
  • This route allows arbitrary code execution, cache clearing, and manipulation of the header.php file in all active themes.
  • In more advanced variants, base64-encoded JavaScript is injected into the site’s <head> section.
  • This can result in adware delivery, user redirection to malicious sites, or data harvesting.
  • The malware campaign uses a command and control (C2) server reportedly located in Cyprus.
  • Researchers suspect links to a similar supply chain attack observed in June 2024.
  • Infection indicators include unusual entries in wp-cron.php and unexpected code in header.php.
  • Access logs may also show red flags like emergency_login, check_plugin, urlchange, and key.
  • The campaign is particularly dangerous due to its stealth, persistence, and ease of reinfection.
  • The fake plugin is not visible via standard WordPress admin panels.
  • Admin credentials are exploited in real-time, leaving site owners unaware.
  • JavaScript injection increases the risk of data breaches and SEO poisoning.
  • Lack of server logs makes it hard to trace the initial attack vector.

– Malware ensures admin-level access is continuously maintained.

  • It manipulates both backend functionality and front-end display.
  • Plugin cache clearing is part of its self-preservation mechanism.
  • This campaign raises new alarms about the growing complexity of WordPress-focused threats.
  • Website administrators are urged to conduct file integrity checks regularly.
  • Affected sites may experience reputation damage and SEO penalties.
  • Stronger file monitoring and admin access controls are now more critical than ever.

What Undercode Say: (Analytical Perspective – 40 Lines)

This new campaign represents a dangerous evolution in WordPress malware. It highlights how attackers are refining their methods by combining persistent infections with deception and invisibility. The fact that the plugin mimics a security tool is psychologically manipulative—leveraging users’ desire to protect their site as a vector to compromise it.

The reactivation mechanism through the wp-cron.php file is particularly sophisticated. Normally used for scheduling tasks in WordPress, hijacking this script allows attackers to ensure long-term control, even after supposed “removal” by a site owner. This technique also shows a deep understanding of WordPress internals and its automation lifecycle.

The malware’s ability to stay hidden from the plugin dashboard sets it apart from traditional threats. Standard security plugins often scan visible files and known plugin folders. However, this campaign cleverly bypasses those detection methods by embedding the plugin in unexpected paths and leveraging existing core files like wp-cron.php.

Perhaps more alarming is the REST API exploitation. Modern WordPress themes and plugins increasingly depend on REST APIs, and threat actors are now using these endpoints for malicious code injection. This is a shift from older malware that simply modified static HTML or PHP files.

The command to inject arbitrary PHP via a custom REST route, without any authentication, is catastrophic. It opens the door for attackers to modify content, insert crypto miners, or even use the compromised site as a launchpad for further attacks. And since these changes are executed at the theme level (header.php), they impact every visitor to the site.

Moreover, injecting base64-decoded JavaScript into the <head> of the site leads to dangerous outcomes such as phishing, clickjacking, or malware distribution. It can also be used to redirect high-value traffic to scam sites, costing legitimate businesses revenue and reputation.

The use of emergency_login_all_admins further illustrates the threat’s calculated nature. By exploiting the database to extract admin credentials and login silently, attackers essentially bypass all front-end security barriers, including two-factor authentication, if not server-side enforced.

What’s striking is the campaign’s resilience. Even if detected, removal is difficult without full knowledge of how the backdoor regenerates itself. The cleanup process must include identifying the altered wp-cron.php, restoring original core files, removing malicious plugin remnants, and resetting all admin credentials.

This also underlines the importance of version control and file comparison tools in managing a secure WordPress site. Malware like this thrives in environments where file changes go unnoticed.

Hosting companies also play a pivotal role. If the infection route indeed includes FTP compromise, then hosts need to enforce stronger access controls and better anomaly detection.

In conclusion, this campaign is a wake-up call: relying solely on traditional security measures is no longer enough. Proactive file integrity scanning, regular audits of user access, and better REST API restrictions must become standard practice for WordPress site owners in 2025 and beyond.

Fact Checker Results

  • The malware was independently confirmed by Wordfence during live investigations.
  • Infection indicators and plugin names match prior reports from similar campaigns.
  • The C2 infrastructure and behaviors align with known advanced persistent threat (APT) tactics.

Prediction

As WordPress continues to dominate the CMS market, attackers will escalate their tactics, focusing on plugins and automation scripts as primary attack vectors. We expect a rise in malware that exploits the REST API and self-replicating techniques through scheduled tasks like wp-cron.php. Future variants may include AI-driven behavior that dynamically adjusts code to evade new detection methods, making zero-trust architecture and behavior-based scanning indispensable in 2025 and beyond.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.instagram.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram