
Cybersecurity researchers have recently uncovered a new campaign aimed at WordPress sites, wherein malware masquerades as a security plugin, specifically named "WP-antymalwary-bot.php." This malicious plugin boasts features designed to provide ongoing access, conceal itself from site administrators, and execute remote code.
Marco Wotschka of Wordfence reported that the plugin contains functions for communicating with a command-and-control server, code for spreading the malware to other directories, and code that injects malicious JavaScript to serve ads. Since its initial discovery during a site cleanup in late January 2025, several variants have been observed circulating under other names, including addons.php, wpconsole.php, and wp-performance-booster.php.
Once installed and activated, the plugin grants the attackers full administrator access to the dashboard and uses the REST API to facilitate remote code execution, embedding malicious PHP code into the theme's header file, and to purge the caches of popular caching plugins.
In a concerning evolution of this malware, the latest versions implement advanced methods for conducting code injections, such as retrieving JavaScript from compromised external domains to deliver ads or spam. Additionally, it is accompanied by a harmful wp-cron.php file that can recreate and reactivate the malware upon the next site visit if it has been removed.
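As an added illustration of how a defender might triage a site for the indicators described above (this is example code, not from the report or from Wordfence; the directory layout, the regex heuristics and the constructed sample install are assumptions):

```python
import re
import tempfile
from pathlib import Path

# File names this campaign has used for its fake plugin (from the report above).
KNOWN_NAMES = {"wp-antymalwary-bot.php", "addons.php",
               "wpconsole.php", "wp-performance-booster.php"}
# PHP constructs that have no business in a theme's header.php and merit review
# (assumed heuristics, not a signature published with the report).
SUSPICIOUS_PHP = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\("
    r"|file_get_contents\s*\(\s*['\"]https?://", re.I)


def scan_site(root):
    """Return sorted (indicator, relative_path) pairs for a WordPress install."""
    root = Path(root)
    findings = []
    plugins = root / "wp-content" / "plugins"
    for path in (plugins.rglob("*.php") if plugins.is_dir() else []):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_NAMES:
            findings.append(("known-filename", rel))
        # The genuine wp-cron.php lives only in the site root; a copy under a
        # plugin directory matches the persistence helper described above.
        if path.name.lower() == "wp-cron.php":
            findings.append(("misplaced-wp-cron", rel))
    themes = root / "wp-content" / "themes"
    for header in (themes.rglob("header.php") if themes.is_dir() else []):
        if SUSPICIOUS_PHP.search(header.read_text(errors="replace")):
            findings.append(("suspicious-header",
                             header.relative_to(root).as_posix()))
    return sorted(findings)


def demo():
    """Build a constructed sample install (clean and infected parts) and scan it."""
    files = {
        "wp-cron.php": "<?php // genuine core file\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // benign plugin\n",
        "wp-content/plugins/wp-performance-booster.php": "<?php // fake plugin\n",
        "wp-content/plugins/wp-performance-booster/wp-cron.php": "<?php // dropper\n",
        "wp-content/themes/clean/header.php": "<?php wp_head(); ?>\n",
        "wp-content/themes/infected/header.php":
            "<?php wp_head(); ?>\n<?php eval(base64_decode('PLACEHOLDER')); ?>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_site(root)
```

Every hit is a lead for manual review, not a verdict; compare flagged files against a known-good copy of the theme or plugin before acting.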
At present, the specific methods used to breach these sites remain unclear, as do the identities of the attackers. However, the presence of comments and messages in the Russian language suggests that the perpetrators may be Russian-speaking individuals.
This disclosure has occurred alongside reports from Sucuri, which highlighted a separate web skimming campaign utilizing a counterfeit fonts domain called "italicfonts.org" to trick users into entering their payment information on checkout pages. Another report detailed a multi-stage attack targeting Magento e-commerce platforms, where attackers injected JavaScript malware designed to exfiltrate sensitive data like credit card details and login credentials.
Adding further complexity to the threat landscape, malicious actors have been seen embedding Google AdSense code into at least 17 WordPress sites with the intent to hijack ad revenue. These attackers exploit the site’s resources to serve their ads and potentially profit from any ad revenue that the site owner would typically earn.
Moreover, deceptive CAPTCHA verifications on compromised websites have led users to inadvertently download and execute Node.js-based backdoors. These backdoors collect system information, enable remote access, and deploy a Node.js remote access Trojan (RAT) that tunnels malicious traffic through SOCKS5 proxies.
Trustwave SpiderLabs attributed this activity to a traffic distribution system (TDS) known as Kongtuke, which is tracked under several aliases. The dropped JavaScript functions as a multi-purpose backdoor, performing detailed system reconnaissance and executing remote commands, which gives the attackers continued covert access to compromised systems.