Plugin Attack: Hackers Hijack WordPress Sites via Fake Security Tool

Swagta Nath

A newly discovered malware campaign is compromising WordPress websites by disguising malicious code as a security plugin. The fraudulent plugin, “WP-antymalwary-bot.php,” pretends to offer protection but instead delivers a full suite of backdoor tools, allowing threat actors to retain access, hide from detection, and remotely execute code via the WordPress REST API.

According to a report by Wordfence researcher Marco Wotschka, the malware was first uncovered in January 2025 during a routine site cleanup. Since then, several new variants have been observed in the wild, operating under aliases such as:

  • addons.php

  • wpconsole.php

  • wp-performance-booster.php

  • scr.php

Once activated, the plugin grants hackers administrator-level access, manipulates caching plugins, and injects malicious PHP code into theme header files. To maintain persistence, it deploys a rogue wp-cron.php file that automatically reinstalls the malware if it is deleted, so the infection is reactivated on the next visit to the site.


Notably, newer versions of the malware also inject JavaScript ads or spam sourced from other compromised domains, suggesting monetization via click fraud or malvertising.

Advanced Carding Attacks and Skimmers Also Plague E-Commerce Portals

The fake plugin campaign forms part of a broader surge in web-based threats, with attackers also targeting Magento e-commerce sites using advanced card skimmers. Security firm Sucuri detailed a separate campaign in which a fake font resource, italicfonts[.]org, displays fraudulent payment forms on checkout pages, harvesting sensitive customer data including credit card details and login credentials.

Another variant involved a fake GIF file that functioned as a reverse proxy, collecting data from website visitors by leveraging sessionStorage, intercepting traffic, and stealing browser cookies. The GIF, though appearing harmless, is actually a PHP script cloaked to bypass detection.

These attacks have evolved into multi-stage carding operations, with malicious JavaScript embedded into checkout flows to discreetly siphon information and exfiltrate it to external servers controlled by attackers.

Ad Injection and RAT Campaigns Expand the Threat Surface

In another alarming development, researchers from Trustwave SpiderLabs uncovered attempts to inject Google AdSense code into at least 17 WordPress websites. The objective: to hijack ad impressions and steal revenue by displaying their own ads using Google’s infrastructure. According to researcher Puja Srivastava, this move could undermine monetization efforts for legitimate site owners.

Additionally, deceptive CAPTCHA prompts on compromised websites have been found to serve Node.js-based backdoors, ultimately deploying remote access trojans (RATs). These backdoors are capable of:

  • System reconnaissance

  • Remote command execution

  • Tunneling traffic through SOCKS5 proxies

This activity has been traced to a Traffic Distribution System (TDS) dubbed Kongtuke (also known as 404 TDS, Chaya_002, TAG-124, and LandUpdate808). Once the RAT is active, attackers gain persistent, covert access to infected machines, further expanding the breach potential across networks.

The Bigger Picture: Cybersecurity Experts Urge Caution and Proactive Defense

While the identities of the attackers remain unconfirmed, the presence of Russian language within code comments points to possible links with Russian-speaking threat actors. The interconnected nature of these threats — spanning from WordPress plugins to advanced carding on Magento — illustrates how modern cybercrime operations blend technical sophistication with social engineering.

Experts advise WordPress site owners and developers to:

  • Avoid installing unverified plugins

  • Monitor server logs and cron jobs

  • Use Web Application Firewalls (WAFs)

  • Regularly scan themes and headers for code injection

  • Implement multi-layered cybersecurity protocols
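The indicators the article names (the plugin filename and its aliases, a rogue wp-cron.php used for persistence, code injected into theme header files, and an image file that is really a PHP script) can be turned into a read-only triage check. The script below is an added example, not code from the article, Wordfence or Sucuri. The filename list comes from the article; the obfuscation markers it looks for in header.php and the "PHP tag inside an image file" check are common heuristics added here as assumptions, so a hit is a lead for manual review, not proof of compromise. The demo site tree is constructed in a temporary directory so the script runs offline.

```python
"""Read-only triage scan of a WordPress tree for the indicators in the article.

Added example; not the Wordfence/Sucuri tooling. Reports, never deletes.
"""
import re
import tempfile
from pathlib import Path

# Filenames the campaign was seen using (from the article). Compared
# case-insensitively. A match is a lead: a legitimate plugin could also
# ship an addons.php, so review before acting.
KNOWN_BAD_NAMES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

# Heuristic markers for injected/obfuscated PHP (assumption, not from the
# article). Legitimate themes very rarely call these from header.php.
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

IMAGE_SUFFIXES = {".gif", ".png", ".jpg", ".jpeg"}


def scan_wordpress_tree(root):
    """Walk a WordPress install and return a sorted list of (indicator, path)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()

        if name in KNOWN_BAD_NAMES:
            findings.append(("known-bad-filename", rel))

        # The real wp-cron.php lives only in the site root; copies elsewhere
        # match the persistence trick the article describes.
        if name == "wp-cron.php" and path.parent != root:
            findings.append(("rogue-wp-cron", rel))

        # Theme header.php is where the article says PHP gets injected.
        if name == "header.php" and "wp-content/themes/" in rel:
            text = path.read_text(errors="replace")
            if OBFUSCATION_RE.search(text):
                findings.append(("theme-header-obfuscation", rel))

        # An "image" that is actually PHP (the fake-GIF trick from the
        # Magento campaign): a PHP open tag in the first 4 KiB.
        if path.suffix.lower() in IMAGE_SUFFIXES:
            head = path.read_bytes()[:4096]
            if b"<?php" in head:
                findings.append(("php-in-image", rel))
    return sorted(findings)


def build_demo_site():
    """Create a constructed, minimal WordPress-like tree in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-cron.php": "<?php // legitimate core file (constructed)\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // benign plugin (constructed)\n",
        "wp-content/plugins/WP-antymalwary-bot.php": "<?php // constructed sample, inert\n",
        "wp-content/plugins/scr.php": "<?php // constructed sample, inert\n",
        "wp-content/uploads/wp-cron.php": "<?php // constructed rogue copy, inert\n",
        "wp-content/uploads/banner.gif": "<?php // constructed: PHP behind a .gif name\n",
        "wp-content/uploads/real.gif": "GIF89a\x01\x00\x01\x00",
        "wp-content/themes/twentytwentyfour/header.php":
            "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n<!DOCTYPE html>\n",
        "wp-content/themes/clean/header.php": "<!DOCTYPE html><head></head>\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


def demo():
    """Scan the constructed site and return its findings."""
    return scan_wordpress_tree(build_demo_site())


if __name__ == "__main__":
    for indicator, rel in demo():
        print(f"{indicator:26} {rel}")
```

Point `scan_wordpress_tree()` at a real document root (ideally a copy taken for forensics) rather than the demo tree; it only reads files, so it is safe to run on a live site, but pair it with a review of the site's cron entries and recent access logs, which the article's advice also calls for.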

As attackers continue to blend malware distribution, financial fraud, and information theft, the digital landscape demands vigilant and continuous defense.
