
Malware Disguised as WordPress Security Plugin Targets Site Admins

Cybersecurity researchers have uncovered a new malicious campaign targeting WordPress websites by disguising malware as a legitimate security plugin.



Cybersecurity researchers have uncovered a new malicious campaign targeting WordPress websites by disguising malware as a legitimate security plugin. This threat enables attackers to hijack websites, maintain persistence, and inject malicious ads, all while staying hidden from administrators.

Discovery of the Threat

First identified in January 2025 during a routine site cleanup, the fake plugin was found operating under several deceptive names, including:

  • WP-antymalwary-bot.php

  • addons.php

  • wpconsole.php

  • wp-performance-booster.php

  • scr.php

Once activated, the plugin gives attackers full administrative access and allows them to execute remote code.

Key Capabilities of the Malware

According to Wordfence researcher Marco Wotschka, this fake plugin is equipped with a variety of dangerous capabilities:

  • Command-and-Control (C2): Communicates with a remote server to receive further instructions and payloads.

  • Remote Code Execution: Uses the WordPress REST API to inject PHP code into theme files like header.php.

  • Persistence: Drops a malicious wp-cron.php file that reinstalls the malware if it’s deleted.

  • Ad Injection: Injects JavaScript to serve unauthorized ads, often hosted on other compromised domains.

  • Stealth: Hides itself from the WordPress admin dashboard.

These tactics make it difficult for site owners to detect the infection, even as their site is being exploited.

Evidence of Russian Involvement

While attribution remains speculative, the presence of Russian-language comments within the code suggests that Russian-speaking threat actors may be behind the campaign.

Broader Threat Landscape

This campaign is part of a wider trend involving increasingly sophisticated malware targeting CMS platforms:

Web Skimmers on Checkout Pages

  • Fake domain: italicfonts[.]org used to steal customer data.

  • Target: Online stores during the checkout process.

Advanced Carding on Magento

  • JavaScript-based malware captures:

    • Credit card numbers

    • Login credentials

    • Cookies and session data

  • Delivered via fake GIF files acting as reverse proxies.

Google AdSense Hijacking

  • At least 17 WordPress sites had their AdSense IDs replaced by attackers.

  • This allows criminals to siphon off ad revenue from legitimate publishers.

Deceptive CAPTCHA and Node.js Backdoors

  • Users are tricked into downloading Node.js-based remote access trojans (RATs).

  • These backdoors can:

    • Tunnel traffic through SOCKS5 proxies

    • Collect system information

    • Enable persistent remote access

This particular campaign has been linked to the Kongtuke traffic distribution system (TDS)—also known as 404 TDS, Chaya_002, and TAG-124.

How to Protect Your WordPress Site

To defend against this and similar attacks, WordPress site administrators should:

  • Audit Plugins Frequently: Remove unused or unfamiliar plugins.

  • Monitor File Changes: Use security plugins that alert you to unauthorized modifications.

  • Secure REST API Access: Limit and monitor API interactions.

  • Inspect Cron Jobs: Review wp-cron.php and server crontabs for hidden tasks.

  • Apply Regular Updates: Keep WordPress core, themes, and plugins up to date.
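The first three recommendations (plugin audit, file-change monitoring, cron inspection) can be started with a simple file-integrity check. The script below is an added example written for this page, not code from the article or from Wordfence: it hashes every file under a WordPress root, flags the file names listed above, and reports files added or modified since a known-good baseline. The sample site it builds is constructed for the demonstration (placeholder file contents; placing the dropped wp-cron.php under mu-plugins is an assumption, the article does not state its location).

```python
import hashlib
import os
import tempfile

# File names the article lists for the fake plugin; matched case-insensitively.
KNOWN_BAD_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                   "wp-performance-booster.php", "scr.php"}

def build_baseline(root):
    """Snapshot every file under root as {relative path (forward slashes): SHA-256 hex}."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                baseline[rel] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def scan_site(root, baseline):
    """Diff the live tree against a known-good baseline and flag the listed file names.
    Returns {"known_bad": [...], "added": [...], "modified": [...]} (relative paths)."""
    current = build_baseline(root)
    return {
        "known_bad": sorted(r for r in current if os.path.basename(r).lower() in KNOWN_BAD_NAMES),
        "added": sorted(r for r in current if r not in baseline),
        "modified": sorted(r for r in current if r in baseline and baseline[r] != current[r]),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)

def build_sample_site():
    """Constructed WordPress-like tree: clean files, a baseline snapshot, then the kind of
    tampering the article describes. Returns (root, clean_baseline)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    write(root, "wp-content/themes/demo/header.php", "<?php wp_head(); ?>\n")
    write(root, "wp-content/plugins/real/real.php", "<?php // legitimate plugin\n")
    clean = build_baseline(root)
    # Fake plugin file, theme header with an injected line, and a dropped wp-cron.php.
    # Contents are placeholders; the mu-plugins location is an assumption for this example.
    write(root, "wp-content/plugins/WP-antymalwary-bot.php", "<?php // placeholder\n")
    write(root, "wp-content/themes/demo/header.php",
          '<?php wp_head(); ?>\n<script src="https://ads.example.invalid/a.js"></script>\n')
    write(root, "wp-content/mu-plugins/wp-cron.php", "<?php // placeholder re-installer\n")
    return root, clean
```

Calling `scan_site(*build_sample_site())` reports the fake plugin under known_bad, the plugin file and the dropped wp-cron.php under added, and the theme header.php under modified. A baseline taken from an already-infected site hides the drift, so the snapshot must come from a clean install or a trusted backup.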

Final Thoughts

This campaign underscores the evolving nature of WordPress-targeted malware. By appearing as helpful tools, attackers trick site owners into handing over full control. With fake plugins, persistent cron jobs, and ad-injection tactics, these threats require constant vigilance and proactive security measures.

If your website runs on WordPress, now is the time to audit your environment and ensure strong defenses are in place.