Security researchers at Wordfence have identified a new, sophisticated malware strain masquerading as a legitimate WordPress security plugin, according to a report by Cybersecurity News.
Disguised under names such as WP-antymalwary-bot.php and wp-performance-booster.php, the malicious plugin provides attackers with covert, ongoing access to infected websites. Its functions include remote code execution, administrator privilege escalation, malicious JavaScript injection, and communication with a command-and-control server based in Cyprus. The malware transmits the compromised site's URL and a timestamp every minute, allowing threat actors to maintain a real-time list of active infections. Initially discovered during a site cleanup on January 22, 2025, the malware was noted for mimicking the structure of legitimate plugins. It maintains persistence by altering the WordPress wp-cron.php file, which automatically reinstalls the malicious plugin if it is removed. It also avoids detection by hiding itself from the dashboard and includes an emergency login mechanism that uses a predefined password to hijack the first administrator account it identifies.
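As an added defender-side example (not code from the Wordfence report or from the malware), the following triage script checks a WordPress install for the two infection signs the report names: plugin files with the reported names, and a wp-cron.php that contains file-writing or plugin-name references a stock copy never has. The tamper patterns are an assumption for this example, not a Wordfence signature, and the sample site it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Plugin file names the report associates with this campaign
SUSPICIOUS_PLUGIN_NAMES = {"wp-antymalwary-bot.php", "wp-performance-booster.php"}

# Heuristic patterns a stock wp-cron.php does not contain (assumption for this
# example, not a vendor signature). A hit means "inspect", not "confirmed".
CRON_TAMPER_PATTERNS = [
    r"file_put_contents\s*\(", r"\bcopy\s*\(", r"base64_decode\s*\(",
    r"curl_exec\s*\(", r"wp-antymalwary-bot|wp-performance-booster",
]


def scan_wordpress_root(root):
    """Return (finding, relative_path) tuples for the install rooted at `root`."""
    root = Path(root)
    findings = []
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for path in plugins_dir.rglob("*.php"):
            if path.name.lower() in SUSPICIOUS_PLUGIN_NAMES:
                findings.append(("known_malicious_plugin_name",
                                 str(path.relative_to(root))))
    cron = root / "wp-cron.php"
    if cron.is_file():
        text = cron.read_text(errors="replace")
        for pattern in CRON_TAMPER_PATTERNS:
            if re.search(pattern, text, re.IGNORECASE):
                findings.append(("wp-cron.php_tampering:" + pattern, "wp-cron.php"))
    return findings


def build_constructed_sample(base, infected):
    """Write a constructed, minimal WordPress-like tree (stand-ins, not real malware)."""
    base = Path(base)
    plugins = base / "wp-content" / "plugins"
    plugins.mkdir(parents=True)
    cron = "<?php\n// constructed stand-in for the stock cron code\n"
    if infected:
        (plugins / "wp-performance-booster.php").write_text("<?php // stand-in\n")
        # The reinstall-on-removal behaviour the report describes, reduced to a file copy
        cron += ("if (!file_exists(WP_PLUGIN_DIR . '/wp-performance-booster.php')) {\n"
                 "    copy('/tmp/staged.php', WP_PLUGIN_DIR . '/wp-performance-booster.php');\n}\n")
    (base / "wp-cron.php").write_text(cron)


def demo(infected=True):
    """Build the constructed sample and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp, infected)
        return scan_wordpress_root(tmp)
```

Point `scan_wordpress_root` at a real document root to run the same checks there; on a clean install it returns an empty list.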