WordPress Malware Plugin Grants Hackers Full Access

Cybersecurity researchers have uncovered a new wave of attacks targeting WordPress websites. A fake plugin named “WP-antymalwary-bot.php” is at the center of the campaign, posing as a security tool while silently granting attackers full access to infected sites.

The malware hides from the WordPress dashboard, maintains persistent access, and allows for remote code execution. Researchers at Wordfence found the plugin during a cleanup operation in January 2025. Since then, the malware has evolved and surfaced in new forms.

Stealthy Plugin Installs Backdoor, Injects Ads, and Evades Detection

Once installed, the plugin gives threat actors administrator access. It abuses the WordPress REST API to inject malicious PHP code into theme files such as header.php, and it clears the caches of popular caching plugins so that the injected code is served immediately rather than a stale cached copy of the page.

Besides WP-antymalwary-bot.php, the same plugin has been seen under several other file names, including:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

All of these variants give the attackers remote code execution and control over the infected site. The malware also reports back to a command-and-control (C&C) server, which lets its operators push updates and have it copy itself into other directories. Some versions additionally inject JavaScript that serves unwanted ads to visitors.

Newer versions fetch that JavaScript from compromised domains to deliver ads or spam, an indication that the operators are actively maintaining the toolkit.

The plugin is usually not the only component. A malicious wp-cron.php file often accompanies it and automatically recreates and reactivates the plugin if it is deleted, so removing the plugin files alone does not clear the infection.
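As an added triage helper (not Wordfence's code, nor part of the original report), the script below walks a WordPress tree offline and flags the three on-disk indicators described above: PHP files carrying one of the listed plugin file names, theme header.php files containing injected PHP, and a wp-cron.php that activates plugins or writes files. The injection regexes are generic web-shell idioms rather than signatures from this campaign, the wp-cron.php heuristic is an assumption about how the reinstall behaviour would look on disk, and the mock site it scans by default is constructed in a temporary directory.

```python
"""Offline triage of a WordPress tree for the indicators described in the article.

Added example, not Wordfence's code.  Everything here is a heuristic: a hit means
"look at this file by hand", and a clean run proves nothing.
"""
from __future__ import annotations

import json
import re
import sys
import tempfile
from pathlib import Path

# File names the article lists for the fake plugin and its aliases (lower-cased).
PLUGIN_ALIASES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Generic indicators of injected PHP in theme files.  Assumption: these are
# common web-shell idioms, not signatures taken from this campaign.
HEADER_INDICATORS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("remote_fetch", re.compile(rb"\bfile_get_contents\s*\(\s*['\"]https?://")),
    ("rest_route_in_theme", re.compile(rb"\bregister_rest_route\s*\(")),
]

# Stock wp-cron.php only dispatches scheduled events; it never activates plugins
# or writes files.  A wp-cron.php that does so matches the reinstall-on-delete
# behaviour the article describes (assumption about how to recognise it).
CRON_INDICATORS = [
    ("activate_plugin", re.compile(rb"(?<![A-Za-z_])activate_plugin\s*\(")),
    ("writes_file", re.compile(rb"\b(?:file_put_contents|copy|fwrite)\s*\(")),
]


def _matches(data: bytes, indicators) -> list[str]:
    """Names of the indicators whose regex matches the file content."""
    return [name for name, rx in indicators if rx.search(data)]


def scan_plugin_aliases(wp_root: Path) -> list[str]:
    """PHP files anywhere under the install whose name matches a known alias."""
    return sorted(
        p.relative_to(wp_root).as_posix()
        for p in wp_root.rglob("*.php")
        if p.name.lower() in PLUGIN_ALIASES
    )


def scan_theme_headers(wp_root: Path) -> dict[str, list[str]]:
    """header.php of every installed theme, with the indicators each one trips."""
    themes = wp_root / "wp-content" / "themes"
    if not themes.is_dir():
        return {}
    findings = {}
    for p in themes.rglob("header.php"):
        hits = _matches(p.read_bytes(), HEADER_INDICATORS)
        if hits:
            findings[p.relative_to(wp_root).as_posix()] = hits
    return findings


def scan_wp_cron(wp_root: Path) -> list[str]:
    """Persistence indicators in the root wp-cron.php (empty list if none or missing)."""
    cron = wp_root / "wp-cron.php"
    return _matches(cron.read_bytes(), CRON_INDICATORS) if cron.is_file() else []


def run_triage(wp_root: Path) -> dict:
    return {
        "plugin_aliases": scan_plugin_aliases(wp_root),
        "theme_headers": scan_theme_headers(wp_root),
        "wp_cron": scan_wp_cron(wp_root),
    }


def build_demo_site(root: Path) -> None:
    """Constructed mock install: one clean theme, one infected theme, a fake
    plugin under one of the listed names, and a wp-cron.php that re-activates it."""
    def write(rel: str, text: str) -> None:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(text)

    write("wp-content/plugins/akismet/akismet.php", "<?php // legitimate plugin stub\n")
    write("wp-content/plugins/wp-antymalwary-bot/WP-antymalwary-bot.php",
          "<?php // fake 'security' plugin stub (constructed)\n")
    write("wp-content/themes/clean/header.php",
          "<?php /* clean theme header */ ?>\n<!DOCTYPE html>\n<head><?php wp_head(); ?></head>\n")
    write("wp-content/themes/infected/header.php",
          "<?php if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); } ?>\n"
          "<!DOCTYPE html>\n<head><?php wp_head(); ?></head>\n")
    write("wp-cron.php",
          "<?php\n// (stock cron dispatch code abbreviated)\n"
          "require_once ABSPATH . 'wp-admin/includes/plugin.php';\n"
          "activate_plugin('wp-antymalwary-bot/WP-antymalwary-bot.php');\n")


def demo() -> dict:
    """Build the constructed site in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_site(root)
        return run_triage(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(json.dumps(run_triage(target) if target else demo(), indent=2))
```

Run it with the WordPress root as its only argument to scan a real install; with no argument it scans the constructed mock site. Because the plugin hides itself from the dashboard plugin list, on-disk enumeration like this is the right starting point, but every hit is a lead for manual review and a clean run is not a clean bill of health.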

The initial access vector is not known. Russian-language comments in the code suggest the operators may be Russian speakers.

Other Threats Target Magento Sites, WordPress Checkout Pages

The disclosure comes amid other active campaigns against websites. Website security firm Sucuri reported a web skimmer that uses the spoofed domain italicfonts[.]org to load a fake payment form on e-commerce checkout pages and harvest card data, which is then exfiltrated to an attacker-controlled server.

In a separate case, researchers uncovered a multi-stage carding attack on Magento sites. The attackers used JavaScript malware to steal login credentials, payment card data, cookies and other session data.

According to researcher Ben Martin, a file disguised as a GIF image was in fact a PHP reverse proxy. It captured website traffic, browser session data and checkout form details, which let the attackers bypass traditional security filters while stealing sensitive user data.

Attackers also injected Google AdSense code into at least 17 WordPress sites to hijack ad revenue. By placing their own AdSense code, the attackers received earnings instead of the legitimate site owners.

“They’re abusing your site to serve their ads,” said researcher Puja Srivastava. “If you’re running AdSense yourself, you could be losing revenue without realizing it.”

Adding to the threat landscape, a deceptive CAPTCHA page has been found on compromised websites. It tricks users into downloading a Node.js-based backdoor. Once installed, this backdoor can perform system reconnaissance, grant remote access, and deploy a Node.js remote access trojan (RAT).

The activity is linked to Kongtuke, a known traffic distribution system (TDS) also tracked as 404 TDS, LandUpdate808 and TAG-124. After infection the TDS drops a multi-functional JavaScript backdoor that tunnels traffic through SOCKS5 proxies and maintains persistent access.

Researcher Reegun Jayapaul from Trustwave SpiderLabs warned that this type of malware is especially dangerous: “It performs deep system analysis, executes remote commands, and tunnels traffic—giving attackers full control of compromised systems.”
