
WordPress website owners are being targeted by a new malware campaign that disguises itself as a legitimate security plugin. This fake plugin, named “WP-antymalwary-bot.php,” grants hackers full control of infected websites and hides itself from view—making it extremely difficult to detect and remove.
What the Fake Plugin Does
Cybersecurity researchers report that the plugin includes several malicious features:
Admin dashboard access for attackers
Remote code execution using WordPress REST API
Malware spreading across site directories
Injection of malicious JavaScript to display ads
Communication with a C&C server to stay updated
Auto-reinstallation through a malicious wp-cron.php file
Once activated, it modifies core theme files—often the header.php—to maintain control. It also clears the cache of popular WordPress caching plugins to make sure its changes take effect immediately.
Discovery and Variants
The malware was first discovered in January 2025 during a routine website cleanup. Since then, security teams have found it in multiple variants, using different filenames like:
addons.php
wpconsole.php
wp-performance-booster.php
scr.php
These names may seem harmless, which increases the chances of them being ignored or even trusted by site admins.
Evolving Tactics
A newer version of the malware does not store the malicious JavaScript directly in the plugin. Instead, it fetches the code from a separate compromised domain, making it harder to trace. This allows attackers to update the payload remotely and use infected websites to serve spam or ads.
Another troubling addition is a malicious wp-cron.php file that ensures the malware reinstalls itself if deleted. This persistent backdoor activates on the next site visit, making standard cleanup efforts ineffective.
Who Is Behind the Attack?
While the source of the campaign remains unknown, researchers have found Russian language code comments, suggesting that the attackers may be Russian-speaking threat actors. No specific group has been officially linked to the attack.

Other Active Web Threats in 2025
This isn’t the only threat WordPress and e-commerce site owners are facing this year.
1. Fake Font Domains Stealing Payment Data
Security experts from Sucuri discovered attackers using a fake font domain, italicfonts[.]org, to inject fake checkout pages on online stores. Unsuspecting customers enter payment data, which is then sent directly to attacker-controlled servers.
2. Advanced Skimming on Magento Stores
Magento platforms are also under fire from a multi-stage JavaScript skimmer that:
Mimics a GIF image file
Collects credit card data and login credentials
Uses a reverse proxy server to intercept web traffic
Harvests browser cookies and session data
3. AdSense Code Injection on WordPress Sites
Hackers are injecting Google AdSense code into legitimate websites to serve unwanted ads and steal ad revenue. At least 17 WordPress sites have been affected so far.
“They’re using your resources to generate revenue for themselves,” warns researcher Puja Srivastava. “If you’re using AdSense, they could be replacing your code with theirs.”
4. Fake CAPTCHAs Install Remote Access Malware
Trustwave SpiderLabs also uncovered a campaign that tricks users with fake CAPTCHA verifications. When clicked, the CAPTCHAs install a Node.js-based backdoor capable of:
Gathering system information
Tunneling traffic through SOCKS5 proxies
Maintaining long-term access via a traffic distribution system (TDS) called Kongtuke (also known as 404 TDS or TAG-124)
How to Protect Your WordPress Website
Given the rise in attacks, WordPress site owners must take proactive steps:
Use trusted plugins only from the official WordPress repository
Scan your website regularly for unknown files and suspicious activity
Remove unused plugins and themes
Install firewalls like Wordfence or Sucuri
Disable or monitor wp-cron.php for unauthorized actions
Update WordPress core, themes, and plugins regularly
Watch for unfamiliar JavaScript or PHP code in theme files
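One way to automate the last three checks in that list, as an added example that is not part of the article and not code from the researchers it cites: a small Python scanner that flags the variant filenames named above inside wp-content/plugins, a wp-cron.php that writes files on each run, and header.php script tags loading from hosts outside a site-specific allowlist. The sample install it builds is constructed for the demo, and the allowed host www.example.com is an assumption you would replace with your own.

```python
import os
import re
import tempfile

# Filenames the article reports for the fake plugin and its variants.
KNOWN_BAD_FILENAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                       "wp-performance-booster.php", "scr.php"}
# Hosts this site's theme is expected to load scripts from (assumption: site-specific allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com"}
EXTERNAL_SRC = re.compile(r'<script[^>]*\ssrc=["\']https?://([^/"\']+)', re.I)
# Markers of a wp-cron.php that rewrites files on each visit (the reinstall behaviour described above).
CRON_MARKERS = re.compile(r"file_put_contents|base64_decode|curl_exec|wp-antymalwary-bot\.php", re.I)

def read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def scan_site(root):
    """Return (reason, path) findings for a WordPress install rooted at root."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content", "plugins")):
        for name in files:
            if name.lower() in KNOWN_BAD_FILENAMES:
                findings.append(("known-bad-filename", os.path.join(dirpath, name)))
    cron = os.path.join(root, "wp-cron.php")
    if os.path.isfile(cron) and CRON_MARKERS.search(read(cron)):
        findings.append(("suspicious-wp-cron", cron))
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content", "themes")):
        if "header.php" in files:  # the core theme file the article says gets modified
            path = os.path.join(dirpath, "header.php")
            for host in EXTERNAL_SRC.findall(read(path)):
                if host.lower() not in ALLOWED_SCRIPT_HOSTS:
                    findings.append(("external-script:" + host.lower(), path))
    return findings

def build_demo_site():
    """Constructed sample install (harmless stand-ins, not real malware) to exercise the scanner."""
    root = tempfile.mkdtemp()
    def put(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    put("wp-content/plugins/akismet/akismet.php", "<?php // legitimate plugin, should not be flagged\n")
    put("wp-content/plugins/wp-performance-booster.php", "<?php // constructed stand-in for a variant\n")
    put("wp-cron.php", "<?php file_put_contents('p.php', base64_decode('')); // constructed\n")
    put("wp-content/themes/twentytwenty/header.php",
        '<script src="https://www.example.com/site.js"></script>\n'
        '<script src="https://cdn.example.invalid/ads.js"></script>\n')
    return root
```

Run scan_site against the real document root instead of build_demo_site() and review every finding by hand; a match on these markers is a reason to inspect the file, not proof of infection.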
Conclusion
The rise of fake security plugins like WP-antymalwary-bot.php shows how creative and persistent attackers have become. What looks like a harmless performance booster can actually open the door to remote admin access, JavaScript injection, and even ad revenue theft.
As cybercriminals expand their techniques with malware-disguised plugins, fake CAPTCHAs, and reverse proxy exploits, it’s crucial to secure your WordPress site with the right tools and best practices.
If you manage a website—especially one that handles sensitive user data—regular security audits are no longer optional. They’re a necessity.