WordPress Malware Masquerades as Anti-Malware Plugin

May 1, 2025 | News


Security researchers at Wordfence have identified a sophisticated piece of malware targeting WordPress websites. Disguised as a legitimate anti-malware plugin, this threat uses file names like WP-antymalwary-bot.php to blend in, while silently granting attackers remote access and control over infected sites.


A Plugin Built for Deception and Control

This fake plugin doesn’t just sit quietly. It provides attackers with a suite of malicious capabilities:

  • Remote command execution through the WordPress REST API

  • Concealment from the admin dashboard: a hide_plugin_from_list() function filters the plugin out of the Plugins page so it never appears in the installed list

  • Unauthorized admin access through a GET parameter, emergency_login, that bypasses the normal login flow

  • Site control and ad injection, loading attacker-controlled JavaScript to serve rogue ads

  • Command-and-control (C&C) communication: the plugin polls a remote server for instructions

The plugin also copies itself to other directories and modifies theme header files so that its code keeps running even if the plugin itself is removed.


wp-cron.php Modified for Persistence

One of the most dangerous features is the malware’s abuse of wp-cron.php, a core WordPress file that runs on ordinary page loads to execute scheduled tasks. The malware injects code into this file that checks whether the fake plugin is still present and, if it has been deleted, reinstalls it on the next site visit.

Because the trigger lives in a core file rather than in the plugin, deleting the plugin alone does not end the infection; wp-cron.php has to be restored as well. That is what makes cleanup far more difficult for site owners.


Latest Variants Evolve Ad Injection Techniques

In newer variants, the malware reports to a command-and-control server at 45.61.136.85. The ad-injection logic has changed: it fetches JavaScript from a remote ads.php file and injects it into the site’s header, and it also stores ad-server URLs for later use. The hard-coded address is a useful indicator for log searches and egress blocking.


Infection Path: Likely via Compromised Credentials

Initial infection vectors appear to include:

  • Compromised hosting environments

  • Stolen FTP credentials

  • Reinfection from code already planted in wp-cron.php, which reinstalls the plugin after an incomplete cleanup

The malware has been found under multiple filenames, including addons.php and WP-antymalwary-bot.php.
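The indicators named in this article (the two file names, the hide_plugin_from_list() function, the emergency_login parameter, the C&C address and the remote ads.php loader, plus a tampered wp-cron.php) are enough to write a first-pass scanner. The script below is an added example, not code from the article or from Wordfence; the sample site tree it builds is constructed for the demonstration, and the wp-cron.php heuristic (flagging file writes, base64 decoding, eval or plugin-directory paths in a file that should contain none of them) is my assumption, not a Wordfence signature.

```python
"""Scan a WordPress tree for the indicators this article describes.

Added example, not code from the article or from Wordfence. The indicator
strings come from the article; the sample site and its contents are
constructed here so the scan runs offline.
"""
import re
import tempfile
from pathlib import Path

# File names the malware has been seen under (matched case-insensitively).
IOC_FILENAMES = {"wp-antymalwary-bot.php", "addons.php"}

# Strings from the article that a clean site has no reason to contain.
IOC_PATTERNS = {
    "hide_plugin_from_list": re.compile(r"hide_plugin_from_list"),
    "emergency_login": re.compile(r"emergency_login"),
    "c2_ip": re.compile(r"45\.61\.136\.85"),
    "remote_ads_js": re.compile(r"/ads\.php"),
}

# Stock wp-cron.php never writes files, decodes payloads or evals code.
# This heuristic is an assumption for the example, not a Wordfence signature.
WPCRON_SUSPECT = re.compile(r"file_put_contents|eval\s*\(|base64_decode|wp-content/plugins")


def scan_site(root: str) -> dict:
    """Walk every .php file under root and collect indicator hits."""
    root_path = Path(root)
    findings = {"files": [], "patterns": [], "wp_cron_modified": False}
    for path in sorted(root_path.rglob("*.php")):
        rel = path.relative_to(root_path).as_posix()
        if path.name.lower() in IOC_FILENAMES:
            findings["files"].append(rel)
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for name, pattern in IOC_PATTERNS.items():
            if pattern.search(text):
                findings["patterns"].append((rel, name))
        if rel == "wp-cron.php" and WPCRON_SUSPECT.search(text):
            findings["wp_cron_modified"] = True
    return findings


def build_sample_site(root: str) -> None:
    """Write a constructed site: one clean plugin, one infected plugin,
    a backdoored wp-cron.php and a theme header with the injected ad loader."""
    files = {
        # wp-cron.php with a reinstall stub appended after the real cron code.
        "wp-cron.php": (
            "<?php\n// ... genuine WP-Cron code ...\n"
            "$p = __DIR__ . '/wp-content/plugins/WP-antymalwary-bot.php';\n"
            "if (!file_exists($p)) { file_put_contents($p, base64_decode($payload)); }\n"
        ),
        "wp-content/plugins/akismet/akismet.php": "<?php\n// clean plugin\n",
        "wp-content/plugins/WP-antymalwary-bot.php": (
            "<?php\nadd_filter('all_plugins', 'hide_plugin_from_list');\n"
            "if (isset($_GET['emergency_login'])) { /* log in as admin */ }\n"
        ),
        "wp-content/themes/demo/header.php": (
            "<head><script src=\"http://45.61.136.85/ads.php\"></script></head>\n"
        ),
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> dict:
    """Build the constructed site in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp)


if __name__ == "__main__":
    result = demo()
    for rel in result["files"]:
        print(f"[file]    {rel}")
    for rel, name in result["patterns"]:
        print(f"[pattern] {rel}: {name}")
    print(f"[wp-cron] modified: {result['wp_cron_modified']}")
```

Point scan_site() at a real document root to run it against a live install. Expect some noise: addons.php is a plausible name for a legitimate plugin file, so a filename hit on its own needs a look at the file, whereas a hit on emergency_login or the C&C address is hard to explain away.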




Wordfence Response: Detection and Firewall Rules

Wordfence discovered this malware during a cleanup on January 22, 2025, and immediately released a malware signature to detect it. While variants have since emerged, Wordfence confirms their original detection methods remain effective.

To bolster protection:

  • Premium, Care, and Response users received a firewall rule on April 23, 2025

  • Free users will receive the rule on May 23, 2025

These rules block the requests used to drive the malware, so it cannot be operated even while its files are still present on the site. They do not remove the infection; the plugin files and the tampered wp-cron.php still have to be cleaned up.


How Website Owners Can Stay Safe

To guard against threats like this, WordPress site administrators should:

  • Avoid installing unknown or unverified plugins

  • Regularly audit wp-cron.php and other core files for modifications, for example by comparing them against a known-good baseline or with WP-CLI’s wp core verify-checksums

  • Use reputable security plugins with real-time threat intelligence

  • Enable two-factor authentication and replace plain FTP with SFTP or FTPS

  • Perform regular backups and maintain timely updates
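The audit step above is the one that catches this malware’s persistence, because the plugin can hide itself from the dashboard but cannot hide a change to wp-cron.php from a hash comparison. The script below is an added example, not code from the article or from Wordfence: it records the SHA-256 of every file in a known-good install, then diffs a later snapshot and reports modified, added and missing files. The sample install, the tampering and the excluded-directory list are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for WordPress core files.

Added example, not code from the article or from Wordfence. Record the
SHA-256 of every file in a known-good install, then compare a later
snapshot and report what was modified, added or removed. The sample
install and the simulated infection are constructed inline.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories whose contents change legitimately at runtime (assumed list).
EXCLUDE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    root_path = Path(root)
    baseline = {}
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if rel.startswith(EXCLUDE_PREFIXES):
            continue
        baseline[rel] = sha256_of(path)
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Snapshot a constructed clean install, simulate the infection the
    article describes, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "wp-cron.php": "<?php\n// genuine WP-Cron code\n",
            "wp-load.php": "<?php\n// bootstrap\n",
            "wp-content/plugins/akismet/akismet.php": "<?php\n// clean plugin\n",
            "wp-content/uploads/2025/05/photo.jpg": "image bytes",
        }
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_baseline(tmp)

        # Simulated infection: reinstall stub appended to wp-cron.php, fake
        # plugin dropped, plus a new upload (legitimate churn, excluded).
        with (root / "wp-cron.php").open("a") as fh:
            fh.write("if (!file_exists($p)) { file_put_contents($p, $payload); }\n")
        (root / "wp-content/plugins/addons.php").write_text("<?php\n// fake plugin\n")
        (root / "wp-content/uploads/2025/05/new.jpg").write_text("more bytes")
        return compare(tmp, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Keep the baseline off the web host. An attacker who has the FTP credentials that planted the malware can rewrite a baseline stored next to the site just as easily as wp-cron.php. For core files specifically, WP-CLI’s wp core verify-checksums does the same comparison against the hashes WordPress.org publishes for each release, so no local baseline is needed for those.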

Source: hackread.com