Fake WordPress Security Plugin Grants Remote Admin Access to Hackers

By jinia


Cybersecurity researchers have discovered a new malicious campaign targeting WordPress sites. Attackers are disguising malware as a fake security plugin, giving them unauthorized access to admin dashboards and enabling persistent backdoor installations.


The fake plugin, named WP-antymalwary-bot.php, is packed with dangerous capabilities, including:

  • Hiding itself from the admin dashboard
  • Executing remote PHP code via REST API
  • Reporting back to a command-and-control (C2) server
  • Injecting malicious JavaScript ads into site pages
  • Spreading itself into other directories


"The malware includes pinging functionality and helps propagate malicious scripts," said Marco Wotschka of Wordfence.


Disguised Under Multiple Plugin Names

Originally discovered during a WordPress site cleanup in January 2025, the malware has since evolved. It uses various filenames to remain hidden, such as:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php


Once activated, it grants admin access, injects malicious code into the theme’s header.php, and clears plugin caches to hide its tracks. It also uses a rogue wp-cron.php file to reinstall itself automatically if deleted.


Persistent Infections via wp-cron.php

This plugin ensures long-term compromise by regenerating itself during site visits through a malicious cron job. Russian-language comments in the code suggest the hackers may be Russian-speaking, although attribution remains uncertain.


Related Campaigns: Fake Checkout Forms & JavaScript Skimmers

Simultaneously, Sucuri has identified a web skimming campaign using italicfonts[.]org to inject fake payment forms, steal credit card data, and send it to attacker-controlled servers.

Another sophisticated attack on Magento stores used JavaScript malware to:


  • Disguise itself as a fake GIF file
  • Harvest sessionStorage data
  • Intercept traffic using a malicious reverse proxy


"This malware acts like a backdoor to siphon sensitive user data," said security researcher Ben Martin.



Ad Injection: Stealing Your Revenue

Researchers have found malicious actors injecting Google AdSense code into at least 17 WordPress sites. Their goal: steal ad revenue by displaying unauthorized ads.


"If you're using AdSense, attackers could be diverting your earnings by inserting their own publisher code," warned Puja Srivastava.


Fake CAPTCHA Leads to Node.js-Based RATs

Fake CAPTCHA pages are also being used to trick users into installing Node.js-based remote access trojans (RATs). These trojans:


  • Collect system data
  • Execute remote commands
  • Tunnel malicious traffic via SOCKS5 proxies


This attack is linked to a traffic distribution system (TDS) called Kongtuke (a.k.a. 404 TDS, LandUpdate808, TAG-124).


"The injected JS acts as a multifunctional backdoor with deep system access," said Reegun Jayapaul from Trustwave SpiderLabs.


How to Protect Your WordPress Site

Follow these steps to keep your WordPress site safe:

  • Scan regularly for unknown plugins
  • Disable file editing in wp-config.php
  • Restrict REST API access where possible
  • Audit wp-cron.php and header.php files
  • Install Web Application Firewalls (e.g., Wordfence, Sucuri)
  • Keep all themes and plugins updated
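As an added example (not code from Wordfence, Sucuri or this article), the POSIX shell audit below checks a site tree for the indicators the article lists: the plugin filenames named above, a wp-cron.php anywhere outside the site root, obfuscation calls in a theme's header.php, and whether DISALLOW_FILE_EDIT is set in wp-config.php. The fixture site tree and its file contents are constructed for the demonstration.

```shell
# Plugin/drop-in filenames named in the report, matched case-insensitively.
SUSPECT_NAMES='wp-antymalwary-bot.php addons.php wpconsole.php wp-performance-booster.php scr.php'

# True when wp-config.php ($1) defines DISALLOW_FILE_EDIT as true (removes the dashboard file editor).
file_edit_disabled() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Heuristic: obfuscation primitives rarely belong in a theme's header.php ($1).
header_looks_injected() { grep -Eq 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1"; }

# Walk a site root ($1), print each indicator found, and return the finding count (0 = clean).
audit_site() {
  n=0
  for name in $SUSPECT_NAMES; do                  # listed plugin names anywhere in the tree
    for f in $(find "$1" -type f -iname "$name"); do echo "suspect file: $f"; n=$((n+1)); done
  done
  for f in $(find "$1" -mindepth 2 -type f -name wp-cron.php); do   # core wp-cron.php lives only in the root
    echo "rogue wp-cron.php: $f"; n=$((n+1))
  done
  for h in $(find "$1/wp-content/themes" -type f -name header.php 2>/dev/null); do
    if header_looks_injected "$h"; then echo "obfuscation call in $h"; n=$((n+1)); fi
  done
  if ! file_edit_disabled "$1/wp-config.php"; then echo "DISALLOW_FILE_EDIT not set"; n=$((n+1)); fi
  return $n
}

# Constructed fixture: a fake site tree with the indicators planted as harmless placeholders.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/perf" "$d/wp-content/uploads" "$d/wp-content/themes/t"
  printf '<?php // core cron entry point\n' > "$d/wp-cron.php"
  printf '<?php // placeholder for the fake plugin\n' > "$d/wp-content/plugins/perf/wp-performance-booster.php"
  printf '<?php // placeholder for the reinstall hook\n' > "$d/wp-content/uploads/wp-cron.php"
  printf '<?php echo base64_decode("QUJD"); // planted marker\n' > "$d/wp-content/themes/t/header.php"
  printf "<?php define('DB_NAME', 'wp');\n" > "$d/wp-config.php"
  echo "$d"
}

site=$(make_fixture); findings=0
audit_site "$site" || findings=$?
echo "findings on fixture: $findings"   # 4
rm -rf "$site"
```

Treat each hit as a lead for manual review rather than proof of compromise: the header.php check in particular is a heuristic and a legitimate theme can trip it.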


Final Thoughts

These incidents underscore the growing sophistication of attacks on WordPress and e-commerce platforms. From fake plugins and JavaScript skimmers to AdSense hijacking and Node.js RATs, attackers are evolving their tactics rapidly.


Stay vigilant. Secure your website. Monitor your logs. The best defense is proactive awareness.