New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that masquerades as a legitimate plugin, often named ‘WP-antymalwary-bot.php.’

First detected on January 22, 2025, during a routine site cleanup, this malware exhibits advanced capabilities, enabling attackers to seize complete control over infected websites.

With features like remote code execution, hidden persistence mechanisms, and communication with a Command & Control (C&C) server, this threat poses a significant risk to WordPress site owners.

Premium Wordfence users received a malware signature to detect this threat on January 27, 2025, while free users gained access on February 26, 2025.

A firewall rule was later deployed to premium users on April 23, 2025, with free users scheduled to receive it on May 23, 2025.

Technical Breakdown of the Malware’s Functionality

This malware presents itself as a benign plugin with convincing headers and code formatting, evading casual detection.

It employs multiple malicious functions, including an ‘emergency_login’ feature that allows attackers to gain administrator access via a simple GET parameter, effectively bypassing standard authentication.

Additionally, it integrates a REST API endpoint for remote code execution, enabling threat actors to inject malicious PHP code into theme header files or clear caches of popular plugins without any authorization checks.

According to the report, the malware also hides itself from the WordPress dashboard’s plugin list, making it nearly invisible to site administrators.

Persistence is maintained through a compromised ‘wp-cron.php’ file, which reinstates the malware if removed, triggered by mere site visits.

In its evolved form, spotted just days before this report, the malware schedules events to ping a C&C server in Cyprus at 45.61.136.85 every minute, reporting site details and facilitating attacker control.

It also fetches malicious JavaScript from external sources for ad-serving purposes, injecting it into site headers with sophisticated obfuscation techniques using base64 encoding.

The infection likely originates from compromised hosting accounts or FTP credentials, starting with modifications to ‘wp-cron.php’ before spreading to plugins under deceptive names like ‘addons.php’ or ‘wp-performance-booster.php.’
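The three on-disk artefacts described above (a tampered ‘wp-cron.php’, plugin files under the deceptive names the report lists, and obfuscated script injected into theme header files) lend themselves to a read-only integrity review. The following script is an added example written for this article; it is not Wordfence’s or WordPress’s own code. The hash baseline `EXPECTED_WP_CRON_SHA256` is a placeholder to be filled from a pristine copy of ‘wp-cron.php’ for the installed WordPress version, and the content heuristics (decoding or eval calls in header.php, filesystem writes in wp-cron.php) are this example’s own assumptions, not signatures from the report.

```python
"""
Added example (not Wordfence's or WordPress's code): read-only integrity review
of a WordPress install for the artefacts described in the article:
  - a tampered wp-cron.php (hash mismatch against a known-good copy, or
    filesystem-write/decoding calls that core wp-cron.php is not expected to make);
  - plugin files carrying the deceptive names named in the report;
  - obfuscated code injected into theme header.php files.

Assumptions (labelled): EXPECTED_WP_CRON_SHA256 is a placeholder to be filled
from a pristine wp-cron.php; the regex heuristics are this example's own.
"""
import hashlib
import os
import re

# Placeholder: set from a known-good wp-cron.php of the installed WordPress version.
EXPECTED_WP_CRON_SHA256 = None

# Plugin file names the report associates with this malware (compared case-insensitively).
KNOWN_BAD_PLUGIN_FILES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wp-performance-booster.php",
}

# Heuristics for obfuscated or injected PHP (this example's own, not report signatures).
OBFUSCATION_RE = re.compile(
    r"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.IGNORECASE
)
# Calls not expected in core wp-cron.php; their presence suggests a persistence hook.
CRON_WRITE_RE = re.compile(
    r"file_put_contents\s*\(|fwrite\s*\(|copy\s*\(|base64_decode\s*\(", re.IGNORECASE
)


def _norm(rel_path):
    """Normalise a path relative to the WordPress root for comparison."""
    return rel_path.replace(os.sep, "/").lower()


def review_file(rel_path, content):
    """Return a list of findings for one PHP file, given its root-relative path
    and its text content. An empty list means nothing was flagged."""
    p = _norm(rel_path)
    name = p.rsplit("/", 1)[-1]
    findings = []

    if p == "wp-cron.php":
        digest = hashlib.sha256(content.encode("utf-8", "surrogateescape")).hexdigest()
        if EXPECTED_WP_CRON_SHA256 and digest != EXPECTED_WP_CRON_SHA256.lower():
            findings.append("wp-cron.php differs from the known-good hash")
        if CRON_WRITE_RE.search(content):
            findings.append("wp-cron.php contains write/decoding calls not expected in core")

    if p.startswith("wp-content/plugins/") and name in KNOWN_BAD_PLUGIN_FILES:
        findings.append(f"plugin file name {name!r} matches a name used by this malware")

    if p.startswith("wp-content/themes/") and name == "header.php" and OBFUSCATION_RE.search(content):
        findings.append("theme header.php contains obfuscation/eval calls: possible injected script")

    return findings


def review_tree(root):
    """Walk a WordPress install and return {relative_path: [findings]} for flagged files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            try:
                with open(full, encoding="utf-8", errors="surrogateescape") as fh:
                    content = fh.read()
            except OSError:
                continue
            findings = review_file(rel, content)
            if findings:
                report[rel] = findings
    return report


if __name__ == "__main__":
    import json
    import sys

    # Usage: python review.py /path/to/wordpress
    print(json.dumps(review_tree(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The review is deliberately read-only: it reports, and leaves removal to a person who has first confirmed the persistence mechanism is gone, since the report notes that ‘wp-cron.php’ reinstates the plugin file on the next site visit if only the plugin is deleted.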

Indicators of compromise include requests to the C&C server, presence of ‘emergency_login’ in access logs with successful responses, and tampered theme files.
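The log-based indicators above can be checked without any WordPress tooling. The following script is an added example written for this article, not Wordfence’s code: it scans web-server access logs for ‘emergency_login’ requests and separates attempts from those that received a successful response, and scans firewall or proxy egress logs for contacts with the C&C address named in the report, reporting the spacing between contacts so that the once-a-minute cadence stands out. It assumes Apache/nginx “combined” access-log format and a constructed key=value egress-log format with an ISO-8601 timestamp as the first token; the sample log lines are constructed for illustration.

```python
"""
Added example (not Wordfence's code): scan access logs and egress logs for
the indicators of compromise described in the article.

Assumptions (labelled): access logs use the Apache/nginx "combined" format;
egress logs are a constructed format with an ISO-8601 timestamp first and a
"dst=<ip>" field; the sample lines below are constructed, not real traffic.
"""
import re
from datetime import datetime

# C&C address named in the report; matched as a whole address, not as a substring.
CNC_IP = "45.61.136.85"
CNC_RE = re.compile(r"(?<![\d.])" + re.escape(CNC_IP) + r"(?![\d.])")

# Apache/nginx combined format: client ident user [time] "METHOD path proto" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data (TEST-NET addresses); not captured from a real site.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [22/Jan/2025:10:15:02 +0000] "GET /?emergency_login=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jan/2025:10:15:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2025:10:16:40 +0000] "GET /?emergency_login=1 HTTP/1.1" 404 210 "-" "curl/8.0"',
    '192.0.2.9 - - [22/Jan/2025:10:17:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]
SAMPLE_EGRESS_LOG = [
    "2025-04-28T09:00:00Z src=10.0.0.5 dst=45.61.136.85 dport=80 proto=tcp action=allow",
    "2025-04-28T09:00:05Z src=10.0.0.5 dst=198.51.100.20 dport=443 proto=tcp action=allow",
    "2025-04-28T09:01:00Z src=10.0.0.5 dst=45.61.136.85 dport=80 proto=tcp action=allow",
]


def parse_access_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_emergency_login(lines):
    """Split emergency_login requests into (all attempts, successful ones).

    Assumption: a 2xx or 3xx answer counts as success, since a login that then
    redirects into the dashboard answers with a 3xx; a 4xx means the parameter
    was rejected (for example because the plugin is not actually present).
    """
    attempts, successes = [], []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or "emergency_login" not in rec["path"].lower():
            continue
        attempts.append(rec)
        if 200 <= rec["status"] < 400:
            successes.append(rec)
    return attempts, successes


def find_cnc_contacts(lines):
    """Return egress-log lines that involve the C&C address."""
    return [line for line in lines if CNC_RE.search(line)]


def contact_intervals(lines):
    """Seconds between successive C&C contacts; a steady ~60 s cadence matches
    the once-a-minute scheduled ping described in the report."""
    stamps = []
    for line in find_cnc_contacts(lines):
        ts = line.split()[0].replace("Z", "+00:00")
        stamps.append(datetime.fromisoformat(ts))
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def scan(access_lines, egress_lines):
    """Summarise both indicator checks in one dictionary."""
    attempts, successes = find_emergency_login(access_lines)
    contacts = find_cnc_contacts(egress_lines)
    return {
        "emergency_login_attempts": len(attempts),
        "emergency_login_successes": len(successes),
        "attacker_ips": sorted({r["ip"] for r in successes}),
        "cnc_contacts": len(contacts),
        "cnc_intervals_s": contact_intervals(egress_lines),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(scan(SAMPLE_ACCESS_LOG, SAMPLE_EGRESS_LOG), indent=2))
```

A single successful ‘emergency_login’ hit is enough to treat the site as compromised; the client address of that hit is the one to pivot on when reviewing the rest of the log, and any contact with the C&C address from the web server itself indicates the scheduled beacon is active regardless of what the plugin list shows.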

This malware bears similarities to AI-generated threats seen in past supply chain attacks reported by Wordfence in June 2024, suggesting adversaries may be leveraging automation to craft more convincing malicious code.

As WordPress remains a prime target for cybercriminals, site owners are urged to deploy robust security solutions like Wordfence CLI for server-level scanning and to monitor logs for suspicious activity.

With over 4.3 million malicious samples in Wordfence’s Threat Intelligence database, their tools detect over 99% of known threats, offering critical defense-in-depth protection against such insidious malware.

Immediate action, including updating security measures and reviewing site integrity, is paramount to safeguard against this evolving digital menace.
