Plugin Attack: Cybercriminals Use a Phishing Security Tool to Take Over WordPress Websites
A recently identified malware operation is using malicious code masquerading as a security plugin to compromise WordPress websites. Despite its claim to provide protection, the fraudulent plugin “WP-antymalwary-bot.php” actually provides a comprehensive set of backdoor capabilities that let threat actors maintain access, evade detection, and remotely execute code via the WordPress REST API.

Marco Wotschka, a Wordfence researcher, reported that the malware was first discovered in January 2025 during a routine site cleanup. Since then, a number of new variants have been spotted in the wild under aliases such as:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once activated, the plugin lets attackers control caching plugins, inject malicious PHP code into theme header files, and obtain administrator-level access. To remain persistent, it uses a malicious wp-cron.php file that, if the malware is removed, automatically reinstalls it so that it can be reactivated on a later site visit.
Notably, more recent iterations of the malware also inject spam or JavaScript advertisements served from other hijacked domains, indicating click fraud or malvertising as the means of generating revenue.
Skimmers and Advanced Carding Attacks Affect E-Commerce Portals as Well
The fake-plugin campaign is part of a broader rise in online threats: attackers are also using sophisticated card skimmers against Magento e-commerce sites. Security firm Sucuri described a separate campaign in which a bogus font site, italicfonts[.]org, displays fraudulent payment forms on checkout pages to harvest sensitive customer data such as login credentials and credit card numbers.

Another variant used a fake GIF file that acted as a reverse proxy, harvesting data from site visitors via sessionStorage, stealing browser cookies, and intercepting traffic. Despite its innocuous appearance, the GIF is actually a PHP script disguised to evade detection.
These attacks have evolved into multi-stage carding operations, with malicious JavaScript inserted into checkout flows to covertly siphon data and exfiltrate it to external servers under the attackers’ control.
Ad Injection and RAT Campaigns Expand the Threat Surface
In another worrying development, Trustwave SpiderLabs researchers found attempts to inject Google AdSense code into at least 17 WordPress websites. The goal is to abuse Google’s infrastructure to display the attackers’ own adverts and profit by hijacking ad impressions. Researcher Puja Srivastava says this activity undermines legitimate site owners’ efforts to monetize their sites.

Furthermore, misleading CAPTCHA prompts on hacked websites have been found to deliver Node.js-based backdoors, which in turn deploy remote access trojans (RATs). These backdoors can perform:
- System reconnaissance
- Remote command execution
- Tunneling traffic through SOCKS5 proxies
A Traffic Distribution System (TDS) called Kongtuke (also known as 404 TDS, Chaya_002, TAG-124, and LandUpdate808) has been linked to this activity. Once the RAT is running, attackers gain persistent, covert access to compromised machines, raising the risk of wider network breaches.
The Wider View: Cybersecurity Professionals Encourage Vigilance and Preemptive Protection
Although the attackers’ identities have not been verified, the use of Russian in code comments suggests possible ties to Russian-speaking threat actors. The interconnectedness of these threats, from fake WordPress plugins to sophisticated carding on Magento, shows how modern cybercrime operations combine social engineering with technical sophistication.
Experts advise WordPress site owners and developers to:
- Avoid installing untrusted plugins.
- Monitor cron jobs and server logs.
- Deploy a web application firewall (WAF).
- Regularly check themes and header files for code injection.
- Implement multi-layered security measures.
As attackers continue to combine financial fraud, data theft, and malware distribution, the digital landscape demands constant, attentive protection.
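As an added, illustrative check (not from the article, Wordfence, or any of the vendors named), the following Python script walks a WordPress install and flags the plugin filenames listed above, a wp-cron.php sitting outside the site root, and theme header.php files containing PHP that calls eval() or common decoders. The decoder names and the sample site layout are assumptions constructed for this demo, not indicators published with the article.

```python
import re
import tempfile
from pathlib import Path

# Filenames the article attributes to the fake plugin and its later variants.
KNOWN_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
               "wp-performance-booster.php", "scr.php"}
# Heuristic markers of injected PHP in theme headers (an assumption of this
# example, not indicators published with the article).
INJECTION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def scan_wordpress(root):
    """Return sorted (finding, relative_path) tuples for a WordPress install."""
    root = Path(root)
    findings = []
    for path in (root / "wp-content").rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_NAMES:
            findings.append(("known-filename", rel))
        # Core ships wp-cron.php only at the site root; a copy under
        # wp-content is a candidate for the reinstaller the article describes.
        if path.name.lower() == "wp-cron.php":
            findings.append(("stray-wp-cron", rel))
        if path.name == "header.php" and "themes" in path.parts:
            match = INJECTION_RE.search(path.read_text(errors="ignore"))
            if match:
                findings.append(("header-injection:" + match.group(1).lower(), rel))
    return sorted(findings)


def build_sample_site():
    """Create a constructed, minimal WordPress tree mixing benign and suspicious files."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-cron.php": "<?php // legitimate core file\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // benign plugin\n",
        "wp-content/plugins/WP-antymalwary-bot.php": "<?php // fake security plugin\n",
        "wp-content/uploads/wp-cron.php": "<?php // dropped reinstaller\n",
        "wp-content/themes/demo/header.php":
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n<!DOCTYPE html>\n",
        "wp-content/themes/clean/header.php": "<?php wp_head(); ?>\n<!DOCTYPE html>\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for finding, rel in scan_wordpress(build_sample_site()):
        print(f"{finding:28} {rel}")
```

Point scan_wordpress() at a real document root to run it against a live install; the filename match is case-insensitive, so the mixed-case original name is caught as well.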
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.