A newly discovered malware variant, camouflaged as a seemingly legitimate WordPress anti-malware plugin, has been granting threat actors full administrative control over targeted websites, according to a detailed analysis by the Wordfence Threat Intelligence team.
Identified by file names such as “WP-antymalwary-bot.php,” the malware combines persistence, evasion of the admin dashboard, and continuous remote access and code execution for the attackers.
Technical Anatomy of the Attack
First detected on January 22, 2025, during a routine incident response, the malicious plugin at first glance appears innocuous, complete with conventional headers and documentation.
However, embedded within its code are multiple functions designed specifically to maintain unauthorized access and conceal the plugin from WordPress admin dashboards.
Notably, it introduces a “check_special_link” function, triggered via GET parameters, that lets adversaries verify the plugin is live and active, a method that is easy to spot in server access logs.
Crucially, the plugin implements an “emergency_login_all_admins” function, which logs the attacker in as the first available administrator when a hardcoded cleartext password is supplied in a GET request.
Because the password travels in the query string, every use of this backdoor leaves a clear trail in the HTTP access logs, which aids post-compromise forensics.
The malware further distinguishes itself by abusing the WordPress REST API: it registers a custom REST route with no authentication or authorization check (in WordPress terms, a permission_callback that allows every request).
Through this endpoint, attackers can issue arbitrary commands such as clearing caches of popular plugins or inserting malicious PHP code at the very start of all theme header files via the “insert_code_in_header_files” function.
This injection is potent and versatile, capable of delivering anything from spam content to redirection scripts or more insidious payloads.
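An unauthenticated REST route is invisible from the dashboard but not from the public REST index, which every WordPress site serves at /wp-json/. The following added example (not Wordfence's code and not part of the malware) audits that index against an allowlist of namespaces. The core namespaces listed are real; the allowlist must be extended with the namespaces of plugins you know are installed, and the “acme-guard/v1” route in the constructed sample index is a hypothetical name, not the route the report describes.

```python
import json
import urllib.request

# Core namespaces of a current WordPress install. Assumption: extend this set
# with the namespaces of plugins you know are installed before trusting the result.
CORE_NAMESPACES = {"wp/v2", "oembed/1.0", "wp-site-health/v1", "wp-block-editor/v1"}


def fetch_rest_index(site_url, timeout=10):
    """Fetch the live REST index (GET /wp-json/); the index is public by design."""
    with urllib.request.urlopen(site_url.rstrip("/") + "/wp-json/", timeout=timeout) as resp:
        return json.load(resp)


def unknown_routes(index, allowed_namespaces=CORE_NAMESPACES):
    """Return (route, namespace, methods) for every route outside the allowlist.

    Each entry of index["routes"] carries a "namespace" and a "methods" list;
    the site root route ("/") has an empty namespace and is skipped."""
    found = []
    for route, info in sorted(index.get("routes", {}).items()):
        ns = info.get("namespace", "")
        if ns and ns not in allowed_namespaces:
            found.append((route, ns, sorted(info.get("methods", []))))
    return found


# Constructed sample index (not captured from a real site); only the keys the
# audit reads are included. "acme-guard/v1" is a hypothetical plugin namespace.
DEMO_INDEX = {
    "namespaces": ["oembed/1.0", "wp/v2", "wp-site-health/v1",
                   "wp-block-editor/v1", "acme-guard/v1"],
    "routes": {
        "/": {"namespace": "", "methods": ["GET"]},
        "/wp/v2/posts": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
        "/acme-guard/v1/run": {"namespace": "acme-guard/v1", "methods": ["GET", "POST"]},
    },
}

if __name__ == "__main__":
    for route, ns, methods in unknown_routes(DEMO_INDEX):
        print(f"unexpected route {route} (namespace {ns}, methods {','.join(methods)})")
```

The index does not reveal a route's permission_callback, so the follow-up is to request each flagged route without credentials: a protected route answers 401 or 403, an open one executes. On the server itself, the equivalent check is to grep the plugin directory for register_rest_route calls whose permission_callback is __return_true or missing.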
To guarantee persistence, the plugin hides itself from the standard plugin listing and is backed by an altered “wp-cron.php” core file.
The infected cron file can stealthily reinstall the plugin if it is removed, automatically restoring the attacker’s backdoor upon the next visit to the site.
Evolution and Command & Control Infrastructure
Recent observations reveal that this malware family is rapidly evolving. A variant analyzed by Wordfence’s security analysts incorporates scheduled tasks that communicate with a Command & Control (C&C) server based in Cyprus.
On activation, the plugin schedules a pinging process that transmits the compromised site’s URL and a timestamp every minute to the remote server at IP address 45.61.136.85:5555, maintaining a real-time ledger of infected sites at the attacker’s disposal.
Additionally, the malware can fetch and inject obfuscated JavaScript advertisements into targeted sites.
It retrieves base64-encoded URLs from an external resource, decodes them, and appends malicious scripts to the theme’s header, thus monetizing the campaign and expanding its reach.
This injection technique is further reinforced by options to dynamically update script URLs via simple GET parameters, though full retrieval functionality appears to be under ongoing development.
Indicators of compromise include uniquely named malicious plugin files, persistent modifications to “wp-cron.php,” unauthorized entries in theme “header.php” files, and repeated requests to the specified C&C server.
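The indicators above (and the wp-cron.php reinstall mechanism described earlier) can be swept for offline. The following added example is not Wordfence's code; it checks a WordPress document root for the reported plugin file name, a modified wp-cron.php, theme header.php files whose leading PHP block uses obfuscation or remote-fetch calls, and iptables-style egress log lines to the reported C&C address. Assumptions: the known-good wp-cron.php hash comes from a pristine copy of the same WordPress version, the header.php heuristic is a guess at what an injected block contains (the actual injected code is not published), and the sample site and log lines are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the report; the C&C address is the one it names.
C2_IP, C2_PORT = "45.61.136.85", "5555"
MALICIOUS_PLUGIN_NAMES = {"wp-antymalwary-bot.php"}
# Heuristic markers for an injected PHP block (assumption, not published IOCs).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|file_get_contents|curl_exec)\s*\(", re.I)
IPT_FIELD = re.compile(r"\b(DST|DPT)=(\S+)")  # iptables LOG fields


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_malicious_plugins(root):
    """IOC 1: plugin files whose name matches the reported malicious file name."""
    return [str(p.relative_to(root))
            for p in Path(root, "wp-content", "plugins").rglob("*.php")
            if p.name.lower() in MALICIOUS_PLUGIN_NAMES]


def check_wp_cron(root, known_good_sha256):
    """IOC 2: wp-cron.php altered. Returns the actual hash on mismatch, else None.
    known_good_sha256 is assumed to come from a pristine copy of the same version."""
    actual = sha256_file(Path(root, "wp-cron.php"))
    return None if actual == known_good_sha256 else actual


def leading_php_block(text):
    """The PHP block at the very start of the file (where the report says the
    code is inserted), or '' if the file does not open with <?php."""
    if not text.startswith("<?php"):
        return ""
    end = text.find("?>")
    return text if end == -1 else text[:end]


def check_theme_headers(root):
    """IOC 3: theme header.php files opening with a suspicious PHP block."""
    hits = []
    for header in sorted(Path(root, "wp-content", "themes").glob("*/header.php")):
        block = leading_php_block(header.read_text(errors="replace"))
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(block)})
        if calls:
            hits.append((str(header.relative_to(root)), calls))
    return hits


def find_c2_beacons(log_lines):
    """IOC 4: count egress log lines (iptables LOG format) to the C&C host:port.
    The report describes one beacon per minute, so a steady count is expected."""
    count = 0
    for line in log_lines:
        fields = dict(IPT_FIELD.findall(line))
        if fields.get("DST") == C2_IP and fields.get("DPT") == C2_PORT:
            count += 1
    return count


def sweep(root, known_good_sha256, log_lines=()):
    findings = [("malicious_plugin", p) for p in find_malicious_plugins(root)]
    changed = check_wp_cron(root, known_good_sha256)
    if changed:
        findings.append(("wp_cron_modified", changed))
    for path, calls in check_theme_headers(root):
        findings.append(("header_injection", f"{path}: {', '.join(calls)}"))
    beacons = find_c2_beacons(log_lines)
    if beacons:
        findings.append(("c2_beacon", f"{beacons} connections to {C2_IP}:{C2_PORT}"))
    return findings


# Constructed stand-ins; the real core file and theme are much longer.
PRISTINE_WP_CRON = "<?php\n// constructed stand-in for wp-cron.php\ndefine('DOING_CRON', true);\n"
CLEAN_HEADER = "<?php\n/**\n * Header template (constructed sample)\n */\n?>\n<!DOCTYPE html>\n"
DEMO_EGRESS_LOG = [  # constructed iptables LOG lines, not captured traffic
    "May  1 10:00:01 web kernel: OUT=eth0 SRC=10.0.0.5 DST=45.61.136.85 PROTO=TCP SPT=51000 DPT=5555",
    "May  1 10:00:07 web kernel: OUT=eth0 SRC=10.0.0.5 DST=151.101.1.69 PROTO=TCP SPT=51001 DPT=443",
    "May  1 10:01:01 web kernel: OUT=eth0 SRC=10.0.0.5 DST=45.61.136.85 PROTO=TCP SPT=51002 DPT=5555",
]


def known_good_hash():
    return hashlib.sha256(PRISTINE_WP_CRON.encode()).hexdigest()


def build_demo_site():
    """Constructed infected layout exhibiting every file-based indicator at once."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / "wp-antymalwary-bot"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "WP-antymalwary-bot.php").write_text("<?php // placeholder, not the malware\n")
    themes = root / "wp-content" / "themes"
    (themes / "clean").mkdir(parents=True)
    (themes / "clean" / "header.php").write_text(CLEAN_HEADER)
    (themes / "infected").mkdir()
    (themes / "infected" / "header.php").write_text(
        "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>" + CLEAN_HEADER)
    (root / "wp-cron.php").write_text(PRISTINE_WP_CRON + "// appended reinstaller stub\n")
    return root


if __name__ == "__main__":
    for kind, detail in sweep(build_demo_site(), known_good_hash(), DEMO_EGRESS_LOG):
        print(f"[{kind}] {detail}")
```

On a real site, replace the constructed hash with one computed from a pristine wp-cron.php of the same WordPress version (or run the WP-CLI command wp core verify-checksums, which compares every core file against the official checksums), and feed the beacon check the host's actual egress log. A wp-cron.php mismatch should be treated as the reinstall mechanism the report describes: removing the plugin without restoring the core file only invites it back on the next page load.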
According to the Wordfence report, the initial infection vector remains under investigation, though evidence points to a compromised hosting account or stolen FTP credentials.
This campaign stands out for its sophisticated blend of evasion, persistence, and administrative takeover, traits increasingly attributed to malware developed with AI assistance.
Wordfence rapidly responded by deploying detection signatures for premium users within days of discovery, with free users receiving updates after a standard 30-day delay.
A firewall rule to block file execution was also pushed to premium customers, with broader coverage scheduled for May 23, 2025.
The incident underscores the escalating technical complexity of threats facing WordPress site operators, with attackers now deploying malware that mimics legitimate plugins while delivering near-complete control to remote adversaries.