Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
May 01, 2025
Malware / Web Skimming
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads," Wordfence's Marco Wotschka said in a report. First discovered during a site cleanup effort in late January 2025, the malware has since been detected in the wild with new variants. Some of the other names used for the plugin are listed below - addons.php wpconsole.php wp-performance-booster.php scr.php Once installed and activated, it provides threat actors administrator access to the dashboard and makes use of the REST API...