- Wordfence researchers uncover a new piece of WordPress malware
- Threat actors used AI to create legitimate-looking tools
- The malware pretends to be an anti-malware product
Security researchers have discovered a piece of WordPress malware pretending to be an antimalware solution. In late April, Marko Wotschka from the Wordfence team published a new blog post detailing an “interesting WordPress malware”: it appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’.
While looking inconspicuous at first, the researchers discovered that this plugin contains several functions that allows attackers to persist on the target website, hide the plugin from the dashboard, and remotely execute code.
“Pinging functionality that can report back to a Command & Control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads,” Wotschka explained.
Compromised hosting accounts
Wordfence first discovered the malicious plugin during a January 2025 site cleanup, when they discovered a modified ‘wp-cron” php file.
It created and programmatically activated the malware which was also found to have been using the names “addons.php”, “wpconsole.php”, “wp-performance-booster.php”, and “scr.php”.
If the website admin deletes the plugin, wp-cron recreates and reactivates it automatically.
Wordfence couldn’t determine who the threat actors behind the attacks are, or how they managed to compromise these websites.
There were no logs to analyze, which is why the researchers speculated that the infection happened either via a compromised hosting account, or FTP credentials. They also managed to determine that the C2 server is located in Cyprus, and that a similar attack was already seen back in June 2024.
Another thing that makes this malware interesting – as Wordfence put it – is the apparent use of Generative Artificial Intelligence (AI) in code writing.
It’s not the use of AI per se that’s interesting, but rather the fact that AI helps threat actors create “more legitimate appearing malware”.
Via BleepingComputer
Leave a comment