- Wordfence researchers discover new WordPress malware
- Threat actors appear to have used AI to make the malware look legitimate
- Malware claims to be an anti-malware product
Security researchers have discovered WordPress malware that pretends to be an anti-malware solution. At the end of April, Marko Wotschka of the Wordfence team published a blog post detailing an "interesting WordPress malware": it appears as an ordinary WordPress plugin, often under the name "WP-Antymalwary-Bot.php".
While it looks innocuous at first, the researchers found that the plugin contains several functions that allow attackers to persist on the target website, hide the plugin from the admin dashboard, and execute code remotely.
"Pinging features that can report back to a command and control (C&C) server are also included, as is code that helps spread the malware into other directories and inject malicious JavaScript responsible for serving ads," said Wotschka.
Compromised hosting accounts
Wordfence discovered the malicious plugin during a site cleanup in January 2025, when they found a modified wp-cron.php file.
That file programmatically installs and activates the malware, which has also been seen under the names "addons.php", "wpconsole.php", "wp-performance-booster.php" and "scr.php".
If the website administrator deletes the plugin, the modified wp-cron.php recreates and reactivates it automatically.
Wordfence could not determine who the threat actors behind the attacks are, nor how they managed to compromise these websites.
There were no logs to analyze, which is why the researchers hypothesize that the infection occurred via a compromised hosting account or FTP credentials. They were able to determine that the C2 server is located in Cyprus and that a similar attack had already been seen in June 2024.
Another thing that makes this malware interesting, as Wordfence notes, is the apparent use of generative artificial intelligence (AI) in writing the code.
It is not the use of AI in itself that is interesting, but rather the fact that AI helps threat actors create "more legitimate-looking malware".
Via BleepingComputer