Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers

Posted on May 1, 2025May 12, 2025 By CWS

Might 01, 2025Ravie LakshmananMalware / Internet Skimming
Cybersecurity researchers have make clear a brand new marketing campaign concentrating on WordPress websites that disguises the malware as a safety plugin.
The plugin, which works by the identify “WP-antymalwary-bot.php,” comes with a wide range of options to take care of entry, conceal itself from the admin dashboard, and execute distant code.
“Pinging performance that may report again to a command-and-control (C&C) server can be included, as is code that helps unfold malware into different directories and inject malicious JavaScript chargeable for serving adverts,” Wordfence’s Marco Wotschka stated in a report.
First found throughout a website cleanup effort in late January 2025, the malware has since been detected within the wild with new variants. Among the different names used for the plugin are listed under –

addons.php
wpconsole.php
wp-performance-booster.php
scr.php

As soon as put in and activated, it supplies menace actors administrator entry to the dashboard and makes use of the REST API to facilitate distant code execution by injecting malicious PHP code into the positioning theme’s header file or clearing the caches of standard caching plugins.

A brand new iteration of the malware consists of notable adjustments to the style code injections are dealt with, fetching JavaScript code hosted on one other compromised area to serve adverts or spam.
The plugin can be complemented by a malicious wp-cron.php file, which recreates and reactivates the malware routinely upon the following website go to ought to it’s faraway from the plugins listing.
It is at present not clear how the websites are breached to ship the malware or who’s behind the marketing campaign. Nevertheless, the presence of Russian language feedback and messages possible signifies that the menace actors are Russian-speaking.
The disclosure comes as Sucuri detailed an online skimmer marketing campaign that makes use of a pretend fonts area named “italicfonts[.]org” to show a pretend cost kind on checkout pages, steal entered info, and exfiltrate the information to the attacker’s server.
One other “superior, multi-stage carding assault” examined by the web site safety firm includes concentrating on Magento e-commerce portals with JavaScript malware designed to reap a variety of delicate info.

“This malware leveraged a pretend GIF picture file, native browser sessionStorage information, and tampered with the web site site visitors utilizing a malicious reverse proxy server to facilitate the theft of bank card information, login particulars, cookies, and different delicate information from the compromised web site,” safety researcher Ben Martin stated.

The GIF file, in actuality, is a PHP script that acts as a reverse proxy by capturing incoming requests and utilizing it to gather the required info when a website customer lands on the checkout web page.
Adversaries have additionally been noticed injecting Google AdSense code into a minimum of 17 WordPress websites in numerous locations with the aim of delivering undesirable adverts and producing income on both a per-click or per-impression foundation.
“They’re attempting to make use of your website’s assets to proceed serving adverts, and worse, they might be stealing your advert income in the event you’re utilizing AdSense your self,” safety researcher Puja Srivastava stated. “By injecting their very own Google AdSense code, they receives a commission as an alternative of you.”

That is not all. Misleading CAPTCHA verifications served on compromised web sites have been discovered to trick customers into downloading and executing Node.js-based backdoors that collect system info, grant distant entry, and deploy a Node.js distant entry trojan (RAT), which is designed to tunnel malicious site visitors by means of SOCKS5 proxies.
The exercise has been attributed by Trustwave SpiderLabs to a site visitors distribution system (TDS) known as Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
“The JS script which, was dropped in post-infection, is designed as a multi-functional backdoor able to detailed system reconnaissance, executing distant instructions, tunneling community site visitors (SOCKS5 proxy), and sustaining covert, persistent entry,” safety researcher Reegun Jayapaul stated.

Discovered this text attention-grabbing? Observe us on Twitter  and LinkedIn to learn extra unique content material we submit.

The Hacker News Tags:Access, Admin, Attackers, Enables, Fake, Plugin, Remote, Security, WordPress

Post navigation

Previous Post: Why top SOC teams are shifting to Network Detection and Response
Next Post: Microsoft Sets Passkeys Default for New Accounts; 15 Billion Users Gain Passwordless Support

Related Posts

The Hidden Weaknesses in AI SOC Tools that No One Talks About The Hacker News
New U.S. Visa Rule Requires Applicants to Set Social Media Account Privacy to Public The Hacker News
New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft The Hacker News
Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims The Hacker News
Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials The Hacker News
Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • New Hpingbot Abusing Pastebin for Payload Delivery and Hping3 Tool to Launch DDoS Attacks
  • Azure API Vulnerabilities Leak VPN Keys and Built-In Roles Allow Over-Privileged Access
  • How to Identify and Avoid Tech Support Scams
  • Threat Actors Widely Abuse .COM TLD to Host Credential Phishing Website
  • Citrix Warns Authentication Failures Following The Update of NetScaler to Fix Auth Vulnerability

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • New Hpingbot Abusing Pastebin for Payload Delivery and Hping3 Tool to Launch DDoS Attacks
  • Azure API Vulnerabilities Leak VPN Keys and Built-In Roles Allow Over-Privileged Access
  • How to Identify and Avoid Tech Support Scams
  • Threat Actors Widely Abuse .COM TLD to Host Credential Phishing Website
  • Citrix Warns Authentication Failures Following The Update of NetScaler to Fix Auth Vulnerability

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News