Fake WordPress Plugin Malware Grants Hidden Admin Access

A deceptive WordPress plugin posing as a security tool is giving hackers full remote access to targeted sites, cybersecurity researchers warn. Disguised as a legitimate plugin, the malware—known under names like WP-antymalwary-bot.php—allows attackers to take control of a WordPress admin dashboard, execute remote code, and silently inject malicious scripts across the website.

The plugin isn’t just a backdoor. It hides itself from the admin panel, pings command-and-control (C&C) servers, and even spreads malware by injecting JavaScript into theme files and caching systems. According to Wordfence researcher Marco Wotschka, it also helps deliver spammy ads through infected pages, using injected JavaScript hosted on other compromised domains.

Fake Plugin Variants and Persistent Access

First spotted in January 2025 during a website cleanup, the malware has already evolved, with multiple versions now seen in the wild. Other file names that serve the same malicious purpose include:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

Once activated, these fake plugins grant admin-level access and exploit WordPress REST APIs to inject PHP code—typically in theme headers—making it hard to detect. Even if the plugin is deleted, a corrupted wp-cron.php script ensures it returns on the next site visit, restoring full functionality without any manual action by the hacker.
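A defender-side integrity check for the three indicators this article describes, added here as an example (not code from Wordfence or the article): it flags plugin files with the reported names, a wp-cron.php that no longer matches a known-good hash, and theme header script tags that load from hosts other than the site's own. The paths under wp-content, the site host, and the baseline hash are assumptions; the demo builds a constructed WordPress tree in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File names reported for the fake plugin and its variants (compared case-insensitively).
SUSPECT_PLUGIN_FILES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}
# Captures the host of any <script src="http(s)://host/..."> tag.
EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.I)

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_site(root: Path, site_host: str, known_cron_sha256: str) -> list[str]:
    """Return human-readable findings for a WordPress install; an empty list means clean.
    known_cron_sha256 is the hash of wp-cron.php from a fresh download of the same version."""
    findings = []
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for p in plugins.rglob("*.php"):
            if p.name.lower() in SUSPECT_PLUGIN_FILES:
                findings.append(f"suspect plugin file: {p.relative_to(root)}")
    cron = root / "wp-cron.php"
    if cron.is_file() and sha256_of(cron) != known_cron_sha256:
        findings.append("wp-cron.php differs from known-good hash (possible reinfection hook)")
    themes = root / "wp-content" / "themes"
    if themes.is_dir():
        for header in themes.glob("*/header.php"):
            for host in EXTERNAL_SCRIPT.findall(header.read_text(errors="replace")):
                if host.lower() != site_host.lower():
                    findings.append(f"external script in {header.relative_to(root)}: {host}")
    return findings

def demo() -> list[str]:
    """Constructed install (assumed layout) showing all three indicators at once."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cron = root / "wp-cron.php"
        cron.write_text("<?php // constructed stand-in for the core wp-cron.php\n")
        baseline = sha256_of(cron)  # in practice: hash of the pristine core file
        cron.write_text(cron.read_text() + "// constructed tampering appended here\n")
        (root / "wp-content/plugins/antymalwary").mkdir(parents=True)
        (root / "wp-content/plugins/antymalwary/WP-antymalwary-bot.php").write_text("<?php\n")
        theme = root / "wp-content/themes/demo"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(
            '<script src="https://shop.example/wp-includes/js/jquery.js"></script>\n'
            '<script src="https://ads.compromised-host.example/x.js"></script>\n')
        return scan_site(root, "shop.example", baseline)
```

Run `demo()` to see the three findings; in production, pass the real document root, your own host name, and a baseline hash taken from a clean copy of the same WordPress version.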

Ads, Skimmers, and Stolen Revenue

Researchers also discovered attackers injecting their own Google AdSense code into at least 17 WordPress websites. The aim is to hijack ad placements and redirect the earnings. In some cases, site owners unknowingly lose revenue while their traffic is monetized by cybercriminals.

“If you’re using AdSense, you could be losing revenue without realizing it,” said Puja Srivastava, a security analyst. “They’re simply replacing your code with theirs.”

In a more dangerous twist, deceptive CAPTCHA prompts are being used to trick visitors into installing malware disguised as verification tools. These scripts deploy Node.js-based backdoors capable of remote access, system spying, and creating SOCKS5 proxies to mask the origin of malicious traffic.

This campaign has been linked to a traffic distribution system (TDS) named Kongtuke—also known as 404 TDS, Chaya_002, and TAG-124. The Node.js malware dropped post-infection is a powerful backdoor that can run commands, tunnel traffic, and perform in-depth reconnaissance, according to Trustwave SpiderLabs.

More Skimming Threats Target E-Commerce Platforms

Beyond WordPress, a separate wave of web skimming attacks is hitting Magento e-commerce sites. Cybercriminals are using fake font domains like italicfonts[.]org to deploy payment form overlays that mimic legitimate checkout pages. These forms steal credit card data and send it back to attacker-controlled servers.

One advanced version of the malware even uses disguised GIF image files that are actually PHP scripts acting as reverse proxies. These capture sensitive user data—credit card info, cookies, logins—by intercepting site traffic.

The Bigger Threat to Website Owners

This series of coordinated attacks reveals a concerning trend: threat actors are blending fake plugins, ad injections, phishing CAPTCHAs, and data exfiltration tools into seamless campaigns that drain revenue, steal data, and compromise user trust. The common theme is stealth—these tools are built to operate in the background, often remaining undetected until major damage is done.

While the identities behind these campaigns are still unknown, the presence of Russian-language code hints at Eastern European origins. Regardless of who’s responsible, the impact is global—and growing.
