A new malware campaign targeting WordPress sites poses as a security plugin to get site owners to install it and trust it.
According to Wordfence researchers, the malware gives attackers persistent access, remote code execution and JavaScript injection, while the plugin itself stays hidden from the admin dashboard.
Wordfence first discovered the malware during a site cleanup at the end of January 2025, where it found a modified ‘wp-cron.php’ file that creates and activates a malicious plugin called ‘wp-antymalwary-bot.php’.
Other plugin names used in the campaign include:
- addon.php
- wpconsole.php
- wp-performance-buster.php
- scr.php
If the plugin is removed, the modified wp-cron.php re-creates it and automatically activates it again on the next site visit.
Because server logs were lacking, Wordfence could not identify the exact infection chain; it suspects the infection occurs through a compromised hosting account or stolen FTP credentials.
Not much is known about the operators, although the researchers noted that the command and control (C2) server is located in Cyprus, and that the malware shows similarities to a June 2024 supply-chain attack.
Once active on the server, the plugin performs a self-check and then grants the attacker administrator access.
“The plugin provides immediate administrator access to threat actors through the emergency_login_all_admins function,” Wordfence says in its writeup.
“This function uses the emergency_login GET parameter to allow attackers to gain administrator access to the dashboard.”
“If the correct cleartext password is provided, the function retrieves all user records from the database, picks the first one, and logs the attacker in as that user.”
Next, the plugin registers an unauthenticated custom REST API route that allows arbitrary PHP code to be inserted into the header.php files of all active themes; plugin cache clearing and other commands are handled through a POST parameter.
An updated version of the malware can also inject base64-decoded JavaScript into the site’s head section, most likely to serve ads or spam to visitors or to redirect them to unsafe sites.
In addition to file-based indicators such as the plugin names listed above, website owners should check their ‘wp-cron.php’ and ‘header.php’ files for unexpected additions or modifications.
Access log entries containing “emergency_login,” “check_plugin,” “urlache,” and “key” should also be treated as red flags that warrant further investigation.
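The following script is an added example for defenders, not code from the article or from Wordfence. It turns the indicators listed above into an automated check: it parses web server access log lines in the common log format, flags requests that carry the named query parameters or that touch one of the listed plugin file names, and compares a site file such as wp-cron.php against a known-good SHA-256 hash. The log lines are constructed sample data, and the known-good-hash comparison is an assumed baseline approach that the article does not describe; the indicator strings themselves are the ones the article lists.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Plugin file names reported in the article (compared case-insensitively).
MALICIOUS_PLUGIN_FILES = {
    "wp-antymalwary-bot.php",
    "addon.php",
    "wpconsole.php",
    "wp-performance-buster.php",
    "scr.php",
}

# Query parameter names the article says should be treated as red flags.
RED_FLAG_PARAMS = {"emergency_login", "check_plugin", "urlache", "key"}

# Common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [30/Jan/2025:10:15:02 +0000] "GET /?emergency_login=1&key=REDACTED HTTP/1.1" 302 0',
    '198.51.100.9 - - [30/Jan/2025:10:15:40 +0000] "POST /wp-json/ HTTP/1.1" 200 312',
    '192.0.2.55 - - [30/Jan/2025:10:16:11 +0000] "GET /wp-content/plugins/wp-antymalwary-bot.php HTTP/1.1" 200 10',
    '192.0.2.10 - - [30/Jan/2025:10:17:00 +0000] "GET /about/ HTTP/1.1" 200 5120',
]


def parse_log_line(line):
    """Return a dict with ip, ts, path, query parameter names and requested file name, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["path"])
    rec["params"] = set(parse_qs(parsed.query, keep_blank_values=True).keys())
    rec["file"] = parsed.path.rsplit("/", 1)[-1].lower()
    return rec


def find_red_flags(lines):
    """Return (ip, timestamp, path, hits) for every request matching an indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits = sorted(rec["params"] & RED_FLAG_PARAMS)
        if rec["file"] in MALICIOUS_PLUGIN_FILES:
            hits.append("plugin:" + rec["file"])
        if hits:
            findings.append((rec["ip"], rec["ts"], rec["path"], hits))
    return findings


def suspicious_plugin_files(filenames):
    """Filter a directory listing of wp-content/plugins down to the reported file names."""
    return sorted(f for f in filenames if f.lower() in MALICIOUS_PLUGIN_FILES)


def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()


def file_changed(content, known_good_sha256):
    """True if a core file (e.g. wp-cron.php) no longer matches its known-good hash.
    Assumption: the operator keeps a baseline hash from a clean install."""
    return sha256_hex(content) != known_good_sha256


if __name__ == "__main__":
    for ip, ts, path, hits in find_red_flags(SAMPLE_ACCESS_LOG):
        print(f"{ts} {ip} {path} -> {', '.join(hits)}")
    print(suspicious_plugin_files(["akismet", "scr.php", "hello.php", "WPconsole.php"]))
```

Run against a real access log by replacing SAMPLE_ACCESS_LOG with the file's lines; the plugin directory listing and baseline hash come from the site being checked. A match on "key" alone is a weaker signal than the other parameters, so review those hits in context rather than treating every one as a confirmed compromise.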