- Wordfence researchers discover a new piece of WordPress malware
- Threat actors used AI to create legitimate-looking tools
- Malware pretends to be an anti-malware product
Security researchers have discovered a piece of WordPress malware that pretends to be an anti-malware solution. At the end of April, Marko Wotschka of the Wordfence team published a new blog post detailing the WordPress malware: it appears in the file system as a normal WordPress plugin, often with the name ‘WP-AntyMalwary-Bot.php’.
While it seems innocuous at first, the researchers discovered that this plugin contains several functions that allow the attackers to persist on the target website, hide the plugin from the dashboard and execute code remotely.
“Ping functionality that can inform a command and control (C&C) server is also included, as well as code that helps disseminate malware to other directories and inject malicious JavaScript responsible for serving ads,” Wotschka explained.
Compromised hosting accounts
Wordfence first discovered the malicious plugin during a site cleanup in January 2025, when they found a modified PHP file, ‘WP-CRON’.
That file programmatically created and activated the malware, which was also found using the names “Addons.php”, “WPCONSOLE.php”, “WP-Performance-Booster.php” and “SCR.php”.
If the website administrator removes the plugin, WP-CRON recreates and reactivates it automatically.
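The file names and the WP-CRON persistence described above can be turned into a quick triage check. The following Python script is an added example, not Wordfence's code; it assumes the modified ‘WP-CRON’ file is WordPress's core `wp-cron.php` and that a trusted copy of the same WordPress release is available for comparison (`scan_site`, `clean_root` and the demo tree are hypothetical and constructed for illustration).

```python
import hashlib
import tempfile
from pathlib import Path

# Plugin file names reported in the article (matched case-insensitively).
# A name match is a lead to review, not proof: "addons.php" can be benign.
SUSPECT_NAMES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_site(site_root, clean_root):
    """Return (kind, relative_path) findings for a WordPress tree.
    Assumption: clean_root is a trusted, unpacked copy of the same
    WordPress release, used as the reference for the core cron file."""
    site, clean = Path(site_root), Path(clean_root)
    findings = []
    # Check the re-infection path first: a tampered wp-cron.php would
    # recreate the plugin after an administrator deletes it.
    live_cron, ref_cron = site / "wp-cron.php", clean / "wp-cron.php"
    if live_cron.is_file() and ref_cron.is_file():
        if sha256(live_cron) != sha256(ref_cron):
            findings.append(("modified-core", "wp-cron.php"))
    # Walk the whole tree, since the malware spreads to other directories.
    for p in sorted(site.rglob("*.php")):
        if p.name.lower() in SUSPECT_NAMES:
            findings.append(("suspect-name", p.relative_to(site).as_posix()))
    return findings

def demo():
    """Build a constructed (fake) site and reference copy, then scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        plugins = site / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        clean.mkdir()
        (clean / "wp-cron.php").write_text("<?php // reference copy\n")
        (site / "wp-cron.php").write_text("<?php // reference copy\n// extra\n")
        (plugins / "WP-AntyMalwary-Bot.php").write_text("<?php // placeholder\n")
        (plugins / "hello.php").write_text("<?php // benign placeholder\n")
        return scan_site(site, clean)

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

A `modified-core` finding should be resolved before any flagged plugin file is deleted, because the article notes that the modified file recreates and reactivates the plugin.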
Wordfence could not determine who the threat actors behind the attacks are or how they managed to compromise these websites.
There were no logs to analyze, so researchers speculated that the infection occurred through a compromised hosting account or FTP credentials. They also managed to determine that the C2 server is in Cyprus, and that a similar attack was already seen in June 2024.
Another thing that makes this malware interesting, as Wordfence said, is the apparent use of generative artificial intelligence (AI) in writing the code.
It is not the use of AI per se that is interesting, but the fact that AI helps threat actors create “more legitimate-looking malware”.
Via BleepingComputer