By USA Goldmines 
- Wordfence researchers uncover a new piece of WordPress malware
- Threat actors used AI to create legitimate-looking tools
- The malware pretends to be an anti-malware product
Security researchers have discovered a piece of WordPress malware pretending to be an antimalware solution. In late April, Marko Wotschka from the Wordfence team published a new blog post detailing an “interesting WordPress malware”: it appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’.
While looking inconspicuous at first, the researchers discovered that this plugin contains several functions that allows attackers to persist on the target website, hide the plugin from the dashboard, and remotely execute code.
“Pinging functionality that can report back to a Command & Control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads,” Wotschka explained.
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.
Preferred partner (What does this mean?)View Deal
Compromised hosting accounts
Wordfence first discovered the malicious plugin during a January 2025 site cleanup, when they discovered a modified ‘wp-cron” php file.
It created and programmatically activated the malware which was also found to have been using the names “addons.php”, “wpconsole.php”, “wp-performance-booster.php”, and “scr.php”.
If the website admin deletes the plugin, wp-cron recreates and reactivates it automatically.
Wordfence couldn’t determine who the threat actors behind the attacks are, or how they managed to compromise these websites.
There were no logs to analyze, which is why the researchers speculated that the infection happened either via a compromised hosting account, or FTP credentials. They also managed to determine that the C2 server is located in Cyprus, and that a similar attack was already seen back in June 2024.
Another thing that makes this malware interesting – as Wordfence put it – is the apparent use of Generative Artificial Intelligence (AI) in code writing.
It’s not the use of AI per se that’s interesting, but rather the fact that AI helps threat actors create “more legitimate appearing malware”.
Via BleepingComputer
You might also like
- US government warns this popular CMS software has a worrying security flaw
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.