Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises malware as a security plugin.
The plugin, which goes by the name "WP-antymalwary-bot.php", comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.
"Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads," Wordfence's Marco Wotschka said in a report.
First discovered during a site cleanup effort in late January 2025, the malware has since been detected in the wild with new variants. Some of the other names used for the plugin are listed below -
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once installed and activated, it provides threat actors with administrator access to the dashboard and uses the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing the caches of popular caching plugins.
The newest iteration of the malware includes notable changes to the way code injections are handled, fetching JavaScript code hosted on another compromised domain to serve ads or spam.
The plugin is also complemented by a malicious wp-cron.php file, which recreates and automatically reactivates the malware on the next site visit if it is removed from the plugins directory.
It is currently unclear how the sites are breached to deliver the malware or who is behind the campaign. However, the presence of Russian-language comments and messages likely indicates that the threat actors are Russian-speaking.
The disclosure comes as Sucuri detailed a web skimmer that uses a fake font domain called "italicfonts[.]org" to display a fake payment form on checkout pages, steal the information entered, and exfiltrate the data to the attacker's server.
Another "advanced, multi-stage carding attack" investigated by the website security company targets Magento e-commerce portals with JavaScript malware designed to harvest a wide range of sensitive information.
"This malware leveraged a fake GIF image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website," Sucuri's Ben Martin said.
The GIF file is in reality a PHP script that acts as a reverse proxy, capturing incoming requests and using them to collect the necessary information when a site visitor lands on the checkout page.
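The two patterns described above, a plugin that reappears under rotating filenames and is resurrected by a wp-cron.php dropped into the plugins directory, and a "GIF" that is really PHP, are both cheap to check for on disk. The scanner below is an added example for incident responders, not code from Wordfence, Sucuri, or the article; it assumes a standard WordPress layout (wp-cron.php belongs only at the site root, plugins under wp-content/plugins) and builds a constructed sample tree in a temporary directory so it runs offline. The indicator filenames come from the article; the sample files are invented for the demonstration.

```python
"""Scan a WordPress-style tree for three indicator classes from the report:
   1. plugin filenames the article lists as used by the malware,
   2. a wp-cron.php that lives anywhere other than the site root
      (WordPress core ships it only there), and
   3. image-named files whose bytes contain a PHP opening tag.
Added example; the sample tree it scans is constructed, not real data."""
import re
import tempfile
from pathlib import Path

# Filenames reported in the article as names the malicious plugin has used.
REPORTED_NAMES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}
IMAGE_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg", ".ico", ".svg"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_wordpress(root):
    """Return a sorted list of (finding_kind, relative_path) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in REPORTED_NAMES:
            findings.append(("reported-name", rel))
        # wp-cron.php is a core file at the site root; a copy inside
        # wp-content/plugins matches the reinfection helper described above.
        if name == "wp-cron.php" and path.parent != root:
            findings.append(("wp-cron-outside-root", rel))
        # A file that claims to be an image but carries a PHP open tag in its
        # first 4 KiB is the "fake GIF" pattern; only the head is read so
        # large uploads are cheap to check.
        if path.suffix.lower() in IMAGE_EXTENSIONS:
            head = path.read_bytes()[:4096]
            if PHP_OPEN_TAG.search(head):
                findings.append(("php-in-image", rel))
    return sorted(findings)


def build_sample_site():
    """Create a constructed, throwaway WordPress-like tree (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-cron.php": b"<?php /* legitimate core file at the site root */",
        "wp-content/plugins/akismet/akismet.php": b"<?php /* benign plugin */",
        "wp-content/plugins/addons.php": b"<?php /* name reported in the article */",
        "wp-content/plugins/wp-cron.php": b"<?php /* reinfection helper, wrong location */",
        "wp-content/uploads/logo.gif": b"GIF89a" + b"\x00" * 32,
        "wp-content/uploads/pixel.gif": b"GIF89a<?php /* PHP hiding behind an image name */",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for kind, rel in scan_wordpress(site):
        print(f"{kind:22} {rel}")
```

Run against the constructed tree, the legitimate root wp-cron.php, the benign plugin, and the real GIF pass, while the three planted files are reported. On a live site, point `scan_wordpress` at the document root and treat any hit as a lead to verify against a clean copy of WordPress core and the plugin vendor's release, since a filename match alone is not proof of compromise.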
Sucuri has also observed Google AdSense code being injected into at least 17 WordPress sites in various locations in order to serve unwanted ads and generate revenue on either a per-click or per-impression basis.
"They want to use your site's resources to continue serving ads, and worse, they could be stealing your ad revenue if you are using AdSense yourself," the company noted. "By injecting their own Google AdSense code, they get paid instead of you."
That's not all. Deceptive CAPTCHA checks served on compromised sites have been found to trick users into downloading and executing a Node.js-based backdoor that collects system information, grants remote access, and deploys a Node.js remote access trojan (RAT) designed for tunneling malicious traffic.
The activity has been attributed by Trustwave SpiderLabs to a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
"The JS script dropped post-infection was developed as a multi-functional backdoor capable of detailed system reconnaissance, executing remote commands, tunneling network traffic (SOCKS5 proxy), and maintaining covert, persistent access," security researcher Reegun said.