A stealthy malware campaign has been discovered targeting WordPress websites to deliver a Windows-based RAT through a PHP backdoor. The infection chain involves a malicious ZIP archive containing the trojan executable.

A campaign targeting WordPress websites involves attackers brute-forcing wp-admin credentials to deploy spam posts and pages for blackhat SEO purposes. The attackers use two malicious plugins to conceal their activity and maintain persistent access.

A malicious WordPress plugin named php-ini.php was discovered that conditionally created a malicious admin user on infected websites. The plugin mimicked the legitimate wpforms plugin but only included a single file.

A new malicious WordPress plugin named wordpress-player.php has been discovered, designed to covertly redirect site visitors to suspicious domains. At least 26 websites have been confirmed as infected, indicating a growing campaign.

A malicious WordPress plugin named wp-runtime-cache has been discovered masquerading as a caching plugin to steal admin credentials. The plugin is hidden from the admin panel and lacks author and URL metadata.

A malicious WordPress plugin disguised as "Yoast SEO" was found injecting a fake "Java Update" pop-up to trick users into downloading malware. The plugin injects JavaScript into the of pages, avoiding macOS, mobile, and Safari users.

A fake Google Meet page was discovered, designed to trick users into running a malicious PowerShell command under the guise of fixing a "Microphone Permission Denied" error.

A new malware campaign is targeting WordPress sites by impersonating a Cloudflare verification page. This multistage infection uses social engineering and obfuscated PowerShell commands to deliver a malicious Windows executable

The attackers used multiple stealthy methods to evade detection: naming the plugin an innocent-sounding name, and hiding it in the WordPress plugins directory versus a core file to avoid being found by integrity checks.

The WordPress malware injection attempts to trick unsuspecting victims into executing malicious Powershell commands within Windows OS environments to infect their computers with backdoors.