The recent revelation by researchers at the website security firm Sucuri concerning malicious plugins has shocked the crypto domain to the core. According to the research, attackers use the malicious plugins to gain covert access to WordPress websites for their nefarious objectives and also to engage in crypto mining.

According to the reports, some of the fraudulent plugins, equipped with backdoor features and given names like 'initiatorseo' or 'updrat123' by their creators, were observed imitating the internal structure of the WordPress backup plugin UpdraftPlus. The plugin is quite popular, with over two million installations at the present time.

The researchers at Sucuri noted that "The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019." These plugins are easily created with the help of ready-to-use automated tools or by adding malicious payloads such as web shells to the source code of the original versions.

One of the prominent features of such malevolent plugins is that they remain hidden from users working in the affected website's WordPress dashboard. These plugins are designed to stay out of sight. By default, the plugin hides itself in the WordPress dashboard from anyone who doesn't use browsers with specific User-Agent strings, and these strings vary from plugin to plugin, the research revealed.

These plugins work as intruders that attack WordPress websites, giving the attackers full access to the servers even after the removal of the original infection vector.
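A heuristic, defender-side check for the hiding behaviour described above, written for this article as an added example and not part of Sucuri's research or tooling: it reads each plugin's main PHP file and flags a header whose Text Domain does not match the directory it was installed under (metadata copied from another plugin such as UpdraftPlus), code that filters the plugin out of the admin plugin list, and a User-Agent condition attached to that hiding. The regular expressions are assumptions about how such code is usually written, not signatures taken from the page, and the two sample plugin files are constructed.

```python
"""Heuristic scan for self-hiding lookalike WordPress plugins (added example)."""
import re
from pathlib import Path

# Header fields WordPress reads from the comment block at the top of a plugin's main file.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version|Text Domain):\s*(.+?)\s*$", re.MULTILINE
)
# Assumed indicators: a plugin that removes itself from the admin plugin list,
# and one that makes that decision based on the visitor's User-Agent header.
HIDE_FILTER_RE = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
UA_CHECK_RE = re.compile(r"HTTP_USER_AGENT")


def parse_header(source: str) -> dict:
    """Return the recognised header fields of a plugin file as a dict."""
    return dict(HEADER_RE.findall(source))


def assess_plugin(slug: str, source: str) -> list:
    """Return the reasons a plugin main file under directory `slug` looks suspicious."""
    reasons = []
    text_domain = parse_header(source).get("Text Domain", "")
    # Metadata copied from another plugin but installed under a different
    # directory name is the lookalike pattern the article describes.
    if text_domain and text_domain != slug:
        reasons.append(f"text domain '{text_domain}' does not match plugin slug '{slug}'")
    if HIDE_FILTER_RE.search(source):
        reasons.append("filters itself out of the admin plugin list (all_plugins)")
        if UA_CHECK_RE.search(source):
            reasons.append("hiding depends on the request's User-Agent header")
    return reasons


def scan_plugins_dir(root) -> dict:
    """Walk wp-content/plugins and map each suspicious slug to its reasons."""
    findings = {}
    for plugin_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for php in plugin_dir.glob("*.php"):
            reasons = assess_plugin(plugin_dir.name, php.read_text(errors="replace"))
            if reasons:
                findings.setdefault(plugin_dir.name, []).extend(reasons)
    return findings


# Constructed samples, not real plugin code: a genuine-looking header, and the same
# header reused by a non-functional sketch that carries the hiding indicators.
GENUINE = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.16.16
Text Domain: updraftplus
*/
"""
LOOKALIKE = GENUINE + """
add_filter('all_plugins', 'hide_from_list');
$agent = $_SERVER['HTTP_USER_AGENT'];
"""

if __name__ == "__main__":
    print("updraftplus:", assess_plugin("updraftplus", GENUINE))
    print("updrat123:", assess_plugin("updrat123", LOOKALIKE))
```

Run `scan_plugins_dir("/path/to/wp-content/plugins")` on a copy of the site to list every plugin directory with findings; because the check works on files rather than on what the dashboard shows, a plugin that hides itself from the admin list is still seen. A genuine plugin that legitimately uses the `all_plugins` filter will also be reported, so treat the output as a review list rather than a verdict.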
The plugin signals the attackers if they send a GET request using parameters such as 'initiationactivity' or 'testingkey'. With the help of POST requests, the intruders upload malicious files to the infected websites' server.

The attackers drop web shells, malicious scripts that give them access to the server. Such scripts have been injected into the sites' root directories, enabling the attackers to conduct brute-force attacks against other websites.

"While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of infection is not enough," said the researchers. They added that "Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface."

The researchers concluded by saying that "Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or crypto mining."
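The request pattern described above, a GET carrying one of the parameter names Sucuri reported followed by a POST straight to a file under the plugin directory, can be looked for in the web server's access log. The detector below is an added example for this article, not Sucuri's code; the log lines are constructed in Apache/nginx combined format with documentation IP addresses, and the plugin file name (`updrat123.php`) and the stylesheet path are constructed, only the slug `updrat123` comes from the page.

```python
"""Access-log detector for the GET/POST backdoor pattern (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Query parameter names Sucuri reported the backdoor responds to.
BACKDOOR_PARAMS = {"initiationactivity", "testingkey"}
PLUGIN_PREFIX = "/wp-content/plugins/"


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict):
    """Tag a request aimed directly at a plugin file, or return None."""
    url = urlsplit(entry["target"])
    if not url.path.startswith(PLUGIN_PREFIX):
        return None
    params = set(parse_qs(url.query, keep_blank_values=True))
    if entry["method"] == "GET" and params & BACKDOOR_PARAMS:
        return "backdoor-probe"
    # A POST sent directly to a plugin PHP file is not how WordPress normally routes
    # plugin requests; noisy on some sites, but the file-drop step looks like this.
    if entry["method"] == "POST" and url.path.endswith(".php"):
        return "plugin-php-post"
    return None


def scan_log(lines):
    """Return (tag, ip, method, target) for each suspicious request, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits.append((tag, entry["ip"], entry["method"], entry["target"]))
    return hits


# Constructed log lines: a probe with a reported parameter, then a POST to the
# same file, then two ordinary requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /wp-content/plugins/updrat123/updrat123.php?testingkey=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:12:00:03 +0000] "POST /wp-content/plugins/updrat123/updrat123.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:12:01:00 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:12:01:02 +0000] "GET /wp-content/plugins/updraftplus/css/admin.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Feed it the real log with `scan_log(open("/var/log/nginx/access.log"))` and group hits by client address: the same source probing with one of the reported parameters and then posting to the same plugin file is the sequence to investigate, and the plugin directory it names is where to look on disk.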