A malware strain, dubbed wp-vcd, hides in legitimate WordPress files and provides threat actors with administrative rights and control over the infected site. This new version of a similar campaign that began earlier this year injects malicious code inside the legitimate files of Twenty Fifteen and Twenty Sixteen, which are default themes included with WordPress 2015 and 2016. These themes are still installed on many sites and, even if they have been disabled, threat actors can use files within the themes to hide malicious code and create a new admin user named100010010. This account allows the actors to open a connection to infected sites and use them to conduct attacks against other targets. The NJCCIC recommends users and administrators of WordPress websites review the Sucuri report, use a web application firewall (WAF) to identify and prevent modifications of core WordPress files, and always keep WordPress and any installed plugins up-to-date.