We recently had a client that had a persistent malware infection on their shared hosting environment that would re-infect the files quickly after we had cleaned them. The persistence was being created by a cron that was scheduled to download malware from a third party domain.
Persistent Malware Infection on WordPress and Joomla Websites
This persistent website malware infection made us remember a blog post we posted back in 2014. As it turns out, the malware operated almost identically — and in this more recent case, it was infecting a WordPress website.
Source: Scuri check