Attacks began earlier this month after the WordPress theme developer did not release a patch for a trivial bug.
Article Link: https://www.zdnet.com/article/hackers-are-creating-backdoor-accounts-and-cookie-files-on-wordpress-sites-running-onetone/#ftag=RSSbaffb68