Have a specific reoccuring hack

I believe I have some malicious script that specifically keeps changing user credentials. This type of hack starts with one account and then changes all the others to the same email. (I’m starting to think it usually happens with theme edits) Is this a familiar trend where I can look up some specific code or file to spot this? I’ve done extensive cleaning in the past. It’s gotten much better, it’s slow to completely take over now and only requires a password change early in it’s stage to restore my site.