ClickFix Campaign Hijacks WordPress Sites to Deliver Infostealers via Fake Cloudflare CAPTCHA
Threat actors covertly compromised 250+ legitimate WordPress websites—including small businesses, regional media outlets, and at least one U.S. Senate candidate campaign site—and used them as distribution points for an infostealer operation. Rapid7 reported that attackers injected malicious code into the compromised sites to display a convincing fake Cloudflare CAPTCHA page that instructs visitors to copy and execute a command on their own machines, leveraging the ClickFix social-engineering technique to initiate malware delivery.
Once executed, the malicious command leads to installation of credential-stealing malware capable of exfiltrating browser-stored credentials, authentication cookies, and cryptocurrency wallet data, with stolen “logs” potentially monetized on cybercrime forums. Reporting indicates the campaign has been active since December and shows signs of high automation across unrelated WordPress instances; Rapid7 also noted attacker-controlled domains used in the operation were registered around July–August, and the firm said it notified U.S. authorities to support investigation and remediation.
Related Stories

ClickFix Social-Engineering Campaigns Using Compromised WordPress Sites and DNS-Based Staging
Threat actors are scaling **ClickFix**-style “self-infection” attacks that abuse compromised legitimate websites to trick users into manually executing malicious PowerShell via the Windows Run dialog or a terminal. Reporting describes the **KongTuke** campaign evolving its tradecraft by retrieving next-stage instructions from **DNS TXT records** rather than over HTTP, reducing visibility for controls focused on web traffic and blending activity into normal DNS resolution. The objective is follow-on malware deployment and persistence, including installation of remote-access tooling such as the **Interlock RAT**. Separately, researchers described a large **watering-hole** operation dubbed **IClickFix** that poisoned **3,800+ WordPress sites** with a fake *Cloudflare Turnstile CAPTCHA* prompt that instructs visitors to copy/paste and run a “fix” command. Once executed, the staged PowerShell pulls commodity payloads including **NetSupport RAT**, **Emmenhtal Loader**, and **XFiles Stealer**, and uses tracking/targeting logic (e.g., an `ic-tracker-js` HTML tag) to manage victim flow. In contrast, a different WordPress compromise technique called **“directory shadowing”** was reported as an SEO-spam operation that creates physical folders matching WordPress permalinks and serves gambling content selectively to crawlers (via User-Agent checks), which is not part of the ClickFix execution chain.
1 month ago
ClickFix Social-Engineering Lures Deliver Multi-Stage Windows Malware via Browser Extensions and Compromised WordPress Sites
Threat researchers reported continued evolution and operationalization of **ClickFix**-style social engineering, where victims are tricked into manually executing attacker-supplied commands via the Windows Run dialog. Huntress described a new variant dubbed **CrashFix**, attributed to **KongTuke**, which uses a **malicious browser extension** to display a fake “browser stopped abnormally” security warning and a bogus “scan” flow; the extension silently places a **PowerShell** command on the clipboard, disguised as a legitimate repair action, and instructs the user to paste-and-run it, leading to code execution. Rapid7 Labs separately documented a large-scale campaign in which an unidentified actor compromises legitimate **WordPress** sites to inject a ClickFix implant that impersonates a **Cloudflare human verification (CAPTCHA)** challenge. The operation has affected **250+** infected sites across **12+ countries** and delivers a **multi-stage, mostly in-memory** malware chain (obfuscated JavaScript → PowerShell stagers → in-memory loaders/shellcode) aimed at stealing **credentials and digital wallets** from Windows systems, enabling downstream financial theft and potential follow-on intrusion using harvested credentials.
1 week ago
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
3 weeks ago
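The stories above all describe the same ClickFix page pattern (fake Cloudflare verification prompt, script that writes a PowerShell command to the clipboard, Run-dialog paste instructions, and the `ic-tracker-js` tag). As an added defender-side example, not code from Rapid7, Huntress or any of the cited reports, this Python scanner applies those indicators to page HTML so a site owner or SOC can triage WordPress pages at scale; the sample pages and the assumption that the tracker appears as an `id="ic-tracker-js"` attribute are constructed.

```python
import html
import re

# Heuristics taken from the reporting above: a fake Cloudflare "verify you are
# human" prompt, page script that writes to the clipboard, instructions to open
# the Windows Run dialog and paste, a PowerShell reference in page content, and
# the `ic-tracker-js` tag noted for the IClickFix watering-hole sites.
INDICATORS = {
    "fake_cloudflare_prompt": re.compile(
        r"(verify you are human|cloudflare).{0,300}(turnstile|ray id|checking your browser)",
        re.I | re.S),
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    "run_dialog_instructions": re.compile(
        r"(win(dows)?(\s*key)?\s*\+\s*r\b)|(ctrl\s*\+\s*v\b)", re.I),
    "powershell_reference": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "ic_tracker_tag": re.compile(r"<[^>]*\bic-tracker-js\b", re.I),  # assumed as an attribute
}

def scan_page(page_html: str) -> dict:
    """Return which ClickFix indicators appear in one page's HTML/JS."""
    decoded = html.unescape(page_html)  # also catch entity-encoded strings
    return {name: bool(rx.search(decoded)) for name, rx in INDICATORS.items()}

def is_clickfix_suspect(page_html: str, min_hits: int = 3) -> bool:
    """Flag a page only when independent indicators co-occur: a Cloudflare
    mention or a copy button on its own is normal on legitimate sites."""
    hits = scan_page(page_html)
    # Clipboard write plus Run-dialog instructions is the core ClickFix pattern.
    core = hits["clipboard_write"] and hits["run_dialog_instructions"]
    return core or sum(hits.values()) >= min_hits

# Constructed sample pages (not real captured content).
SUSPECT_PAGE = """
<div class="cf-box"><h2>Verify you are human</h2>
<p>Checking your browser before accessing the site.</p>
<ol><li>Press Windows Key + R</li><li>Press CTRL + V</li><li>Press Enter</li></ol>
<button onclick="fixIt()">I'm not a robot</button></div>
<script id="ic-tracker-js"></script>
<script>function fixIt(){navigator.clipboard.writeText(
 "powershell -Command &quot;&lt;PLACEHOLDER_STAGER&gt;&quot;");}</script>
"""
BENIGN_PAGE = """
<p>This site is protected by Cloudflare. Ray ID: 00000000</p>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page), "->", is_clickfix_suspect(page))
```

Run it over each page's served HTML (after JavaScript rendering, if the injected code is obfuscated) rather than the stored post content, since the stories note the implant is injected into what visitors receive.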