Threat actors covertly compromised 250+ legitimate WordPress websites—including small businesses, regional media outlets, and at least one U.S. Senate candidate campaign site—and used them as distribution points for an infostealer operation. Rapid7 reported that attackers injected malicious code into the compromised sites to display a convincing fake Cloudflare CAPTCHA page that instructs visitors to copy and execute a command on their own machines, leveraging the ClickFix social-engineering technique to initiate malware delivery.
Once executed, the malicious command leads to installation of credential-stealing malware capable of exfiltrating browser-stored credentials, authentication cookies, and cryptocurrency wallet data, with stolen “logs” potentially monetized on cybercrime forums. Reporting indicates the campaign has been active since December and shows signs of high automation across unrelated WordPress instances; Rapid7 also noted attacker-controlled domains used in the operation were registered around July–August, and the firm said it notified U.S. authorities to support investigation and remediation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
After investigating the widespread compromises, Rapid7 said it notified US authorities about the operation targeting visitors of legitimate WordPress websites with infostealer malware.
Rapid7 reported a large-scale operation affecting more than 250 WordPress websites across at least 12 countries, including media outlets, small businesses, and a US Senate candidate's campaign site. The firm assessed the activity as a highly automated, organized criminal campaign using the ClickFix social-engineering technique.
By at least December 2025, threat actors were actively compromising legitimate WordPress sites and injecting code that displayed fake Cloudflare CAPTCHA pages to trick visitors into running malicious commands that installed infostealers.
Domains later used in the WordPress infostealer campaign were registered between July and August 2025, indicating preparatory infrastructure was set up months before the activity was publicly reported.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
ccb.belgium.be
Open sourcescworld.com
Open sourcego.theregister.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.