CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).

Timeline

  1. 15.09.2025 23:12 πŸ“° 1 articles Β· ⏱ 1d ago

    Scattered Lapsus$ Hunters Claim Access to Law Enforcement Systems

    The "Scattered Lapsus$ Hunters" group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system. The group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been behind widespread data theft attacks targeting Salesforce data and other high-profile companies. They initially used social engineering to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances and breached Salesloft's GitHub repository to find authentication tokens for further attacks. The group has targeted numerous companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, and Palo Alto Networks. Google Threat Intelligence (Mandiant) has been actively tracking and disclosing the activities of the "Scattered Lapsus$ Hunters" group. The group has taunted the FBI, Google, Mandiant, and security researchers in various Telegram channels and has claimed to be going dark, although cybersecurity researchers believe they will continue attacks quietly.

    Show sources
    Open in new tab
  2. 26.08.2025 13:45 πŸ“° 1 articles Β· ⏱ 22d ago

    ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware

    A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

RaccoonO365 Phishing-as-a-Service Infrastructure Disrupted

Microsoft and Cloudflare disrupted the RaccoonO365 phishing-as-a-service (PhaaS) network, seizing 338 domains used by the threat group Storm-2246. The operation targeted over 5,000 Microsoft 365 credentials from 94 countries since July 2024. The group, led by Joshua Ogundipe, used Cloudflare services to protect phishing pages, making detection more challenging. The disruption began on September 2, 2025, and involved banning domains, placing warning pages, and terminating associated scripts. The group targeted over 2,300 organizations in the U.S., including healthcare entities, and offered AI-powered services to enhance phishing attacks. The stolen credentials, cookies, and other data were used in financial fraud attempts, extortion attacks, or as initial access to other victims' systems. RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals.

Open in new tab

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Open in new tab

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.

Open in new tab

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

FinWise Bank insider breach impacts 689K American First Finance customers

FinWise Bank experienced a data breach on May 31, 2024, when a former employee accessed sensitive files after their employment ended. The breach affected 689,000 customers of American First Finance (AFF), a company that offers consumer financing products. The compromised data included full names and other personal information. FinWise has strengthened internal controls and is offering free credit monitoring services to affected individuals. The incident is facing multiple class-action lawsuits. The breach was discovered and investigated with the help of outside cybersecurity professionals. The exact methods used by the former employee to access the data remain undisclosed.

Open in new tab