ShadowCaptcha Campaign Exploits WordPress Sites to Distribute Malware
Summary
A large-scale cybercrime campaign, dubbed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to distribute information stealers, ransomware, and cryptocurrency miners. The campaign uses fake CAPTCHA pages and social engineering tactics to trick users into downloading and executing malicious payloads. The attacks began in August 2025, targeting users in various sectors and geographies, including Australia, Brazil, Italy, Canada, Colombia, and Israel. The campaign employs a multi-stage payload delivery method, leveraging living-off-the-land binaries (LOLBins) and anti-debugger techniques to maintain persistence and evade detection. The primary objectives include credential harvesting, cryptocurrency mining, and ransomware deployment. The compromised WordPress sites are believed to have been accessed through known plugin exploits and compromised credentials.
Timeline
- 26.08.2025 13:45 (1 article)
ShadowCaptcha Campaign Exploits WordPress Sites to Distribute Malware
In August 2025, a large-scale cybercrime campaign, dubbed ShadowCaptcha, began exploiting over 100 compromised WordPress sites to distribute information stealers, ransomware, and cryptocurrency miners. The campaign uses fake CAPTCHA pages and social engineering tactics to trick users into downloading and executing malicious payloads. The attacks target users in various sectors and geographies, including Australia, Brazil, Italy, Canada, Colombia, and Israel. The campaign employs a multi-stage payload delivery method, leveraging living-off-the-land binaries (LOLBins) and anti-debugger techniques to maintain persistence and evade detection. The primary objectives include credential harvesting, cryptocurrency mining, and ransomware deployment. The compromised WordPress sites are believed to have been accessed through known plugin exploits and compromised credentials.
Source: ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners — thehackernews.com — 26.08.2025 13:45
Information Snippets
All snippets below were first reported 26.08.2025 13:45 (1 source, 1 article): ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners — thehackernews.com — 26.08.2025 13:45
- The ShadowCaptcha campaign exploits over 100 compromised WordPress sites.
- The campaign uses fake CAPTCHA pages and social engineering tactics to deliver malware.
- The attacks began in August 2025.
- The campaign targets users in various sectors and geographies, including Australia, Brazil, Italy, Canada, Colombia, and Israel.
- The attacks involve a multi-stage payload delivery method, including LOLBins and anti-debugger techniques.
- The primary objectives of the campaign include credential harvesting, cryptocurrency mining, and ransomware deployment.
- The compromised WordPress sites are believed to have been accessed through known plugin exploits and compromised credentials.
- The campaign uses ClickFix lures to trick users into downloading malicious HTA files.
- The attacks employ obfuscated JavaScript to copy malicious commands to the user's clipboard.
- The campaign uses DLL side-loading to execute malicious code under the guise of legitimate processes.
- Some variants of the campaign deploy an XMRig-based cryptocurrency miner.
- The attackers use a vulnerable driver to achieve kernel-level access for improved mining efficiency.
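The snippets above describe the ClickFix pattern: a CAPTCHA-themed lure, script that writes to the visitor's clipboard, and on-screen steps that walk the visitor through pasting what was copied. A site owner or analyst who has saved the HTML of a suspect page can look for that combination statically. The following is an added example written for this page; it is not code from the article, from the reporting vendor, or from the campaign. The indicator regexes, their weights, and the alert threshold are assumptions chosen for the demo, and the sample pages are constructed (the string the lure page copies is a harmless placeholder, not a real payload).

```python
"""
Static check for ClickFix-style fake CAPTCHA pages (added example).

Scans saved HTML for the combination the reporting describes: a CAPTCHA
lure, clipboard-writing script, and "press Win+R / Ctrl+V" style steps.
Indicator patterns, weights and the threshold are assumptions for this demo.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight) - weights are demo assumptions, not a published scheme.
INDICATORS = [
    ("clipboard_api", re.compile(r"navigator\.clipboard\.writeText\s*\(", re.I), 3),
    ("execcommand_copy", re.compile(r"execCommand\s*\(\s*['\"]copy['\"]", re.I), 3),
    ("captcha_lure", re.compile(r"\b(verify you are human|i'?m not a robot|captcha)\b", re.I), 1),
    ("run_dialog_steps", re.compile(r"(win(dows)?\s*\+\s*r|press\s+(ctrl|win)\s*\+\s*[rv]|paste.*enter)", re.I), 2),
    ("mshta_or_hta", re.compile(r"\bmshta\b|\.hta\b", re.I), 3),
    ("string_obfuscation", re.compile(r"(fromCharCode|atob\s*\(|unescape\s*\()", re.I), 1),
]
ALERT_THRESHOLD = 5  # demo assumption


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Clipboard write plus a lure or paste instructions is the ClickFix signature."""
        names = set(self.hits)
        clipboard = {"clipboard_api", "execcommand_copy"} & names
        lure = {"captcha_lure", "run_dialog_steps"} & names
        if clipboard and lure:
            return "likely-clickfix"
        if self.score >= ALERT_THRESHOLD:
            return "suspicious"
        return "clean"


def scan_page(html: str) -> ScanResult:
    """Match every indicator once against the page text and accumulate the score."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            result.hits.append(name)
            result.score += weight
    return result


# Constructed sample lure page; the copied string is a harmless placeholder.
LURE_PAGE = """<html><body>
<h2>Verify you are human</h2>
<p>Step 1: Press Win + R. Step 2: Press Ctrl + V. Step 3: Press Enter.</p>
<script>
  var s = "PLACEHOLDER_COMMAND";
  document.addEventListener('click', function () { navigator.clipboard.writeText(s); });
</script>
</body></html>"""

# Constructed benign page: a CAPTCHA widget that never touches the clipboard.
BENIGN_PAGE = """<html><body>
<p>I'm not a robot</p>
<div class="g-recaptcha" data-sitekey="EXAMPLE"></div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        r = scan_page(page)
        print(f"{label}: verdict={r.verdict} score={r.score} hits={r.hits}")
```

The verdict deliberately keys on the co-occurrence of a clipboard write with a lure or paste instruction rather than on the raw score: legitimate "copy to clipboard" buttons and legitimate CAPTCHA widgets are each common on their own, and only the combination matches the pattern the snippets describe. Heavily obfuscated script may hide the `writeText` call from a regex; in that case the `string_obfuscation` hit is the cue to decode and rescan.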
Similar Happenings
RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare
The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.
SlopAds Fraud Ring Exploits 224 Android Apps for Ad Fraud
A sophisticated ad fraud operation, SlopAds, exploited 224 Android apps to generate 2.3 billion daily ad bids. The apps, downloaded 38 million times across 228 countries, used steganography and hidden WebViews to create fraudulent ad impressions and clicks. The fraud was conditional, activating only if the app was installed via an ad click. Google removed the offending apps from the Play Store and updated Google Play Protect to warn users. The operation leveraged AI-themed services and a complex command-and-control infrastructure. The fraudulent behavior was designed to evade detection by blending malicious traffic into legitimate campaign data. The SlopAds campaign was discovered by HUMAN's Satori Threat Intelligence team, which identified the apps as 'AI slop' due to their mass-produced appearance and AI-themed services. The apps used Firebase Remote Config to download an encrypted configuration file containing URLs for the ad fraud malware module, cashout servers, and a JavaScript payload. The campaign included numerous command-and-control servers and more than 300 related promotional domains, suggesting the threat actors planned further expansion.
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
Misconfigured Docker APIs Exploited in TOR-Based Cryptojacking Campaign
A new variant of a TOR-based cryptojacking campaign targets exposed Docker APIs. The attack involves executing a new container based on the Alpine Docker image and mounting the host file system. The attackers then run a Base64-encoded payload to download a shell script downloader from a .onion domain. The script installs tools for reconnaissance and communication with a command-and-control (C2) server. The campaign may aim to establish a complex botnet. The attack chain includes exploiting additional ports (23, 9222) and using known default credentials for brute-forcing logins. The malware scans for open Docker API services at port 2375 and propagates the infection to those machines. The attackers block external access to port 2375 using available firewall utilities and install persistent SSH access. The malware includes dormant logic for future expansion opportunities for credential theft, browser session hijacking, remote file download, and distributed denial-of-service (DDoS) attacks. The campaign highlights the importance of securing Docker APIs and limiting exposure of services to the internet.
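The Docker campaign above spreads through daemons whose API listens on port 2375 without authentication. Whether a host is exposed that way can be read from two places: the `hosts` entries in `daemon.json` and the sockets the daemon actually has open. The following is an added example written for this page, not code from the article or from the Docker project. It parses a constructed `daemon.json` and constructed `ss -H -ltn` output; the severity labels are assumptions (plaintext 2375 reachable from other hosts is treated as high, a TLS 2376 listener as medium because TLS alone does not prove client verification is on).

```python
"""
Exposure check for the Docker daemon API (added example).

Reads daemon.json "hosts" entries and `ss -H -ltn` listener lines and
reports any Docker API socket reachable from outside the host.
2375 is the conventional plaintext API port, 2376 the TLS port.
Both inputs below are constructed for the demo.
"""
import json
import re
from ipaddress import ip_address

DOCKER_API_PORTS = {2375: "plaintext", 2376: "tls"}
WILDCARDS = {"0.0.0.0", "*", "::"}


def is_reachable_remotely(addr: str) -> bool:
    """True if a socket bound to addr accepts connections from other hosts."""
    addr = addr.strip("[]")
    if addr in WILDCARDS:
        return True
    try:
        return not ip_address(addr).is_loopback
    except ValueError:
        return True  # unparsable address: assume the worse case


def hosts_from_daemon_json(text: str):
    """Yield (addr, port) for every tcp:// entry in daemon.json's "hosts" list."""
    cfg = json.loads(text)
    for entry in cfg.get("hosts", []):
        m = re.fullmatch(r"tcp://(\[[^\]]+\]|[^:]+)?:(\d+)", entry)
        if m:
            # "tcp://:2375" (no address) binds all interfaces
            yield (m.group(1) or "0.0.0.0"), int(m.group(2))


def listeners_from_ss(text: str):
    """Yield (addr, port) from `ss -H -ltn` lines: state recv-q send-q local peer."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr, int(port)


def assess(daemon_json: str, ss_output: str):
    """Return findings as (source, addr, port, severity) for exposed API sockets."""
    findings = []
    sources = (("daemon.json", hosts_from_daemon_json(daemon_json)),
               ("listening socket", listeners_from_ss(ss_output)))
    for source, pairs in sources:
        for addr, port in pairs:
            if port not in DOCKER_API_PORTS or not is_reachable_remotely(addr):
                continue
            severity = "high" if DOCKER_API_PORTS[port] == "plaintext" else "medium"
            findings.append((source, addr, port, severity))
    return findings


# Constructed weak configuration: API on every interface, no TLS.
WEAK_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
# Constructed hardened configuration: local socket only.
HARDENED_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})
# Constructed `ss -H -ltn` output for a host running the weak configuration.
SS_OUTPUT = """LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 [::]:2376 [::]:*
"""

if __name__ == "__main__":
    for source, addr, port, severity in assess(WEAK_DAEMON_JSON, SS_OUTPUT):
        print(f"[{severity}] {source}: {addr}:{port} ({DOCKER_API_PORTS[port]})")
    print("hardened config findings:", assess(HARDENED_DAEMON_JSON, ""))
```

Run the check on the live host by replacing the constructed inputs with the contents of `/etc/docker/daemon.json` and the output of `ss -H -ltn`. The loopback 2375 listener is not reported because only a local process can reach it; the two wildcard listeners are, and the plaintext one is what the campaign's scanner looks for.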