CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

WordPress Sites Exploited for ClickFix Phishing Attacks

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.

Timeline

  1. 08.10.2025 19:43 1 articles · 6d ago

    WordPress Sites Exploited for ClickFix Phishing Attacks

    WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

TA585 Using MonsterV2 in Phishing Campaigns

TA585, a sophisticated threat actor, has been actively delivering the MonsterV2 malware via phishing campaigns since February 2025. The group manages its own infrastructure and employs multiple delivery techniques, including IRS and SBA-themed lures, malicious JavaScript injections, and fake CAPTCHA verifications. MonsterV2, also known as Aurotun Stealer, is a versatile malware capable of stealing sensitive data, acting as a clipper, establishing remote control, and executing commands from a C2 server. The malware is sold by a Russian-speaking actor and is typically packed using a C++ crypter called SonicCrypt to evade detection. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.

Open in new tab