Compromised legitimate WordPress websites used to infect visitors with infostealer malware; campaign expands across multiple victims
Campaign
Summary
A global ClickFix campaign is abusing compromised WordPress sites to push infostealer malware to visitors, putting credentials and financial data at risk. The operation has already reached over 250 websites in at least 12 countries, showing broad criminal reach. Fake verification pages and malicious commands are being used to trigger infection on trusted sites. The payloads are designed to steal logins, wallets, and other sensitive information.
Related Happenings
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
How related:
ACSC recommends that organizations restrict PowerShell execution and implement application allow-listing to reduce the risk from these attacks.
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Vercel v0.dev phishing campaign using GenAI-built lure pages
Campaign
First: 07.05.2026 11:30
Last: 07.05.2026 11:30
Sources 1
About this happening:
A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...
Google sponsored search ManageWP phishing campaign
Campaign
First: 07.05.2026 00:36
Last: 07.05.2026 00:36
Sources 1
About this happening:
A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
Timeline
- 11.03.2026 16:45 · 3 articles · 2mo ago
Rapid7 warns of a global WordPress ClickFix infostealer campaign
Initial Disclosure
Rapid7 warns that a global cyber-criminal campaign has compromised legitimate WordPress websites and is using fake Cloudflare Captcha pages and ClickFix social engineering to trick visitors into opening the Windows Run command box and pasting malicious commands that install infostealer malware. Observed payloads include Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut, and the operation has affected over 250 websites in at least 12 countries, including a US Senate candidate’s official webpage. The campaign has been active since December 2025.
Sources:
- Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign — www.infosecurity-magazine.com — 11.03.2026 16:45
- Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign — www.infosecurity-magazine.com — 11.03.2026 16:45
- Australia warns of ClickFix attacks pushing Vidar Stealer malware — www.bleepingcomputer.com — 07.05.2026 21:00