Find notable cyber news and cases, enriched with sources, timelines, and signals.

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

A global ClickFix campaign is abusing compromised WordPress sites to push infostealer malware to visitors, putting credentials and financial data at risk. The operation has already reached over 250 websites in at least 12 countries, showing broad criminal reach. Fake verification pages and malicious commands are being used to trigger infection on trusted sites. The payloads are designed to steal logins, wallets, and other sensitive information.

Related Happenings

REF6045 ClickFix banking fraud campaign targeting Mexican financial users

Campaign
H score36 First: 08.07.2026 15:52 Last: 08.07.2026 15:52 Sources 1

About this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...

SocGholish malware downloader hijacking WordPress sites

Malware Activity
H score57 First: 18.06.2026 16:25 Last: 18.06.2026 16:25 Sources 1

About this happening: **SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

PushEngage hit by cyberattack

Incident
H score93 First: 15.06.2026 12:59 Last: 15.06.2026 12:59 Sources 1

About this happening: **Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...

Latest development: 15.06.2026 20:37

Awesome Motive remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key, after attackers exploited a known UpdraftPlus flaw to steal CDN account credentials from a server in its environment and modify JavaScript served from the company's CDN. The company says its application servers, source code, and systems storing OptinMonster and TrustPulse account information were hosted separately and were not breached.

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign
H score73 First: 03.06.2026 00:54 Last: 03.06.2026 00:54 Sources 1

About this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...

Timeline

  1. 11.03.2026 16:45 3 articles · 4mo ago

    Rapid7 warns of a global WordPress ClickFix infostealer campaign

    Initial Disclosure

    Rapid7 warns that a global cyber-criminal campaign has compromised legitimate WordPress websites and is using fake Cloudflare Captcha pages and ClickFix social engineering to trick visitors into opening the Windows Run command box and pasting malicious commands that install infostealer malware. Observed payloads include Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut, and the operation has affected over 250 websites in at least 12 countries, including a US Senate candidate’s official webpage. The campaign has been active since December 2025.

    Show sources