Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
A global ClickFix campaign is abusing compromised WordPress sites to push infostealer malware to visitors, putting credentials and financial data at risk. The operation has already reached over 250 websites in at least 12 countries, showing broad criminal reach. Fake verification pages and malicious commands are being used to trigger infection on trusted sites. The payloads are designed to steal logins, wallets, and other sensitive information.
Related Happenings
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
Campaign
H score36
First: 08.07.2026 15:52
Last: 08.07.2026 15:52
Sources 1
About this happening:
The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
CampaignAbout this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
SocGholish malware downloader hijacking WordPress sites
Malware Activity
H score57
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
**SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
SocGholish malware downloader hijacking WordPress sites
Malware ActivityAbout this happening: **SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
PushEngage hit by cyberattack
Incident
H score93
First: 15.06.2026 12:59
Last: 15.06.2026 12:59
Sources 1
About this happening:
**Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...
PushEngage hit by cyberattack
IncidentAbout this happening: **Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...
Latest development: 15.06.2026 20:37
Awesome Motive remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key, after attackers exploited a known UpdraftPlus flaw to steal CDN account credentials from a server in its environment and modify JavaScript served from the company's CDN. The company says its application servers, source code, and systems storing OptinMonster and TrustPulse account information were hosted separately and were not breached.
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Timeline
-
11.03.2026 16:45 3 articles · 4mo ago
Rapid7 warns of a global WordPress ClickFix infostealer campaign
Initial DisclosureRapid7 warns that a global cyber-criminal campaign has compromised legitimate WordPress websites and is using fake Cloudflare Captcha pages and ClickFix social engineering to trick visitors into opening the Windows Run command box and pasting malicious commands that install infostealer malware. Observed payloads include Vidar Stealer, Impure Stealer, Vodka Stealer, and Double Donut, and the operation has affected over 250 websites in at least 12 countries, including a US Senate candidate’s official webpage. The campaign has been active since December 2025.
Show sources
- Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign — www.infosecurity-magazine.com — 11.03.2026 16:45
- Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign — www.infosecurity-magazine.com — 11.03.2026 16:45
- Australia warns of ClickFix attacks pushing Vidar Stealer malware — www.bleepingcomputer.com — 07.05.2026 21:00