
A new, large-scale campaign has been observed using over 100 compromised WordPress sites to redirect visitors to fake Captcha verification pages that deliver information stealers, ransomware, and cryptocurrency miners using ClickFix social engineering tactics.
The cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency.
“The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload distribution to gain and maintain a foothold on the target system.”
“The ultimate goal of ShadowCaptcha is to collect sensitive information through credential harvesting and browser data exfiltration, deploy cryptocurrency miners to generate illicit profits, and even trigger ransomware outbreaks.”
The attack starts with an unsuspecting user visiting a compromised WordPress website that has been injected with malicious JavaScript code. That code starts a redirect chain which ultimately lands the victim on a fake Cloudflare or Google Captcha page.
From there, the attack chain branches into one of two paths depending on the ClickFix command displayed on the page. One path uses the Windows Run dialog; the other instructs the victim to save the page as an HTML application (HTA) and run it using MSHTA.EXE.

The execution flow triggered through the Windows Run dialog culminates in the deployment of the Lumma and Rhadamanthys stealers, either via an MSI installer launched with MSIEXEC.EXE or via a remotely hosted HTA file run with MSHTA.EXE.
It’s worth pointing out that CloudSEK documented last month a campaign that tricked users with ClickFix lures into downloading malicious HTA files to spread Epsilon Red ransomware.
“A compromised ClickFix page automatically runs obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy malicious commands to the user’s clipboard without any interaction, relying on the user to paste and run them,” the researchers said.
The attacks are characterized by the use of anti-debugging techniques that prevent the web pages from being inspected with browser developer tools, and they also rely on DLL sideloading to execute malicious code under the guise of a legitimate process.

Select ShadowCaptcha campaigns have also been observed delivering XMRig-based cryptocurrency miners. Some variants fetch the mining configuration from a Pastebin URL rather than hardcoding it in the malware, allowing the operators to adjust the parameters on the fly.
Where a miner payload is deployed, the attacker drops a vulnerable driver (“winring0x64.sys”) that allows interaction with CPU registers, providing kernel-level access and improving mining efficiency.
Of the infected WordPress sites, the majority are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning the technology, hospitality, legal/financial, healthcare, and real estate sectors.
To mitigate the risk posed by ShadowCaptcha, it is essential to raise awareness of ClickFix campaigns, segment networks to prevent lateral movement, keep WordPress sites up to date, and protect WordPress accounts with multifactor authentication (MFA).
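The Run-dialog execution flow described above (a LOLBin such as MSHTA.EXE or MSIEXEC.EXE spawned from the Run dialog with a remote payload, and the later WinRing0 driver drop) can be expressed as simple endpoint detection logic. This is an added example, not code from the original report or the agency; the event records are constructed Sysmon-style samples, and the field names, hostnames, and paths are assumptions for illustration.

```python
import re

# Constructed process-creation records (simplified Sysmon Event ID 1 shape).
# These are made-up samples for illustration, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/update.msi /qn"},
    {"parent": r"C:\Program Files\Installer\setup.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\alice\\Downloads\\app.msi"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

LOLBINS = {"mshta.exe", "msiexec.exe"}          # binaries named in the report
REMOTE_ARG = re.compile(r"(https?://|\\\\)\S+", re.IGNORECASE)  # URL or UNC path
KNOWN_ABUSED_DRIVERS = {"winring0x64.sys"}      # vulnerable driver named in the report

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a reason string when the event matches the ClickFix Run-dialog pattern, else None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if image not in LOLBINS:
        return None
    remote = REMOTE_ARG.search(event["cmdline"]) is not None
    # The Run dialog is hosted by explorer.exe, so explorer.exe -> LOLBin -> remote payload
    # is the highest-confidence signal; a remote payload from any parent is still worth a look.
    if parent == "explorer.exe" and remote:
        return f"{image} launched from explorer.exe with remote payload"
    if remote:
        return f"{image} with remote payload (parent {parent})"
    return None

def scan(events):
    """Index and reason for every event that matches."""
    hits = []
    for i, e in enumerate(events):
        reason = classify(e)
        if reason:
            hits.append((i, reason))
    return hits

def driver_load_suspicious(image_loaded):
    """True for a driver-load event (Sysmon Event ID 6 'ImageLoaded') of a known-abused driver."""
    return basename(image_loaded) in KNOWN_ABUSED_DRIVERS
```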
“ShadowCaptcha shows how social engineering attacks have evolved into full-spectrum cyber manipulation,” the researchers said. “By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”
The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and is linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites and ultimately direct users toward malicious destinations based on targeting criteria.

“This operation specializes in technical support scams that trap victims on fraudulent Microsoft Windows security alert pages using full-screen browser manipulation and exit-prevention techniques.”
Notable malware campaigns leveraging Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages use JavaScript to force browsers into full-screen mode, display fake security alerts, and present a fake Captcha challenge before rendering the scam content in order to evade automated security scanners.

The TDS operators are said to have developed a malicious WordPress plugin, known as “woocommerce_inputs”, between late 2024 and August 2025, initially providing redirection functionality and steadily adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on more than 10,000 sites around the world.
The malicious plugin impersonates WooCommerce to avoid detection by site owners. It is only installed after an attacker has breached a WordPress site via stolen administrator credentials.
“The plugin serves both as a traffic monetization tool and as a credential harvesting mechanism, demonstrating the continuous evolution from simple redirection capabilities to providing sophisticated malware as a service,” GoDaddy said.
“By offering off-the-shelf solutions that include C2 infrastructure, standardized PHP injection templates, and fully functional malicious WordPress plugins, Help TDS lowers the entry barrier for cybercriminals trying to monetize compromised websites.”
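A site owner reviewing a WordPress install for the two indicators this section describes (a plugin impersonating WooCommerce under a different slug, and pages carrying the full-screen, exit-prevention, clipboard-write and fake-Captcha behaviour) could run a check like the following. This is an added example, not code from GoDaddy or the report; the plugin headers and page fragments are constructed samples, and it assumes the impostor plugin advertises a WooCommerce-like “Plugin Name” header, which the page does not state.

```python
import re

# Constructed plugin headers keyed by directory slug: the official WooCommerce header,
# the impostor slug named on the page, and an unrelated plugin. Not files from a real site.
PLUGIN_HEADERS = {
    "woocommerce": "/*\nPlugin Name: WooCommerce\nAuthor: Automattic\n*/",
    "woocommerce_inputs": "/*\nPlugin Name: WooCommerce Inputs\nDescription: Form helpers\n*/",
    "akismet": "/*\nPlugin Name: Akismet Anti-spam\n*/",
}

# Constructed page fragments: one mimics the scam/fake-Captcha behaviour described, one is benign.
# The clipboard payload is a placeholder string, not a real command.
PAGES = {
    "verify.html": "<script>"
        "document.documentElement.requestFullscreen();"
        'window.addEventListener("beforeunload",function(e){e.preventDefault();e.returnValue="";});'
        'navigator.clipboard.writeText("PLACEHOLDER_COMMAND");'
        "</script><p>Verify you are human</p>",
    "about.html": "<p>About us</p><script>console.log('hi')</script>",
}

PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.MULTILINE)

def impostor_plugins(headers):
    """Slugs whose header claims to be WooCommerce but are not the official 'woocommerce' slug."""
    out = []
    for slug, hdr in headers.items():
        m = PLUGIN_NAME_RE.search(hdr)
        if m and "woocommerce" in m.group(1).lower() and slug != "woocommerce":
            out.append(slug)
    return out

# Behaviours the page attributes to the scam and ClickFix pages.
PAGE_INDICATORS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText", re.I),
    "forced_fullscreen": re.compile(r"requestFullscreen\s*\(", re.I),
    "exit_prevention": re.compile(r"beforeunload", re.I),
    "captcha_lure": re.compile(r"verify (that )?you are (a )?human", re.I),
}

def page_indicators(html):
    """Sorted names of the indicators present in one page's HTML/JS."""
    return sorted(name for name, rx in PAGE_INDICATORS.items() if rx.search(html))

def suspicious_pages(pages, threshold=2):
    """Pages with at least `threshold` indicators; one alone (e.g. beforeunload) is common on benign sites."""
    result = {}
    for name, html in pages.items():
        hits = page_indicators(html)
        if len(hits) >= threshold:
            result[name] = hits
    return result
```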