ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners
Briefly

"The attacks begin with unsuspecting users visiting a compromised WordPress website that has been injected with malicious JavaScript code that's responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page. From there, the attack chain forks into two, depending on the ClickFix instructions displayed on the web page: One that utilizes the Windows Run dialog and another that guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe."
"The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency. "The campaign [...] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems," researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said. "The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.""
ShadowCaptcha is a large-scale campaign, detected in August 2025, that abuses over 100 compromised WordPress sites to redirect visitors to fake CAPTCHA pages. Malicious JavaScript injected into the infected sites starts a redirection chain that ends on a page showing ClickFix instructions, which fork the attack into two execution paths: one that uses the Windows Run dialog and one that instructs the victim to save the page as an HTA and run it with mshta.exe. The Windows Run path leads to the Lumma and Rhadamanthys stealers, delivered through MSI installers or remotely hosted HTA files, while the saved-HTA path installs Epsilon Red ransomware. The campaign combines social engineering, living-off-the-land binaries, and multi-stage payload delivery to harvest credentials, exfiltrate browser data, deploy cryptominers, and enable ransomware outbreaks.
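Both execution paths in the summary end with mshta.exe being launched by the user, either against a remotely hosted HTA (Run dialog path) or against an HTA saved to disk (saved-HTA path). The script below is an added example, not code from the Briefly digest or from the Hacker News article it summarizes: it runs a defender-side check over a few constructed, Sysmon-style process-creation events (flattened into an assumed `key=value|key=value` line format) and flags mshta.exe invocations that match either path, noting when the parent is explorer.exe, which is what a Run-dialog or double-click launch looks like in telemetry.

```python
"""
Added example (not from the Briefly digest or the Hacker News article):
flag process-creation events that match the two ShadowCaptcha execution
paths described above. The log format and the sample events are constructed.
"""
import re

# Constructed sample events in an assumed "key=value|key=value" format.
# Paths, PIDs and the .invalid host name are made up for this example.
SAMPLE_EVENTS = [
    # Run-dialog path: mshta.exe pointed at a remotely hosted HTA
    "pid=4120|image=C:\\Windows\\System32\\mshta.exe|parent=C:\\Windows\\explorer.exe"
    "|cmd=mshta.exe https://captcha-verify.invalid/v.hta",
    # Saved-HTA path: user saved the page as an HTA and ran it
    "pid=4188|image=C:\\Windows\\System32\\mshta.exe|parent=C:\\Windows\\explorer.exe"
    "|cmd=mshta.exe C:\\Users\\alice\\Downloads\\Verify.hta",
    # Benign: a vendor service running its own HTA from Program Files
    "pid=4201|image=C:\\Windows\\System32\\mshta.exe|parent=C:\\Program Files\\VendorApp\\svc.exe"
    "|cmd=mshta.exe C:\\Program Files\\VendorApp\\ui.hta",
    # Benign: unrelated process
    "pid=4300|image=C:\\Windows\\System32\\notepad.exe|parent=C:\\Windows\\explorer.exe"
    "|cmd=notepad.exe notes.txt",
]

# Locations a low-privileged user can write to (where a saved HTA would land).
USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\|\\AppData\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
HTA_FILE = re.compile(r"\S+\.hta\b", re.IGNORECASE)


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event matches a ShadowCaptcha path (empty if none)."""
    reasons = []
    if basename(event.get("image", "")) != "mshta.exe":
        return reasons
    cmd = event.get("cmd", "")
    if REMOTE_URL.search(cmd):
        reasons.append("mshta.exe fetching a remotely hosted HTA")
    match = HTA_FILE.search(cmd)
    if match and USER_WRITABLE.search(match.group(0)):
        reasons.append("mshta.exe running an HTA saved under a user-writable path")
    # Only annotate the parent when one of the paths already matched, so a
    # vendor HTA launched by a service does not become a finding by itself.
    if reasons and basename(event.get("parent", "")) == "explorer.exe":
        reasons.append("parent is explorer.exe (consistent with Run dialog or double-click launch)")
    return reasons


def detect(lines):
    """Return [(pid, reasons), ...] for every event that matches."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The two benign events are there on purpose: mshta.exe is a legitimate Windows binary, so alerting on every mshta.exe start produces noise in environments that ship HTA-based tooling. Keying on a remote URL or a user-writable .hta path, and on explorer.exe as the parent, narrows the match to the user-driven launches that ClickFix depends on.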
Read at The Hacker News