- Rapid7 Reveals Large-scale WordPress Hijacking Campaign
- Fake Cloudflare CAPTCHA tricks visitors into running malware
- More than 250 websites compromised, including a US Senate candidate’s site
Cybercriminals are hijacking vulnerable WordPress sites left and right and turning them into launching pads for malware deployment, experts have warned.
Security researchers at Rapid7 claim to have seen an ongoing, automated, large-scale campaign that even affected an unnamed US Senate candidate.
According to the researchers, the crooks first scan the web for vulnerable WordPress sites. Initial access can come from a myriad of weaknesses, from default or bad admin login credentials to unpatched themes and WordPress plugins with widely available exploits.
Insertion of an infostealer
The campaign likely started in December 2025 and has so far affected more than 250 websites around the world.
Once inside, the crooks do their best not to raise the alarm. Nothing on the page is actually changed – all they do is add a fake Cloudflare CAPTCHA on the first visit. CAPTCHAs are so common these days that most people don’t think twice about them: they just complete the puzzle, confirm they’re not a robot, and go about their day.
But the way users are asked to solve the CAPTCHA should be a big red flag. Instead of clicking a box or dragging a slider, they’re asked to copy and paste a command into the Windows Run dialog, in classic ClickFix fashion.
So instead of proving they’re human, the visitors end up downloading and running the malware themselves. In this case, the malware is an infostealer designed to steal login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.
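As an added example (not taken from Rapid7's report or from this article), a site owner could screen the HTML their WordPress site serves for the lure described above: CAPTCHA branding combined with a clipboard write and Run-dialog instructions. The regex signals, function names and sample pages are constructed assumptions, not published indicators.

```python
import re
from html.parser import HTMLParser
# Heuristic signals: assumptions for illustration, not indicators published by Rapid7.
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
RUN_DIALOG = re.compile(r"\bwin(dows)?\s*(key)?\s*\+\s*r\b|\brun dialog\b|\bwindows run\b", re.I)
PASTE_STEP = re.compile(r"\bctrl\s*\+\s*v\b", re.I)
CAPTCHA_BRAND = re.compile(r"cloudflare|verify (that )?you are (a )?human|not a robot", re.I)

# Constructed sample pages; the copied command is a harmless placeholder.
LURE = """<html><body><h2>Cloudflare</h2><p>Verify you are human</p>
<ol><li>Press Windows + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>navigator.clipboard.writeText("PLACEHOLDER-COMMAND");</script></body></html>"""
BENIGN = """<html><body><h1>Local news</h1><p>Protected by Cloudflare.</p>
<script>document.title = "News";</script></body></html>"""

class _Splitter(HTMLParser):
    """Separates inline script source from the text a visitor reads."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

def clickfix_signals(html):
    """Return the names of the lure traits found in one HTML document."""
    p = _Splitter()
    p.feed(html)
    p.close()
    script, text = "\n".join(p.scripts), " ".join(p.text)
    both = text + "\n" + script  # instructions may be injected by script
    checks = [("captcha_branding", CAPTCHA_BRAND, text),
              ("clipboard_write", CLIPBOARD_WRITE, script),
              ("run_dialog_instruction", RUN_DIALOG, both),
              ("paste_instruction", PASTE_STEP, both)]
    return [name for name, rx, hay in checks if rx.search(hay)]

def is_suspicious(html):
    """No real CAPTCHA needs the Run dialog: that trait plus one more flags the page."""
    s = clickfix_signals(html)
    return "run_dialog_instruction" in s and len(s) >= 2
```

Because the fake CAPTCHA is shown on the first visit, fetch the page as a fresh visitor without cookies before passing the HTML to `is_suspicious`.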
Rapid7 says the campaign is likely highly automated and not targeting any specific industry. Regional media, small business websites and even a US Senate candidate’s official website were among the confirmed cases.
“The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort,” Rapid7 said in its report.
Via The Register



