A sophisticated global cybercrime campaign dubbed “ShadowCaptcha” has emerged as a significant threat to organizations worldwide, leveraging fake Google and Cloudflare CAPTCHA pages to trick victims into executing malicious commands.
Discovered by researchers at the Israel National Digital Agency in August 2025, this large-scale operation has been active for at least one year, exploiting hundreds of compromised WordPress websites to deliver multi-stage malware payloads.
The campaign employs a deceptive technique known as ClickFix: attackers inject malicious JavaScript into compromised WordPress sites, and that script redirects visitors to attacker-controlled infrastructure hosting fake CAPTCHA verification pages.
These convincingly designed pages mimic legitimate Cloudflare or Google security checks, prompting unsuspecting users to copy and execute PowerShell commands under the guise of completing a security verification process.
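As an added illustration (not code from the researchers' report or from the campaign itself), the heuristic below shows how a defender might triage crawled or proxied HTML for the three traits a ClickFix lure combines: verification-themed wording, a script that writes to the clipboard, and a LOLBin such as PowerShell named inside that script. The two sample pages are constructed for this example; the flagged one copies only a harmless placeholder command.

```python
import re
from dataclasses import dataclass

# Lure wording typical of fake "verify you are human" pages (a heuristic, not an IoC list).
CAPTCHA_LURE = re.compile(
    r"verify (?:that )?you(?:'re| are) (?:a )?human|security verification"
    r"|checking your browser|press win(?:dows)?\s*\+\s*r", re.I)
# JavaScript that silently places text on the visitor's clipboard.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Living-off-the-land binaries a pasted command would typically invoke.
LOLBIN = re.compile(
    r"\b(?:powershell(?:\.exe)?|pwsh|mshta|cmd(?:\.exe)?|rundll32|regsvr32|wscript|cscript)\b", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


@dataclass
class Finding:
    score: int
    reasons: list

    @property
    def is_clickfix(self) -> bool:
        # Require all three traits together; any one alone is common on benign pages.
        return self.score >= 3


def score_page(html: str) -> Finding:
    """Score one HTML document; score 3 means all ClickFix traits are present."""
    reasons = []
    if CAPTCHA_LURE.search(html):
        reasons.append("CAPTCHA-style lure text")
    scripts = "\n".join(SCRIPT_BLOCK.findall(html))  # only inline script bodies
    if CLIPBOARD_WRITE.search(scripts):
        reasons.append("inline script writes to clipboard")
    if LOLBIN.search(scripts):
        reasons.append("LOLBin referenced inside inline script")
    return Finding(len(reasons), reasons)


# Constructed fixtures (not real campaign pages). The lure copies a harmless placeholder.
FAKE_CAPTCHA_PAGE = """<html><body><h2>Verify you are human</h2>
<p>Press Win + R, then Ctrl + V and Enter to complete the security verification.</p>
<script>navigator.clipboard.writeText('powershell -NoProfile -Command "Write-Host placeholder"');</script>
</body></html>"""
BENIGN_PAGE = """<html><body><h2>Verify you are human</h2>
<script src="https://example.com/captcha-widget.js"></script>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_CAPTCHA_PAGE), ("benign", BENIGN_PAGE)):
        f = score_page(page)
        print(f"{name}: score={f.score} clickfix={f.is_clickfix} reasons={f.reasons}")
```

A real deployment would feed this from a crawler of your own WordPress properties or from proxy logs, and treat a hit as a trigger for review rather than a verdict on its own.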
Retrospective analysis has revealed the campaign’s extensive reach, with over 100 compromised WordPress sites serving as initial infection vectors and hundreds of malware samples spanning multiple families and variants.
Gov.li analysts identified the campaign’s opportunistic nature, targeting organizations across all sectors regardless of size or industry vertical.
The attack operates through a sophisticated multi-stage delivery mechanism that combines social engineering with living-off-the-land binaries (LOLBins) to maintain persistence while evading detection.
Once victims execute the disguised malicious commands, the malware establishes a foothold within targeted systems and proceeds with its primary objectives.
Multi-Faceted Monetization Strategy
ShadowCaptcha’s infection mechanism demonstrates remarkable versatility in its monetization approach.
The malware focuses on three primary revenue streams: credential harvesting and browser data exfiltration for identity theft, deployment of cryptocurrency miners to generate illicit profits from infected systems, and potential ransomware deployment for immediate financial gain.
This multi-pronged strategy maximizes the attackers’ return on investment while creating sustained unauthorized access to compromised networks.
The campaign’s ability to adapt its payload based on system characteristics and security posture makes it particularly dangerous, as it can pivot between different attack modes to avoid detection while maintaining persistent access to valuable corporate resources.