- Rapid7 uncovers large-scale WordPress hacking campaign
- Fake Cloudflare CAPTCHA tricks visitors into running malware
- More than 250 sites compromised, including the page of a US Senate candidate
Cybercriminals are hijacking vulnerable WordPress sites left and right and turning them into launching pads for malware deployment, experts have warned.
Security researchers at Rapid7 claim to have spotted an ongoing, large-scale, automated campaign that even affected an unnamed US Senate candidate.
According to the researchers, scammers first scan the web for vulnerable WordPress sites. Any of a myriad of weaknesses can be used to gain initial access, from default or poor admin login credentials to unpatched themes and WordPress plugins with widely available exploits.
Deploy an information stealer
The campaign likely started in December 2025 and has so far reached over 250 websites worldwide.
Once inside, the crooks do their best not to set off an alarm. Nothing on the site is actually changed; the only thing they do is add a fake Cloudflare CAPTCHA on the first visit. CAPTCHA checks are so common and habitual these days that most people don’t think twice about them: they simply complete the puzzle, confirm that they are not a robot, and move on with their day.
But the way users are asked to solve the CAPTCHA should be a huge red flag. Instead of clicking a box or dragging a cursor, they’re asked to copy and paste a command into Windows Run, in classic ClickFix fashion.
So, instead of proving that they are human, visitors end up downloading and running malware themselves. In this case, it’s an infostealer designed to exfiltrate login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.
Rapid7 says the campaign is likely highly automated and not targeting any specific industry. Regional media outlets, small business websites and even the official webpage of a U.S. Senate candidate were among the confirmed cases.
“The large-scale execution of the compromise on completely unrelated WordPress instances suggests a high level of automation on the part of the malicious actor and is likely part of a long-term organized criminal effort,” Rapid7 said in its report.
Via The Register