250+ WordPress Sites Compromised to Deliver Infostealers via ClickFix
Global campaign hijacks WordPress sites in 12 countries to serve fake Cloudflare CAPTCHAs that deploy Vidar, VodkaStealer, and other credential theft malware.
A widespread campaign has compromised over 250 legitimate WordPress websites to distribute infostealer malware, according to threat researchers at Rapid7. The attackers weaponize trusted sites to serve fake Cloudflare CAPTCHA pages that trick visitors into executing malicious PowerShell commands.
The operation has been active since December 2025 and affects sites across 12 countries, including regional news outlets, local businesses, and even a US Senate candidate's official webpage.
How the Attack Works
Attackers inject obfuscated JavaScript into compromised WordPress sites. When visitors arrive, the code displays a convincing fake Cloudflare "Verify you are human" CAPTCHA overlay.
But instead of clicking a checkbox, users are instructed to:
- Open the Windows Run dialog (Win+R)
- Paste a command that was automatically copied to their clipboard
- Press Enter
That command executes PowerShell code that fetches secondary payloads from attacker infrastructure. The social engineering is effective because users believe they're interacting with legitimate security verification from a trusted website.
This ClickFix technique has become the preferred delivery method for multiple threat actors. By tricking users into executing the command themselves, attackers bypass security tools that would block automated malware downloads.
Four Infostealer Families Deployed
Rapid7 observed multiple malware payloads delivered through the compromised sites:
Vidar Stealer (v2): An updated version featuring encrypted C2 configurations using a custom Vigenère-like decryption routine. The new variant includes previously undocumented string obfuscation with per-string XOR keys.
VodkaStealer: A newly identified C++ stealer that lacks sophisticated anti-analysis measures but performs comprehensive browser data harvesting, screenshot capture, and cryptocurrency wallet targeting. Notably, it blocks execution on systems with Russian or Belarusian locale settings—a common self-defense mechanism among Eastern European threat actors.
Impure Stealer: A .NET-based stealer using custom Type-Length-Value encoding and AES-256-CBC encryption. It employs code-flattening obfuscation and unique string decryption patterns.
DoubleDonut Loader: A two-stage Donut shellcode implementation. The first stage downloads secondary shellcode that gets injected into legitimate svchost.exe processes, with final payloads executed entirely in memory.
All four families target the same data: browser credentials, cryptocurrency wallets, and sensitive files.
Global Reach
Compromised sites span 12 countries:
- Australia
- Brazil
- Canada
- Czechia
- Germany
- India
- Israel
- Singapore
- Slovakia
- Switzerland
- United Kingdom
- United States
The variety of victims—news sites, small businesses, political campaigns—suggests opportunistic targeting rather than strategic selection. Attackers likely exploited common WordPress vulnerabilities or brute-forced admin credentials.
Infection Chain Details
The attack infrastructure centers on several IP addresses, primarily 94.154.35[.]115 (later rotated to 172.94.9[.]187). JavaScript delivery occurs through domains like cptoptious[.]com and captioto[.]com, as well as through compromised WordPress admin-ajax.php endpoints.
Initial PowerShell execution contacts 91.92.240[.]219, which delivers a secondary command fetching payloads from 178.16.53[.]70. Most infrastructure belongs to AS202412.
Rapid7 notes that many site owners cleaned visible malware but may not have addressed root cause vulnerabilities: "The question remains whether they truly have been sanitized."
Why This Matters
Website compromises that deliver malware occupy a particularly dangerous position in the threat landscape. Users visiting a regional news site or local business have no reason to suspect malicious activity. The trust relationship between reader and familiar website provides cover for attacks that more suspicious domains couldn't achieve.
Organizations with WordPress sites should:
- Audit for injected JavaScript in themes and plugins
- Review admin accounts for unauthorized access
- Update WordPress core, themes, and plugins immediately
- Implement WAF rules to detect ClickFix payload patterns
- Enable file integrity monitoring for early detection
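To make the first and last of these recommendations concrete, here is an added example (not Rapid7's or WordPress's code) of a heuristic scan for ClickFix-style injected JavaScript in a WordPress tree. The indicator list, weights and threshold are assumptions, and the two fixtures are constructed for the demo.

```python
import os
import re
import tempfile
# (name, regex, weight). Weights are an assumption: a clipboard write plus a
# "verify you are human" lure must cross THRESHOLD on its own.
INDICATORS = [
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I), 3),
    ("captcha_lure", re.compile(r"verify (?:that )?you are human|i am not a robot", re.I), 2),
    ("run_dialog_lure", re.compile(r"\bwin(?:dows)?\s*\+\s*r\b|\bwindows key\b", re.I), 2),
    ("decode_obfuscation", re.compile(r"\batob\(|String\.fromCharCode|unescape\(", re.I), 1),
    ("known_domain", re.compile(r"cptoptious\.com|captioto\.com", re.I), 5),  # domains named in the article
]
THRESHOLD = 4

def score_text(text):
    # Return (score, [matched indicator names]) for one file's contents.
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def scan_tree(root, exts=(".js", ".php", ".html")):
    # Walk a WordPress install and return (path, score, hits) for files at or above THRESHOLD.
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                score, hits = score_text(fh.read())
            if score >= THRESHOLD:
                findings.append((path, score, hits))
    return findings

# Constructed fixtures: a legitimate copy-link button, and an injected overlay that mimics
# the lure described in the article (the atob() argument decodes to "PLACEHOLDER", no payload).
BENIGN_SAMPLE = "jQuery('.copy-btn').on('click', function(){ navigator.clipboard.writeText(this.dataset.url); });"
INJECTED_SAMPLE = """<div id="cf-check">Verify you are human</div><script>
document.body.onclick=function(){navigator.clipboard.writeText(atob("UExBQ0VIT0xERVI="));
document.getElementById("cf-check").innerText="Press Win+R, then Ctrl+V and Enter";};</script>"""

def demo():
    # Write both fixtures into a throwaway theme directory and return what scan_tree flags.
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "site")
        os.makedirs(theme)
        for name, body in (("copy.js", BENIGN_SAMPLE), ("footer-inject.js", INJECTED_SAMPLE)):
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run `scan_tree("/var/www/html")` against a live install; a legitimate copy button scores below the threshold, while the overlay pattern the article describes is flagged with every matched indicator listed for triage.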
For users, the guidance is straightforward: no legitimate CAPTCHA asks you to run commands in PowerShell. If a website prompts this, close the tab immediately.
This campaign demonstrates why understanding phishing techniques remains essential—the same social engineering principles apply whether delivered by email or compromised website.