Compromised WordPress Sites Deliver ClickFix Attacks

By Team-CWD, March 11, 2026


A widespread cyber-criminal campaign has compromised legitimate WordPress websites to infect visitors with infostealer malware, threat researchers at Rapid7 have warned.

The global operation has compromised over 250 websites including regional news publications, local business websites and a US Senate candidate’s official webpage. 

Sites in at least 12 countries have been impacted, including: Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK and the US.

The attackers’ goal is to exploit users’ trust in legitimate websites to secretly infect visitors with infostealer malware in order to steal sensitive data, including login credentials and financial information.

The campaign has been active since December 2025. In a blog post by Rapid7, researchers warn that the abuse of legitimate websites “makes this threat dangerous for organizations and individuals alike.”

During a visit to an infected site, users are shown what looks like a Cloudflare Captcha page, something they might expect to see on many websites. However, in this scenario the Captcha page is a convincing fake, designed to begin the infection process.

Fake Captcha and ClickFix Attacks For Social Engineering

The attackers deploy ClickFix, a social engineering technique which uses dialogue boxes containing fake verification messages, to trick people into copying, pasting and running malicious code on their own device.

In this campaign, the fake Captcha asks the user to open the Windows Run command box and paste in a command under the guise of additional verification. The command begins a multi-stage process of downloading and installing malware on the machine.
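The following added example (not from the article or from Rapid7) shows how a defender can triage the Run box history that Windows keeps per user in the `RunMRU` registry key, which is where a command pasted this way leaves a trace. The sample values are constructed, and the regular expressions are illustrative assumptions rather than indicators from this campaign.

```python
import re

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (name -> data).
# Windows stores each Run-box command with a trailing "\1".
SAMPLE_RUNMRU = {
    "MRUList": "cab",  # order of value names, most recent first
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "[placeholder] https://host.example.invalid/x"'
         " # Verification ID 0000\\1",
}

# Heuristics are illustrative assumptions, not indicators from the article.
CHECKS = {
    "interpreter": re.compile(r"\b(powershell|pwsh|cmd|mshta|msiexec|rundll32|regsvr32|"
                              r"wscript|cscript|curl|certutil|bitsadmin)(\.exe)?\b", re.I),
    "remote": re.compile(r"https?://", re.I),
    "concealed": re.compile(r"-w\w*\s+h\w*|-e(nc\w*)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "lure_text": re.compile(r"captcha|verif|robot|human", re.I),
}

def runmru_commands(values):
    """Return Run-box commands, most recent first, without the '\\1' terminator."""
    order = values.get("MRUList", "")
    return [values[k].removesuffix("\\1") for k in order if k in values]

def clickfix_reasons(cmd):
    """Names of every heuristic that matches the command."""
    return [name for name, rx in CHECKS.items() if rx.search(cmd)]

def triage(values):
    """Flag entries that launch an interpreter and match at least one other check."""
    hits = []
    for cmd in runmru_commands(values):
        reasons = clickfix_reasons(cmd)
        if "interpreter" in reasons and len(reasons) >= 2:
            hits.append((cmd, reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_RUNMRU):
        print(", ".join(reasons), "->", cmd)
```

On a Windows host, the same dictionary can be filled from the live key with the standard-library `winreg` module.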

Infostealer payloads observed being delivered via the compromised WordPress sites included Vidar Stealer, Impure Stealer, Vodka Stealer and Double Donut, the latter of which is often used as part of ClickFix campaigns.

No matter which payload is deployed, the goal is the same: steal usernames, passwords, digital wallets and other sensitive information from the victim. 

Whether they are used by those behind this campaign, or sold to other cybercriminals on underground forums, these stolen credentials can subsequently be used for financial theft or to conduct further, more targeted attacks against organizations.

“The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort,” warned Rapid7 researchers.

It is unclear exactly how the attackers compromised the targeted WordPress sites, but Rapid7 has suggested it could be linked to the exploitation of a WordPress plugin or theme vulnerability, the misuse of previously stolen credentials, or brute-force password attacks against publicly accessible admin interfaces.

Rapid7 has issued the following advice to WordPress site admins:

  • Regularly review all software components for outdated versions and perform vulnerability scans to identify and mitigate weaknesses
  • Use long and unpredictable passwords for administrative access, possibly using a password manager for audited security and convenience
  • Set up a second authentication factor for administrative access
  • Avoid running untrusted code on devices that store credentials (e.g. saved logins in a browser) usable to administer the website

Rapid7 said that it had notified US authorities about the Senate candidate’s official webpage being compromised.

Infosecurity has contacted WordPress for comment.


