Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.
“Site visitors get injected content that was drive-by malware like fake Cloudflare verification,” Sucuri researcher Puja Srivastava said in an analysis published last week.
The website security company said it began an investigation after one of its customer’s WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file (“functions.php”).
The code inserted into “functions.php” incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain “brazilc[.]com,” which, in turn, responds with a dynamic payload that includes two components –
- A JavaScript file hosted on a remote server (“porsasystem[.]com”), which, as of writing, has been referenced on 17 websites and contains code to perform site redirects
- A piece of JavaScript code that creates a hidden, 1×1 pixel iframe, within which it injects code that mimics legitimate Cloudflare assets like “cdn-cgi/challenge-platform/scripts/jsd/main.js” – an API that’s a core part of its bot detection and challenge platform
It’s worth noting that the domain “porsasystem[.]com” has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
According to information shared by an account named “monitorsg” on Mastodon on September 19, 2025, the infection chain starts with users visiting a compromised site, resulting in the execution of “porsasystem[.]com/6m9x.js,” which then leads to “porsasystem[.]com/js.php” to eventually take the victims to ClickFix-style pages for malware distribution.
The findings illustrate the need for securing WordPress sites and ensuring that plugins, themes, and website software are kept up-to-date, enforcing strong passwords, scanning the sites for anomalies and unexpected administrator accounts created for maintaining persistent access even after the malware is detected and removed.
Create ClickFix Pages Using IUAM ClickFix Generator
The disclosure comes as Palo Alto Networks Unit 42 detailed a phishing kit named IUAM ClickFix Generator that allows attackers to infect users with malware by leveraging the ClickFix social engineering technique and come up with customizable landing pages by mimicking browser verification challenges often used to block automated traffic.
“This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page commonly deployed by Content Delivery Networks (CDNs) and cloud security providers to defend against automated threats,” security researcher Amer Elsad said. “The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure.”
The bespoke phishing pages also come with capabilities to manipulate the clipboard, a crucial step in the ClickFix attack, as well as detect the operating system used in order to tailor the infection sequence and serve compatible malware.
In at least two different cases, threat actors have been detected using pages generated using the kit to deploy information stealers such as DeerStealer and Odyssey Stealer, the latter of which is designed to target Apple macOS systems.
The emergence of the IUAM ClickFix Generator adds to a prior alert from Microsoft warning of a rise in commercial ClickFix builders on underground forums since late 2024. Another notable example of a phishing kit that has integrated the offering is Impact Solutions.
“The kits offer creation of landing pages with a variety of available lures, including Cloudflare,” Microsoft noted back in August 2025. “They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence.”
It goes without saying that these tools further lower the barrier to entry for cybercriminals, enabling them to mount sophisticated, multi-platform attacks at scale without much effort or technical expertise.
ClickFix Becomes Stealthy via Cache Smuggling
The findings also follow the discovery of a new campaign that has innovated on the ClickFix attack formula by employing a sneaky technique referred to as cache smuggling to fly under the radar as opposed to explicitly downloading any malicious files on the target host.
“This campaign differs from previous ClickFix variants in that the malicious script does not download any files or communicate with the internet,” Expel Principal Threat Researcher Marcus Hutchins said. “This is achieved by using the browser’s cache to pre-emptively store arbitrary data onto the user’s machine.”
Expel said it was unable to determine the final payload received as part of the attack. It’s also currently not known how users are redirected to the phishing page, and if it involves techniques like malvertising or search engine optimization (SEO) poisoning.
In the attack documented by the cybersecurity company, the ClickFix-themed page masquerades as a Fortinet VPN Compliance Checker, using FileFix tactics to deceive users into launching the Windows File Explorer and pasting a malicious command into the address bar to trigger the execution of the payload.
The invisible command is designed to run a PowerShell script via conhost.exe. What makes the script stand apart is that it does not download any additional malware or communicate with an attacker-controlled server. Instead, it executes an obfuscated payload that passes off as a JPEG image and is already cached by the browser when the user lands on the phishing page.
“The file extracted from the cache is used to set up a scheduled task, which is set to run after each reboot,” Hutchins told The Hacker News. “When the task runs, it connects to a command-and-control server waiting for follow-up commands.”
“Neither the web page nor the PowerShell script explicitly downloads any files,” Hutchins explained. “By simply letting the browser cache the fake ‘image,’ the malware is able to get an entire ZIP file onto the local system without the PowerShell command needing to make any web requests.”
“The implications of this technique are concerning, as cache smuggling may offer a way to evade protections that would otherwise catch malicious files as they are downloaded and executed. An innocuous-looking ‘image/jpeg’ file is downloaded, only to have its contents extracted and then executed via a PowerShell command hidden in a ClickFix phishing lure.”
(The story was updated after publication to include additional insights from Expel.)
