Hardware-Level Cybersecurity: How to Stop Root-of-Trust Exploits

A new expert analysis warns that root-of-trust (RoT) compromises can neutralize MFA and FIDO protections by subverting certificate trust and boot integrity. The campaign—linked to Secret Blizzard—demonstrates that once a system’s trust anchor is controlled, attackers can man-in-the-middle “secure” sessions and persist below the OS. This guide details practical defenses and standards-based controls.

A recent case study shows Russian-backed Secret Blizzard bypassing MFA at foreign embassies by tampering with the root of trust—the very mechanism devices use to decide what (and whom) to trust online. Instead of phishing credentials, attackers inserted a rogue root certificate and intercepted encrypted traffic without warnings, proving that TLS-anchored MFA fails when the device’s trust store is compromised.

What Happened

  • Attack essence: Control the victim’s local trust anchor (root CA / trust store) → impersonate sites via MITM → harvest tokens, cookies, and MFA flows without browser alerts.
  • Why it matters: FIDO/WebAuthn assume authentic TLS. If TLS validation is subverted, MFA loses its authenticity check.
  • Who’s at risk: Any org that relies solely on TLS + MFA without device-bound credentials, firmware integrity, and independent attestation—especially governments, cloud operators, finance, and enterprises with high-risk network locales.

“A root-of-trust compromise undermines all TLS-based protections, including FIDO-based MFA.” — The Hacker News expert analysis summarizing the campaign.

“Platform firmware must be protected, corruption detected, and recovery ensured in the event of compromise.” — NIST SP 800-193 (Platform Firmware Resiliency).

“Treat firmware and trust stores as live attack surfaces. Bind credentials to hardware, enforce measured boot, and continuously attest device state—or assume your MFA can be silently routed.” — El Mostafa Ouchen, cybersecurity author and analyst.

Technical Deep Dive

1) Root-of-Trust Attack Flow

  1. Trust Store Tampering: Adversary adds a malicious root CA or manipulates the device PKI.
  2. TLS Impersonation (MITM): The attacker issues leaf certs for target domains. The browser accepts them because the rogue root is trusted.
  3. Session Interception: Harvest SAML/OIDC tokens, cookies, and challenge/response flows—even with WebAuthn/FIDO—because the browser “thinks” it’s talking to the real site.

2) Why Firmware & Boot Matter

Above the OS, EDRs and browsers can’t see a poisoned trust anchor set during early boot or via privileged management engines. UEFI/firmware persistence was proven feasible by LoJax, the first in-the-wild UEFI rootkit, showing long-lived pre-OS footholds.

3) Controls That Actually Help

  • Device-bound, non-exportable keys (TPM/Secure Enclave/Pluton): Keys never leave hardware; sign-in requires the physical device.
  • Measured & Verified Boot: Record each boot stage in hardware and verify with policies; quarantine on mismatch. Follow NIST SP 800-193 for protect-detect-recover.
  • Independent Root of Trust for Credentials: Co-sign credentials with both the device and the identity cloud, so a tampered local trust store can’t forge identity.
  • Mutual Cryptographic Verification: Device ↔️ IdP both attest to each other beyond TLS (e.g., hardware signals + cloud policy).
  • Continuous Session Risk Checks: Re-evaluate device posture and revoke access mid-session on trust drift (rogue CA detected, boot log mismatch).

MITRE ATT&CK Mapping (selected)

  • Initial Access: Valid Accounts via session hijack (T1078), Exploit Trusted Relationship (T1199).
  • Defense Evasion: Modify Authentication Process / Subvert Trust Controls (T1556.004), Subvert Trust Controls (T1553).
  • Credential Access: Web session cookie theft (T1539 via MITM).
  • Persistence: Modify Boot/UEFI (T1542.003).
  • Command & Control: Web protocols over TLS (T1071.001).
    (IDs aligned to Enterprise matrix; exact sub-techniques vary by environment.)

Impact & Response

Impact: Stolen sessions, bypassed MFA, and durable persistence if boot firmware is altered. Government and regulated sectors face heightened compliance and reporting exposure given device trust failures.

Immediate actions (step-by-step):

  1. Inventory & lock trust stores: Alert on new root CAs; require admin-approval workflows + logging for CA changes.
  2. Turn on measured/verified boot across fleets; export boot measurements to an attestation service.
  3. Bind credentials to hardware: Enforce TPM/Secure Enclave/Pluton-backed keys; disable fallbacks to exportable secrets.
  4. Session protection: Short-lived tokens, continuous re-auth on posture drift, and token binding where available.
  5. Firmware discipline: Apply OEM updates; enable write protection on SPI flash; require signed UEFI capsules; monitor for UEFI variable anomalies.
  6. Isolation on suspicion: If rogue CAs or boot mismatches are detected, block access, capture measurements, and route the device to firmware re-flash / secure recovery.

Background & Context

  • Real-world precedent: LoJax proved UEFI persistence in the wild (Sednit/Fancy Bear), making below-OS implants a practical threat.
  • Raising the baseline: Vendors are pushing hardware roots like Microsoft Pluton to bring TPM-class security inside the CPU and enable simpler, updateable attestation at scale.

What’s Next

Expect wider adoption of hardware-anchored identity, token binding, and continuous device attestation—and likely policy mandates in government and critical infrastructure to implement NIST’s protect-detect-recover firmware model. For defenders, the lesson is clear: move trust from the network perimeter into silicon.

Root-of-Trust (RoT) Defense Checklist for CISOs & IT Teams

[Infographic] Root-of-Trust (RoT) Defense Checklist — key steps CISOs and IT teams can take to secure firmware, enforce device-bound credentials, monitor trust stores, and respond to breaches.

1. Firmware & Boot Integrity

  • ✅ Enable Secure Boot + Verified Boot on all endpoints.
  • ✅ Turn on measured boot and forward logs to an attestation service (e.g., Microsoft Defender ATP or custom MDM).
  • ✅ Apply NIST SP 800-193 Protect–Detect–Recover guidance: enable rollback protection, watchdogs, and signed firmware updates.

2. Credential Binding

  • ✅ Require TPM/Secure Enclave/Pluton for storing keys (disable exportable software keys).
  • ✅ Enforce device-bound FIDO2 credentials in identity providers (Azure AD, Okta, Google Workspace).
  • ✅ Turn off legacy MFA fallback (e.g., SMS or OTP that bypass hardware).

3. Trust Store & Certificates

  • ✅ Monitor for rogue root certificates in Windows/Mac/Linux trust stores.
  • ✅ Enforce admin-only CA installs with logging and SIEM integration.
  • ✅ Run weekly CA inventory scans; alert on any unauthorized roots.
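As an added example (not the article's or any vendor's tooling), the weekly CA inventory scan above can be implemented as a fingerprint diff against an approved baseline; the demo bundle below is constructed with placeholder DER bytes, and the `--system` path reads the real OS store:

```python
"""Trust-store drift check for the rogue-root scenario above: fingerprint every
root in a PEM bundle and diff it against an approved baseline. Added example,
not the article's or any vendor's tooling. The bundle used for the demo is
constructed with placeholder DER bytes; --system reads the real OS store."""
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle_text: str) -> dict:
    """Map SHA-256(DER) hex fingerprint -> 1-based position in the bundle.
    Hashing the DER bytes gives the same value 'openssl x509 -fingerprint
    -sha256' prints, so a baseline can be built from vendor-published lists."""
    fps = {}
    for idx, body in enumerate(PEM_BLOCK.findall(bundle_text), start=1):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps[hashlib.sha256(der).hexdigest()] = idx
    return fps


def diff_trust_store(baseline: set, bundle_text: str) -> dict:
    """Roots added to / removed from the approved set. 'added' is the alert
    condition: a root nobody approved is now trusted for every TLS session."""
    current = pem_fingerprints(bundle_text)
    return {
        "added": sorted(fp for fp in current if fp not in baseline),
        "removed": sorted(fp for fp in baseline if fp not in current),
    }


def load_system_bundle() -> str:
    """Read the OS root store. Windows: enumerate the ROOT store and re-wrap
    as PEM. Linux/macOS: the default CA file the ssl module reports."""
    if sys.platform == "win32":
        return "".join(ssl.DER_cert_to_PEM_cert(der)
                       for der, enc, _trust in ssl.enum_certificates("ROOT")
                       if enc == "x509_asn")
    with open(ssl.get_default_verify_paths().cafile, encoding="utf-8") as fh:
        return fh.read()


def _fake_pem(label: bytes) -> str:
    # Constructed placeholder "certificate": the body is not real DER, which
    # is fine here because the diff only ever hashes the decoded bytes.
    b64 = base64.b64encode(b"CONSTRUCTED-DER-" + label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


APPROVED_BUNDLE = _fake_pem(b"approved-root-A") + _fake_pem(b"approved-root-B")
DRIFTED_BUNDLE = APPROVED_BUNDLE + "# added outside the approval workflow\n" + _fake_pem(b"rogue-root")
BASELINE = set(pem_fingerprints(APPROVED_BUNDLE))   # captured on a known-good image


def check(bundle_text: str, baseline: set = BASELINE) -> int:
    """Exit-code style result for cron/SIEM: 0 = no drift, 2 = unapproved root."""
    delta = diff_trust_store(baseline, bundle_text)
    for fp in delta["added"]:
        print(f"ALERT unapproved root trusted, sha256={fp}")
    for fp in delta["removed"]:
        print(f"WARN approved root missing, sha256={fp}")
    return 2 if delta["added"] else 0


if __name__ == "__main__":
    bundle = load_system_bundle() if "--system" in sys.argv else DRIFTED_BUNDLE
    sys.exit(check(bundle))
```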

4. Session Protection

  • ✅ Enable token binding where supported (ties session to device).
  • ✅ Enforce short-lived tokens (e.g., 10–15 min for critical apps).
  • ✅ Turn on continuous risk evaluation—revoke sessions on CA mismatch or boot measurement drift.

5. Supply-Chain & Device Controls

  • ✅ Use OEM-signed firmware only; enable capsule update verification.
  • ✅ Lock SPI flash where hardware supports it.
  • ✅ Segment management engines (iLO, iDRAC, BMC) into separate VLANs with strict ACLs.

6. Incident Response Playbook

  • ✅ Isolate any device with trust-store anomalies or boot log mismatch.
  • ✅ Re-flash firmware with vendor images, not OS reinstalls (malware may survive).
  • ✅ Rotate all keys and certificates tied to that device.
  • ✅ Conduct a forensic review of boot/firmware logs for persistence artifacts.

📌 Pro Tip from El Mostafa Ouchen:

“Defenders must treat trust anchors—firmware, secure boot, TPMs—not as passive baselines but as active attack surfaces. Building continuous attestation pipelines is the only way to catch RoT drift before adversaries turn MFA into a bypassed formality.”

Sources:

  • The Hacker News — Expert Insights (Aug 18, 2025): Secret Blizzard’s RoT attack path and countermeasures (device-bound credentials, independent roots, mutual verification, continuous checks).
  • NIST SP 800-193 (2018): Platform Firmware Resiliency—protect, detect, recover model; measured/verified boot guidance.
  • ESET (LoJax, 2018): First in-the-wild UEFI rootkit demonstrating pre-OS persistence risk (welivesecurity.com).
  • Microsoft Pluton (2025 docs): Silicon-level root of trust, TPM 2.0 functionality, and updateable hardware security (Microsoft Learn; Microsoft Tech Community).

Over 100 WordPress Sites Compromised in ShadowCaptcha Malware Surge

A global campaign dubbed ShadowCaptcha is abusing more than 100 compromised WordPress sites to funnel visitors to counterfeit CAPTCHA checks that coerce “ClickFix” actions and launch malware—ranging from info-stealers and ransomware to crypto miners. Researchers link some infrastructure to Help TDS–style redirection and malicious plugins that masquerade as WooCommerce. (The Hacker News; GoDaddy)

A large-scale attack wave called ShadowCaptcha is redirecting users from more than 100 hacked WordPress sites to fake Cloudflare or Google CAPTCHA pages that trigger multi-stage malware installs, including Lumma and Rhadamanthys info-stealers, Epsilon Red ransomware, and XMRig coin miners, according to new research published August 26, 2025.

  • What’s new: ShadowCaptcha leverages compromised WordPress sites to run malicious JavaScript that sends visitors into a redirection chain ending on phony CAPTCHA pages. From there, victims are prompted to either paste a pre-copied command in Windows Run or save and execute an HTA file—both paths resulting in malware execution. (The Hacker News)
  • Scale: Researchers have observed 100+ infected sites, with concentrations in Australia, Brazil, Italy, Canada, Colombia, and Israel across technology, hospitality, legal/finance, healthcare and real-estate sectors. (The Hacker News)
  • Initial access: How the WordPress sites were breached varies; investigators have medium confidence that attackers abused vulnerable plugins and, in some cases, stolen admin credentials. (The Hacker News)
  • Related ecosystem: The campaign overlaps with traffic distribution systems (TDS) behavior seen in Help TDS, which has used a malicious plugin named “woocommerce_inputs” to redirect traffic and harvest credentials on thousands of sites. (GoDaddy)

“The campaign blends social engineering, living-off-the-land binaries, and multi-stage payload delivery to gain and maintain a foothold in targeted systems.” — Researchers credited by Israel’s National Digital Agency, via The Hacker News.

“The compromised ClickFix page copies a malicious command to the clipboard without interaction, relying on users to paste and run it unknowingly.” — Researchers describing the technique, via The Hacker News.

“Help TDS has evolved into a malware-as-a-service offering, with a malicious WooCommerce-named plugin installed post-compromise via stolen credentials.” — Denis Sinegubko, GoDaddy Security.

“ShadowCaptcha shows how a simple CAPTCHA lure can escalate into data theft, crypto mining, or full ransomware impact—often with mshta/msiexec abuse and vulnerable drivers for stealth and speed.” — El Mostafa Ouchen, cybersecurity author and analyst.


Technical Analysis

Attack chain & lures. Compromised WordPress pages inject JavaScript that redirects to counterfeit Cloudflare/Google CAPTCHA portals. The pages use ClickFix instructions to:

  1. open Windows Run and paste an attacker-supplied command (copied via navigator.clipboard.writeText), launching MSI or HTA payloads via msiexec.exe/mshta.exe; or
  2. save the page as an HTA and execute locally. (The Hacker News)

Payloads. Observed families include Lumma and Rhadamanthys (stealers), Epsilon Red (ransomware), and XMRig miners (with configs sometimes fetched from Pastebin). Some runs drop a vulnerable driver (WinRing0x64.sys) to manipulate CPU registers for higher mining yield. (The Hacker News)

Defense evasion. Pages implement anti-debugger checks to block browser dev tools inspection and use DLL side-loading to execute under trusted processes. (The Hacker News)

Possible delivery infra. Research into Help TDS documents a malicious “woocommerce_inputs” plugin used by attackers (not from the legitimate WooCommerce project) to redirect traffic, filter by geography, and exfiltrate credentials—capabilities that can dovetail with ShadowCaptcha’s redirection-first model. (GoDaddy)

MITRE ATT&CK (indicative):

  • Drive-by Compromise (T1189) via compromised sites and forced redirects.
  • User Execution (T1204) through ClickFix-guided Run/HTA steps.
  • Signed Binary Proxy Execution (T1218) using mshta.exe / msiexec.exe.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002).
  • Valid Accounts (T1078) for stolen WordPress admin credentials.
  • Exploitation for Privilege Escalation (T1068) via vulnerable driver abuse.

Impact & Response

Who’s at risk:

  • Site visitors—credential theft, data exfiltration, ransomware execution, resource hijacking for mining.
  • Site owners—reputation damage, SEO penalties, blacklisting, potential legal exposure for unsafe platforms. (The Hacker News)

Immediate actions:

  • Users: do not paste/run commands from web pages; block HTA where feasible; run EDR; scan for Lumma/Rhadamanthys/Epsilon Red; check for unauthorized drivers.
  • Admins: audit WordPress for unknown plugins (e.g., faux WooCommerce names), remove malicious injections, rotate credentials, enforce MFA, and patch core/plugins; review outbound redirects and logs; WAF/EDR rules for mshta/msiexec misuse; disable Pastebin-fetched configs at egress. (The Hacker News; GoDaddy)
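An added example, not the researchers' code, of the admin-side audit above: a static scan that scores page and plugin files on the indicators the analysis names (clipboard write, Run/HTA lures, anti-debugger checks, obfuscation). The three sample pages are constructed and contain only a placeholder string, no working command:

```python
"""Static scan for the ClickFix-style fake-CAPTCHA injection described above:
score a page or plugin file on the indicators the article names (clipboard
copy, Run/HTA execution lures, anti-debugger checks, obfuscation). Added
example, not the researchers' tooling; the three sample pages are constructed
and carry no working command, only a placeholder string."""
import re

# (name, pattern, weight). Each indicator alone is common on legitimate pages,
# so the verdict needs a clipboard write (or save-as-HTA lure) *plus* a lure
# that tells the visitor to execute what was copied.
INDICATORS = [
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I), 3),
    ("run_dialog_lure", re.compile(r"win(dows)?\s*\+\s*r\b|windows\s+run|press\s+win", re.I), 2),
    ("lolbin_mention", re.compile(r"\b(mshta|msiexec|powershell)\b", re.I), 3),
    ("hta_save_lure", re.compile(r"\.hta\b|save\s+(this\s+)?page", re.I), 2),
    ("fake_captcha_brand", re.compile(r"cloudflare|verify you are human|i'?m not a robot", re.I), 1),
    ("anti_debugger", re.compile(r"\bdebugger\b|devtools|outerWidth\s*-\s*innerWidth", re.I), 2),
    ("obfuscation", re.compile(r"\batob\(|String\.fromCharCode|unescape\(", re.I), 1),
]


def scan_page(html: str) -> dict:
    """Return hit counts, a weighted score and a verdict for one page/file."""
    hits = {name: len(rx.findall(html)) for name, rx, _w in INDICATORS}
    score = sum(w for name, _rx, w in INDICATORS if hits[name])
    exec_lure = hits["run_dialog_lure"] or hits["lolbin_mention"] or hits["hta_save_lure"]
    suspected = (hits["clipboard_write"] and exec_lure) or (
        hits["hta_save_lure"] and hits["fake_captcha_brand"])
    verdict = "clickfix_suspected" if suspected else ("review" if score >= 4 else "clean")
    return {"score": score, "hits": {k: v for k, v in hits.items() if v}, "verdict": verdict}


def scan_files(files: dict) -> list:
    """files: path -> content, e.g. theme/plugin .php/.js pulled from a site.
    Returns only the paths an admin should look at, worst first."""
    results = [(path, scan_page(text)) for path, text in files.items()]
    flagged = [r for r in results if r[1]["verdict"] != "clean"]
    return sorted(flagged, key=lambda r: -r[1]["score"])


SAMPLE_INJECTED = """<!-- constructed: fake CAPTCHA overlay injected into a compromised page -->
<div class="check">Cloudflare: Verify you are human</div>
<ol><li>Press Win + R</li><li>Press Ctrl + V, then Enter</li></ol>
<script>
setInterval(function () { debugger; }, 500);
navigator.clipboard.writeText(atob("UExBQ0VIT0xERVI="));  /* decodes to "PLACEHOLDER" */
</script>"""

SAMPLE_HTA = """<!-- constructed: save-and-run variant -->
<h1>reCAPTCHA: I'm not a robot</h1>
<p>To continue, save this page as verify.hta and open it.</p>"""

SAMPLE_BENIGN = """<!-- constructed: ordinary coupon page with a copy button -->
<p>Your code: <code id="c">SPRING25</code> <button onclick="copy()">Copy</button></p>
<script>function copy(){ navigator.clipboard.writeText(document.getElementById('c').textContent); }</script>"""


if __name__ == "__main__":
    samples = {"header.php": SAMPLE_INJECTED, "verify.html": SAMPLE_HTA, "promo.html": SAMPLE_BENIGN}
    for path, result in scan_files(samples):
        print(path, result["verdict"], result["score"], result["hits"])
```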

Potential regulatory angle: Sites handling personal data may face privacy/consumer-protection scrutiny if inadequate security controls facilitated malware delivery to visitors.


Background

The disclosure follows GoDaddy’s deep-dive on Help TDS, active since 2017, which arms affiliates with PHP templates and a malicious plugin to monetize hijacked traffic (tech-support scams, dating/crypto/sweepstakes), including fake CAPTCHA gates to evade automated scans. ShadowCaptcha adopts similar redirection motifs while expanding to stealers/ransomware/miners. (GoDaddy)


What’s Next

Researchers are continuing to track infrastructure and plugin variants, while urging WordPress operators to harden authentication, prune legacy/vulnerable plugins, and monitor for ClickFix-style clipboard abuse. Expect IOCs and cleanup guidance to roll out via security vendors and national agencies as investigations continue. (The Hacker News)

Nevada Battles Statewide IT Outage After Security Breach

Governor’s Technology Office says no evidence of PII exposure as FBI joins probe; DMV, agency websites and phone lines saw disruptions while emergency 911 remained available.

RENO, Nev. — Aug. 25, 2025. Nevada paused in-person services across state agencies on Monday while technicians worked to recover from a “network security incident” first detected early Sunday, according to a memo from the Governor’s Office. Officials said certain websites and phone lines were intermittently unavailable during recovery, but emergency call-taking remained online. (Carson Now)

What happened

  • The state identified a network security incident early Sunday, Aug. 24 and initiated 24/7 recovery and validation of systems. Agencies were instructed to suspend in-person counters Monday “to minimize disruption” while restoration proceeded. (Carson Now)
  • As of Monday afternoon, NV.gov and several agency sites (including the Department of Public Safety) experienced outages or slow response. (StateScoop; Carson Now)
  • The FBI’s Las Vegas field office confirmed it is assisting the state’s investigation. (KSNV; Las Vegas Review-Journal)
  • No evidence of compromised personally identifiable information (PII) has been found so far, the state said. (Carson Now; KRNV)

Services and public impact

  • DMV: Offices were closed Monday; appointments set for that day will be honored as walk-ins over the next two weeks, the agency said. (KRNV; KSNV)
  • Public safety lines: Nevada Highway Patrol / State Police dispatch phone lines were down Sunday but were back in service Monday; 911 remained available statewide. (Carson Now; Las Vegas Review-Journal)
  • Other agencies: Notices from departments, including Nevada State Parks, cited website disruptions and operational adjustments (e.g., cash-only fees at park entrances). (Nevada State Parks)

What officials are doing

The Governor’s Technology Office said it is working “continuously with state, local, tribal, and federal partners,” using temporary routing and operational workarounds to maintain public access where feasible, and validating systems before returning them to normal. Residents were warned to be wary of phishing or payment scams purporting to be from state agencies. (Carson Now)


Technical context (what this likely means, without speculating beyond facts)

Scope and blast radius. The pattern of symptoms—intermittent web/phone outages across multiple agencies, temporary DMV service suspension, and selective restoration of dispatch lines—suggests disruption at shared network and application tiers rather than isolated end systems. That could include identity infrastructure, routing/firewall layers, telephony integration (SIP trunks, call routing), and public-facing web gateways. (This is analysis; officials have not yet attributed a cause.) (StateScoop; Carson Now)

What we don’t know yet. Nevada has not announced whether this was a ransomware intrusion, DDoS, supplier compromise, or an internal misconfiguration. Investigators typically review authentication logs, privileged access activity, VPN/SSO telemetry, firewall and proxy events, and VoIP call-control logs to determine initial access, lateral movement, and exfiltration. The FBI’s involvement indicates the state is preserving evidence and coordinating across jurisdictions. (KSNV; Las Vegas Review-Journal)

Why services come back in phases. Agencies are restoring in waves because modern state IT relies on centralized identity (SSO), shared network segments, and common telecom/web platforms. Best practice is to isolate, rebuild, and validate each dependency (DNS, IdP, MDM/EDR, call routing, web apps) before reopening public counters—hence Monday’s pause in in-person services. (Carson Now)


Guidance for residents (from the state + security best practice)

  • Use official channels and be patient with intermittent outages; retry later if a site or line times out. (Carson Now)
  • Treat unexpected calls/emails requesting payment or credentials as suspect; the state won’t ask for your password or bank details by phone or email. (Carson Now)
  • For emergencies, call 911; for roadside assistance, use restored NHP dispatch lines or 911 if needed. (Carson Now)

What to watch next

  • Attribution & root cause: whether investigators tie the outage to criminal intrusions (e.g., ransomware or help-desk social engineering seen in other states) or to non-malicious failures. (StateScoop)
  • Data-exposure update: officials currently report no PII evidence; that assessment could change after forensics (if indicators of exfiltration emerge). (Carson Now)
  • Restoration cadence: agency-by-agency reopenings and website recoveries, including NV.gov and DPS properties. (StateScoop; Carson Now)

Sources

  • Carson Now — Governor’s Office memo; updates on services and scam warnings.
  • KRNV/News4 Reno — DMV accommodations, outage timeline.
  • KSNV/News3 Las Vegas — FBI assistance confirmation, service pause.
  • StateScoop — NV.gov and DPS site impact; weekend-to-Monday outage context.
  • Carson Now update — dispatch lines status Sunday vs. Monday.
  • Nevada State Parks — closure notice and cash-only operations.

New Botnet Era: PolarEdge, GeoServer Exploits, and Gayfemboy Malware

Attackers are chaining a critical GeoServer RCE with novel monetization tactics and ORB-like botnets to quietly profit and persist. New research details SDK-based bandwidth resale on compromised GeoServer hosts, a ballooning PolarEdge ORB built on edge devices, and a resurfaced Mirai variant dubbed “Gayfemboy” hitting routers and gateways worldwide.

Cybercriminals are pushing beyond smash-and-grab botnets, stitching together stealth monetization and covert relay infrastructure: Unit 42 warns of GeoServer systems hijacked to run “passive-income” SDKs that sell victims’ bandwidth, while researchers say the PolarEdge botnet now resembles an Operational Relay Box (ORB) network across tens of thousands of edge devices. Meanwhile, Fortinet tracked a renewed global surge of the Mirai-based “Gayfemboy” malware exploiting SOHO and enterprise gear.

What’s New

  • GeoServer RCE monetized, not mined. A campaign exploits CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer/GeoTools to quietly deploy legitimate-looking SDKs and apps that resell the host’s bandwidth via residential-proxy services—no miner needed, minimal CPU, long dwell time. Unit 42 observed internet-wide probing since March 2025 and over 7,100 exposed GeoServers across 99 countries.
  • PolarEdge balloons into an ORB. Censys and prior Sekoia work describe PolarEdge, a TLS-backdoored botnet abusing Cisco/ASUS/QNAP/Synology and other edge devices since mid-2023. Recent tallies show ~40,000 active devices, heavily concentrated in South Korea and the U.S., behaving like an Operational Relay Box network rather than a typical DDoS herd.
  • ‘Gayfemboy’ returns with broader exploits. Fortinet details a Mirai-lineage campaign (“Gayfemboy”) adding fresh N-days against DrayTek, TP-Link, Raisecom and Cisco to regain footholds and stage DDoS capability, with targets spanning manufacturing, tech and media across multiple regions.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) … to gain passive income via network sharing or residential proxies.” — Unit 42, Palo Alto Networks.

“ORBs are compromised exit nodes that forward traffic … while the device continues to operate normally, making detection … unlikely.” — Himaja Motheram, Censys, via The Hacker News.

“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection.” — Vincent Li, Fortinet.

“Defenders must treat exposed GeoServer and orphaned edge gear as high-risk egress points. Patch fast, kill default services, and watch for quiet bandwidth drains and high, odd-port TLS beacons—these are today’s telltales of ORB-style operations.” — El Mostafa Ouchen, cybersecurity author and analyst.

Technical Analysis

1) GeoServer CVE-2024-36401 attack chain

  • Vuln: Unsafe evaluation of property names as XPath (via GeoTools → Apache Commons JXPath) enables unauthenticated RCE across WFS/WMS/WPS request paths. Fixed in 2.22.6 / 2.23.6 / 2.24.4 / 2.25.2; workaround removes gt-complex-*.jar.
  • Observed TTPs (Unit 42):
    • Initial access: Crafted WFS/WMS payloads (e.g., GetPropertyValue) to execute Runtime.exec() on the target.
    • Staging: Payloads fetched from attacker-hosted transfer.sh instances; executables written in Dart interact with legit bandwidth-sharing services.
    • Objective: Stealth monetization via residential proxy SDKs; minimal resource use, long persistence.
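Two defender-side checks for this chain, as an added example that is neither Unit 42's nor the GeoServer project's code: a version test against the fixed releases listed above, and an access-log rule that flags GetPropertyValue requests whose valueReference is an expression rather than a property path. The log lines are constructed and the injected value is a placeholder:

```python
"""Two defender-side checks for the GeoServer chain described above, as an
added example (not Unit 42's or the GeoServer project's code): is_vulnerable()
compares an observed version against the fixed releases the advisory lists,
and scan_log() flags GetPropertyValue requests whose valueReference is an
expression rather than a property path. Log lines are constructed and the
injected value is a placeholder, not a working payload."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# First fixed release per minor line (2.22.6 / 2.23.6 / 2.24.4 / 2.25.2).
FIXED = {(2, 22): (2, 22, 6), (2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}
NEWEST_FIXED_LINE = max(FIXED)


def parse_version(text: str) -> tuple:
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix on its minor line, or the line is
    older than any patched one; lines newer than 2.25 shipped after the fix."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    return line < NEWEST_FIXED_LINE


# A property reference is an XPath-like path: names, '/', ':', '.', '@', digits,
# and commas for WFS 1.x lists. Parentheses, quotes or spaces mean an expression
# is being handed to the evaluator, which is the CVE-2024-36401 condition.
PROPERTY_PATH = re.compile(r"^[A-Za-z_][\w.:/@,\-]*$")
PROPERTY_PARAMS = ("valuereference", "propertyname")
EVAL_HINT = re.compile(r"\b(exec|getRuntime|Runtime|ProcessBuilder)\b")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_request(log_line: str) -> Optional[dict]:
    """Inspect one combined-format access-log line; None when nothing stands
    out. POST bodies are not in access logs, so XML requests need WAF or
    request-body logging to get the same check."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if "/geoserver" not in url.path.lower():
        return None
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    for key, values in params.items():
        for value in values:
            if key in PROPERTY_PARAMS and not PROPERTY_PATH.match(value):
                return {"param": key, "value": value, "reason": "expression where a property path belongs"}
            if key in ("filter", "cql_filter") and EVAL_HINT.search(value):
                return {"param": key, "value": value, "reason": "runtime-evaluation keyword in filter"}
    return None


def scan_log(lines) -> list:
    return [f for f in (suspicious_request(ln) for ln in lines) if f]


LOG_LINES = [  # constructed sample lines
    '203.0.113.10 - - [24/Aug/2025:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 812',
    '198.51.100.7 - - [24/Aug/2025:10:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(PLACEHOLDER) HTTP/1.1" 200 115',
    '203.0.113.10 - - [24/Aug/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ver in ("2.24.3", "2.24.4", "2.26.0"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
    for finding in scan_log(LOG_LINES):
        print("ALERT", finding)
```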

2) PolarEdge ORB characteristics

  • Initial footholds: N-days including CVE-2023-20118 on EoL Cisco RV routers; later broadened to ASUS/NAS/IP cameras, with a TLS backdoor (Mbed TLS/PolarSSL) deployed via FTP/scripted droppers (“q”, “t.tar”, “cipher_log”).
  • C2 & stealth: Backdoor listens on high, non-standard TCP ports (40k–50k); log cleanup and persistence; ~40,000 active nodes as of Aug. 2025.
  • Use case: Operational Relay Box—stable residential/ISP space used to proxy follow-on intrusions and mask origin.

3) ‘Gayfemboy’ Mirai variant

  • Exploits & targets: Recent activity against DrayTek, TP-Link, Raisecom, Cisco; multi-arch binaries (ARM/AArch64/MIPS/PPC/x86), anti-analysis (UPX header tweaks), watchdog/monitor/persistence, and DDoS modules over UDP/TCP/ICMP.

MITRE ATT&CK (selected)

  • Initial Access: Exploit Public-Facing App (T1190).
  • Execution: Command & Scripting Interpreter (T1059); Native API (T1106).
  • Persistence: Scheduled Task/Cron (T1053.003).
  • Defense Evasion: Modify system utilities / masquerade; Impair defenses (T1562).
  • Discovery: Query process/file system (T1082/T1083).
  • C2: Application layer over TLS/Web protocols (T1071.001).
  • Resource Development/Monetization: T1583.006 (Acquire network infrastructure / proxies), abuse of SDKs for bandwidth resale (campaign-specific).
    (Technique IDs mapped from ATT&CK Enterprise matrix; exact subtechniques may vary per host/device.)

Impact & Response

  • Who’s affected:
    • GeoServer operators (public-facing instances prior to patched versions).
    • ISPs/enterprises with legacy SOHO routers, NAS, IP cameras, VoIP phones and edge gateways running vulnerable firmware.
    • Sectors: Manufacturing, tech, construction, media/communications; global spread (notably South Korea, U.S., parts of Europe).
  • Actions taken / guidance:
    • Patch/mitigate GeoServer immediately to 2.22.6/2.23.6/2.24.4/2.25.2+; if constrained, remove gt-complex-*.jar (functional impact possible).
    • Hunt for SDK monetization artifacts (Dart executables, transfer.sh downloads, suspicious cron entries), anomalous egress/bandwidth spikes, and residential-proxy traffic.
    • Edge device triage: Disable WAN admin, block management ports, update firmware, rotate creds, and monitor for high random ports (40–50k) with TLS beacons tied to Mbed TLS backdoors.
  • Regulatory/Legal: Organizations running abused infrastructure risk AUP violations with ISPs, potential data-protection exposure if relayed traffic is linked to attacks, and supply-chain liability where SDKs were embedded without appropriate vetting.
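An added example (not Censys's, Sekoia's, Unit 42's or Fortinet's code) of the egress hunts listed above, run over constructed NetFlow-style records: odd-port TLS beacons from edge devices, and a server that should only accept connections fanning volume out to many external peers. The internal ranges, thresholds and server roles are assumptions to tune per environment:

```python
"""Egress hunt for the two telltales the article calls out, as an added example
(not Censys's, Sekoia's, Unit 42's or Fortinet's code): long-lived or repeated
TLS sessions from internal edge devices to external peers on ports 40000-50000
(PolarEdge-style relay), and a server that should only accept connections
instead pushing sustained volume to many external hosts (bandwidth resale).
Flow records are constructed; the fields mirror a NetFlow/IPFIX export."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; replace with the real address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORB_PORTS = range(40000, 50001)     # high, non-standard listener/peer ports
BEACON_MIN_SECONDS = 600            # one long session, or ...
BEACON_MIN_FLOWS = 3                # ... repeated sessions to the same peer
RESALE_MIN_DESTS = 8                # distinct external peers from one server
RESALE_MIN_BYTES = 100_000_000      # bytes sent in the window (tune per role)


@dataclass(frozen=True)
class Flow:
    src: str          # side that opened the connection
    dst: str
    dport: int
    bytes_out: int    # bytes sent by src
    duration_s: int
    tls: bool         # ClientHello observed (IDS/DPI enrichment)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(flows, server_roles=frozenset()) -> list:
    """Return (rule, host, detail) findings. server_roles: internal hosts that
    should never originate bulk egress, e.g. a public GeoServer."""
    egress = [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]
    findings = []

    # Rule 1: TLS to an odd high port, held open or repeated, looks like a relay.
    per_peer = defaultdict(list)
    for f in egress:
        if f.tls and f.dport in ORB_PORTS:
            per_peer[(f.src, f.dst, f.dport)].append(f)
    for (src, dst, dport), group in per_peer.items():
        longest = max(f.duration_s for f in group)
        if longest >= BEACON_MIN_SECONDS or len(group) >= BEACON_MIN_FLOWS:
            findings.append(("orb_tls_beacon", src, f"{dst}:{dport} flows={len(group)} longest={longest}s"))

    # Rule 2: a server fanning out to many external peers with real volume.
    dests, volume = defaultdict(set), defaultdict(int)
    for f in egress:
        if f.src in server_roles:
            dests[f.src].add(f.dst)
            volume[f.src] += f.bytes_out
    for src in dests:
        if len(dests[src]) >= RESALE_MIN_DESTS and volume[src] >= RESALE_MIN_BYTES:
            findings.append(("bandwidth_resale_suspect", src, f"peers={len(dests[src])} bytes_out={volume[src]}"))
    return findings


SAMPLE_FLOWS = (  # constructed records
    # EoL branch router holding a one-hour TLS session to one external peer on an odd port
    [Flow("10.0.0.1", "203.0.113.50", 44321, 12_000, 3600, True)]
    # NAS reconnecting repeatedly to the same odd-port peer
    + [Flow("10.0.0.2", "203.0.113.51", 47000, 2_000, 30, True) for _ in range(3)]
    # GeoServer host opening outbound TLS to a dozen different external hosts
    + [Flow("10.0.2.20", f"198.51.100.{i}", 443, 15_000_000, 120, True) for i in range(1, 13)]
    # ordinary workstation browsing
    + [Flow("10.0.5.5", "203.0.113.9", 443, 40_000, 15, True)]
    # internal admin SSH, not egress
    + [Flow("10.0.0.1", "10.0.2.20", 22, 5_000, 900, False)]
)
SERVERS = frozenset({"10.0.2.20"})

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_FLOWS, SERVERS):
        print(f"ALERT {rule} host={host} {detail}")
```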

Background

  • CVE-2024-36401 entered CISA KEV in July 2024 amid active exploitation; GeoServer issued multiple patch trains, plus a high-severity XXE (CVE-2025-30220) fix this June.
  • PolarEdge was first documented by Sekoia (Feb. 2025) and later by Censys (Aug. 2025), who framed it as an ORB-like relay for operational traffic, not mass scanning or coin mining.
  • Gayfemboy emerged publicly in 2024; Fortinet’s Aug. 22, 2025 analysis shows new exploits, architectures and anti-analysis techniques.

What’s Next

Expect more quiet monetization (bandwidth resale/SDK abuse) and relay-grade botnets that prioritize stealth over volume. Immediate priorities: patch GeoServer, inventory and segment edge gear, and add detections for ORB-style egress and odd-port TLS. Threat intel sharing between ISPs, cloud providers and enterprises will be key to disrupting these low-noise campaigns.

Sources:

  • Unit 42 (Palo Alto Networks) — GeoServer CVE-2024-36401 exploitation and SDK monetization; NVD/GeoServer project advisories; The Hacker News (Aug. 23, 2025) overview on GeoServer, PolarEdge, and Gayfemboy.
  • Censys & ISMG — PolarEdge ORB scale (~40k devices), edge device exploitation, and ORB behavior; Sekoia early reporting (Feb. 2025); Fortinet FortiGuard Labs (Aug. 22, 2025) on Mirai “Gayfemboy” exploits, variants, and anti-analysis features.
  • Additional context from CVE records (2024–2025), CISA KEV entries, and prior research linking Redis cryptojacking and TLS backdoors in PolarEdge campaigns.
