Over 100 WordPress Sites Compromised in ShadowCaptcha Malware Surge

Over 100 hacked WordPress sites redirect visitors to fake Cloudflare/Google CAPTCHA pages using “ClickFix” to execute Lumma, Rhadamanthys, Epsilon Red, and XMRig payloads, researchers say.

A global campaign dubbed ShadowCaptcha is abusing more than 100 compromised WordPress sites to funnel visitors to counterfeit CAPTCHA checks that coerce “ClickFix” actions and launch malware—ranging from info-stealers and ransomware to crypto miners. Researchers link some infrastructure to Help TDS–style redirection and malicious plugins that masquerade as WooCommerce. The Hacker NewsGoDaddy

A large-scale attack wave called ShadowCaptcha is redirecting users from more than 100 hacked WordPress sites to fake Cloudflare or Google CAPTCHA pages that trigger multi-stage malware installs, including Lumma and Rhadamanthys info-stealers, Epsilon Red ransomware, and XMRig coin miners, according to new research published August 26, 2025.

• What’s new: ShadowCaptcha leverages compromised WordPress sites to run malicious JavaScript that sends visitors into a redirection chain ending on phony CAPTCHA pages. From there, victims are prompted to either paste a pre-copied command in Windows Run or save and execute an HTA file—both paths resulting in malware execution. The Hacker News
• Scale: Researchers have observed 100+ infected sites, with concentrations in Australia, Brazil, Italy, Canada, Colombia, and Israel across technology, hospitality, legal/finance, healthcare and real-estate sectors. The Hacker News
• Initial access: How the WordPress sites were breached varies; investigators have medium confidence that attackers abused vulnerable plugins and, in some cases, stolen admin credentials. The Hacker News
• Related ecosystem: The campaign overlaps with traffic distribution systems (TDS) behavior seen in Help TDS, which has used a malicious plugin named “woocommerce_inputs” to redirect traffic and harvest credentials on thousands of sites. GoDaddy

“The campaign blends social engineering, living-off-the-land binaries, and multi-stage payload delivery to gain and maintain a foothold in targeted systems.” — Researchers credited by Israel’s National Digital Agency. The Hacker News

“The compromised ClickFix page copies a malicious command to the clipboard without interaction, relying on users to paste and run it unknowingly.” — Researchers describing the technique. The Hacker News

“Help TDS has evolved into a malware-as-a-service offering, with a malicious WooCommerce-named plugin installed post-compromise via stolen credentials.” — Denis Sinegubko, GoDaddy Security. GoDaddy

“ShadowCaptcha shows how a simple CAPTCHA lure can escalate into data theft, crypto mining, or full ransomware impact—often with mshta/msiexec abuse and vulnerable drivers for stealth and speed.” — El Mostafa Ouchen, cybersecurity author and analyst.

Technical Analysis

Attack chain & lures. Compromised WordPress pages inject JavaScript that redirects to counterfeit Cloudflare/Google CAPTCHA portals. The pages use ClickFix instructions to:

1. open Windows Run and paste an attacker-supplied command (copied via navigator.clipboard.writeText), launching MSI or HTA payloads via msiexec.exe/mshta.exe; or
2. save the page as an HTA and execute locally. The Hacker News

Payloads. Observed families include Lumma and Rhadamanthys (stealers), Epsilon Red (ransomware), and XMRig miners (with configs sometimes fetched from Pastebin). Some runs drop a vulnerable driver (WinRing0x64.sys) to manipulate CPU registers for higher mining yield. The Hacker News

Defense evasion. Pages implement anti-debugger checks to block browser dev tools inspection and use DLL side-loading to execute under trusted processes. The Hacker News

Possible delivery infra. Research into Help TDS documents a malicious “woocommerce_inputs” plugin used by attackers (not from the legitimate WooCommerce project) to redirect traffic, filter by geography, and exfiltrate credentials—capabilities that can dovetail with ShadowCaptcha’s redirection-first model. GoDaddy

MITRE ATT&CK (indicative):

• Drive-by Compromise (T1189) via compromised sites and forced redirects.
• User Execution (T1204) through ClickFix-guided Run/HTA steps.
• Signed Binary Proxy Execution (T1218) using mshta.exe / msiexec.exe.
• Hijack Execution Flow: DLL Side-Loading (T1574.002).
• Valid Accounts (T1078) for stolen WordPress admin credentials.
• Exploitation for Privilege Escalation (T1068) via vulnerable driver abuse.

Impact & Response

Who’s at risk:

• Site visitors—credential theft, data exfiltration, ransomware execution, resource hijacking for mining.
• Site owners—reputation damage, SEO penalties, blacklisting, potential legal exposure for unsafe platforms. The Hacker News

Immediate actions:

• Users: do not paste/run commands from web pages; block HTA where feasible; run EDR; scan for Lumma/Rhadamanthys/Epsilon Red; check for unauthorized drivers.
• Admins: audit WordPress for unknown plugins (e.g., faux WooCommerce names), remove malicious injections, rotate credentials, enforce MFA, and patch core/plugins; review outbound redirects and logs; WAF/EDR rules for mshta/msiexec misuse; disable Pastebin-fetched configs at egress. The Hacker NewsGoDaddy

Potential regulatory angle: Sites handling personal data may face privacy/consumer-protection scrutiny if inadequate security controls facilitated malware delivery to visitors.

Background

The disclosure follows GoDaddy’s deep-dive on Help TDS, active since 2017, which arms affiliates with PHP templates and a malicious plugin to monetize hijacked traffic (tech-support scams, dating/crypto/sweepstakes), including fake CAPTCHA gates to evade automated scans. ShadowCaptcha adopts similar redirection motifs while expanding to stealers/ransomware/miners. GoDaddy

What’s Next

Researchers are continuing to track infrastructure and plugin variants, while urging WordPress operators to harden authentication, prune legacy/vulnerable plugins, and monitor for ClickFix-style clipboard abuse. Expect IOCs and cleanup guidance to roll out via security vendors and national agencies as investigations continue. The Hacker News