ShadowCaptcha distributing ransomware & cryptominers via compromised WordPress sites
A new large-scale cybercrime campaign, codenamed ShadowCaptcha, has been identified, exploiting over 100 compromised WordPress sites. This campaign, first detected in August 2025 by the Israel National Digital Agency, directs unsuspecting visitors to fake CAPTCHA verification pages using the ClickFix social engineering tactic. Researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman noted that the campaign combines social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to establish and maintain a foothold in targeted systems. The primary objectives of ShadowCaptcha include collecting sensitive information through credential harvesting, exfiltrating browser data, deploying cryptocurrency miners for illicit profits, and instigating ransomware outbreaks.
The attack process begins when users visit a compromised WordPress site, which has been injected with malicious JavaScript code. This code initiates a redirection chain leading to a counterfeit Cloudflare or Google CAPTCHA page. Depending on the ClickFix instructions displayed, the attack chain diverges into two paths: one that utilises the Windows Run dialog and another that instructs victims to save a page as an HTML Application (HTA) and execute it using mshta.exe. The execution flow via the Windows Run dialog results in the deployment of Lumma and Rhadamanthys stealers through MSI installers or remotely hosted HTA files. Conversely, executing the saved HTA payload leads to the installation of Epsilon Red ransomware. The ClickFix page employs obfuscated JavaScript to copy a malicious command to the user's clipboard without any interaction, relying on the victim to unknowingly paste and execute it.
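As an added example (not from the researchers' report or this article), a heuristic triage script a site owner or analyst could run over fetched page HTML to spot the ClickFix pattern described above: an inline script that writes to the clipboard, paired with Run-dialog or CAPTCHA lure wording or with string obfuscation. The indicator lists and both sample pages are constructed for illustration, and the lure sample decodes an inert placeholder rather than a real command.

```python
import re
from html.parser import HTMLParser

# Constructed indicator groups. A clipboard write alone is normal web behaviour;
# the ClickFix pattern pairs it with Run-dialog/CAPTCHA lure text or obfuscation.
CLIPBOARD_APIS = [("clipboard.writeText", r"navigator\.clipboard\.writeText"),
                  ("execCommand(copy)", r"execCommand\(\s*['\"]copy['\"]")]
LURE_TERMS = [("mshta", r"\bmshta\b"), ("powershell", r"\bpowershell\b"),
              ("Win+R", r"\bWin\s*\+\s*R\b"), ("not a robot", r"not a robot"),
              ("verify human", r"verify (?:you are|that you are) human")]
OBFUSCATION = [("atob", r"\batob\s*\("), ("fromCharCode", r"String\.fromCharCode"),
               ("eval", r"\beval\s*\(")]

class InlineScriptCollector(HTMLParser):
    """Separates inline <script> bodies (external src skipped) from visible text."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.text = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)

def match_any(indicators, text):
    return [name for name, pat in indicators if re.search(pat, text, re.IGNORECASE)]

def scan_html(html):
    """Flag inline scripts that write the clipboard and co-occur with lure text or obfuscation."""
    parser = InlineScriptCollector()
    parser.feed(html)
    lure = match_any(LURE_TERMS, " ".join(parser.text + parser.scripts))
    findings = []
    for idx, script in enumerate(parser.scripts):
        clip, obf = match_any(CLIPBOARD_APIS, script), match_any(OBFUSCATION, script)
        if clip and (lure or obf):
            findings.append({"script": idx, "clipboard": clip, "obfuscation": obf, "lure": lure})
    return findings

# Constructed samples: a legitimate copy-link button (must not be flagged), and a
# lure whose script decodes an inert base64 placeholder ("PLACEHOLDER"), not a command.
BENIGN_PAGE = """<button id="c">Copy link</button><script>
document.getElementById('c').onclick = () => navigator.clipboard.writeText(location.href);</script>"""
LURE_PAGE = """<div>Verify you are human: press Win + R, then Ctrl + V and Enter</div><script>
var p = atob("UExBQ0VIT0xERVI=");
document.addEventListener('click', function () { navigator.clipboard.writeText(p); });</script>"""
```

Run `scan_html` over pages fetched from your own WordPress installation; a hit on a page that should not contain clipboard code is a strong reason to diff the theme and plugin files against clean copies.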