Security researchers have outlined an ongoing and widespread malware campaign based around trusted, but compromised, WordPress websites.
The campaign, spotted by cyber security firm Rapid7, is being carried out by a so-far unknown threat actor and uses the compromised sites to inject a ClickFix implant posing as a Cloudflare CAPTCHA process.
“The lure is designed to infect visitors with a multi-stage malware chain that ultimately steals and exfiltrates credentials and digital wallets from Windows systems,” Rapid7 said in a March 11 blog post.
“The stolen credentials can subsequently be used for financial theft or to conduct further, more targeted attacks against organisations.”
The infrastructure used in the campaign dates back to July 2025, and the campaign in its current form has been running since December last year. So far, Rapid7 has identified more than 250 infected WordPress websites from at least 12 countries: Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK, and the US.
The infected sites range from business websites to the official website of a sitting US senator.
“This legitimacy, together with the convincing appearance of the fake Cloudflare CAPTCHA lure, makes this threat dangerous for organisations and individuals alike,” Rapid7’s researchers said.
“It also highlights the importance of staying vigilant online at all times, not only when browsing untrustworthy sites.”
While Rapid7 goes into some technical depth on how the malware is deployed and credentials are harvested, at the time of writing, the exact means by which the threat actor is compromising the infected WordPress sites is unknown. The latest payload deployed by the threat actor is a new, custom C++ stealer that Rapid7 is referring to as VodkaStealer.
Curiously, previous stealers deployed by the actor, including Vidar and Impure Stealer, were far more complex and stealthy, leading Rapid7’s researchers to wonder why the attacker is now using something written from scratch and far less capable.
“One speculative explanation is of an economical nature – commercial infostealers are expensive, while small software PoC development, including malware development, is becoming widely available thanks to pre-trained transformer LLMs, with open-source ‘red team’ tools like ChromElevator available to aid with the more technically challenging aspects,” Rapid7 said.
“However, this is all pure speculation, and Rapid7 Labs will keep tracking the campaign to collect more intelligence and draw more definitive conclusions.”
You can learn more about the malicious WordPress campaign here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.