Date: 2025-08-27

Information-stealing malware, ransomware, and cryptominers have been distributed through more than 100 breached WordPress sites around the world as part of the new ShadowCaptcha cybercrime campaign, which involves ClickFix social engineering and multiple living-off-the-land binaries, reports The Hacker News.

Illicit JavaScript code injected into the hacked WordPress sites facilitates redirection to bogus Cloudflare or Google CAPTCHA pages that either use the Windows Run dialog or prompt the saving and execution of the webpage as an HTML Application, with the former resulting in the delivery of the Rhadamanthys and Lumma infostealers and the latter leading to the deployment of Epsilon Red ransomware, according to researchers from the Israel National Digital Agency. XMRig-based cryptominers were deployed in other ShadowCaptcha campaigns. "ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations. By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware," said researchers.