
Cyber-criminals have compromised hundreds of legitimate WordPress websites in a global operation designed to infect unsuspecting visitors with information-stealing malware, raising fresh concerns about the security of widely used web platforms and the increasing sophistication of social-engineering attacks.
Threat researchers at cybersecurity firm Rapid7 say attackers infiltrated more than 250 websites across at least 12 countries, including the United Kingdom, United States, Germany, Canada, Australia, Brazil, Israel and India. The infected pages include regional news portals, small business sites and even the official campaign website of a United States Senate candidate. Once compromised, the websites are silently converted into malware distribution platforms targeting visitors’ computers.
The operation relies on a deceptive tactic known as “ClickFix”, which manipulates users into executing malicious commands themselves. Visitors arriving at a compromised website are shown what appears to be a legitimate Cloudflare human-verification page. Rather than completing a normal CAPTCHA challenge, users are instructed to copy and paste a command into the Windows Run interface, a step that launches a multi-stage malware infection.
Security analysts warn that the approach exploits trust in established websites. Because the infected pages belong to organisations that appear legitimate, victims are less likely to suspect foul play. Once the malicious command is executed, the attacker installs an “infostealer” program designed to harvest sensitive information from the victim’s system, including login credentials, browser cookies, cryptocurrency wallet details and other confidential data.
The campaign appears to have been active in its current form since December 2025, although investigators say some of the supporting infrastructure—such as domains linked to the malware—was created earlier in 2025. Researchers believe the scale and automation involved suggest a coordinated operation rather than isolated attacks against individual websites.
Cybersecurity specialists say the attackers are likely exploiting common weaknesses in the WordPress ecosystem, which powers a large share of the world’s websites. Vulnerabilities in outdated plug-ins, insecure administrator credentials and unpatched themes can provide an entry point for attackers seeking to implant malicious code. Once access is gained, the criminals inject scripts into the site that trigger the fake verification prompt whenever a visitor loads the page.
Rapid7’s analysis indicates the malware chain deployed through the ClickFix mechanism operates largely in memory, allowing it to avoid detection by traditional file-based security tools. This technique means that even organisations with standard antivirus protections may struggle to identify the infection before data is stolen or the system becomes a gateway for further cyber-intrusions.
Infostealer malware has become a prominent tool in cybercrime networks, enabling attackers to collect large volumes of stolen credentials and sell them on underground marketplaces. These digital logs often contain access to corporate networks, email accounts and financial services platforms, providing criminals with opportunities for fraud, identity theft and espionage. Analysts say such data can also be used as an entry point for ransomware attacks or targeted corporate intrusions.
The ClickFix technique itself has grown rapidly within the cyber-threat landscape. Instead of exploiting software vulnerabilities directly, the method relies on psychological manipulation, convincing users that they must take immediate action to resolve an apparent technical problem. By framing the malicious command as part of a verification process or system fix, attackers bypass traditional security barriers and effectively persuade victims to compromise their own devices.
Security researchers note that this strategy reflects a broader shift in cyber-crime tactics, where social engineering is increasingly combined with compromised infrastructure to expand the reach of malware campaigns. Rather than building entirely new malicious websites, attackers now hijack trusted platforms that already attract regular traffic, allowing them to distribute malware at scale without raising suspicion.
The scope of the campaign highlights the continuing risks associated with outdated or poorly maintained web infrastructure. WordPress remains the dominant content-management system globally, powering millions of sites ranging from personal blogs to major media outlets and corporate portals. While the platform itself is regularly updated, security experts say administrators often fail to install patches or update plug-ins promptly, leaving gaps that attackers can exploit.
Researchers emphasise that the infection does not depend on visitors downloading files from suspicious sources. Interacting with the fraudulent verification prompt is enough to set the malware delivery process in motion once users follow its instructions and execute the supplied command. Because the fake CAPTCHA resembles common anti-bot checks used across the internet, many visitors may comply without hesitation.
Cybersecurity teams are urging organisations that rely on WordPress to review security configurations, update plug-ins and monitor their websites for unusual scripts or redirections. Users are also advised to remain cautious when confronted with verification prompts that request manual commands or unusual steps, especially those involving system tools such as Windows Run or PowerShell.
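A starting point for the website monitoring recommended above, added here as an example and not part of the article or of Rapid7's research: a small Python scanner that splits a fetched WordPress page into visible text and inline scripts, then flags the pairing the campaign relies on (verification-page wording beside Windows Run instructions, or a script that writes to the clipboard beside those instructions). The two sample pages and the regular expressions are constructed assumptions, not indicators taken from the report.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured content): one ordinary page, one with an
# injected ClickFix-style lure of the kind the article describes.
CLEAN_PAGE = """<html><body><h1>Regional news</h1><p>Latest headlines.</p>
<script>document.getElementById('x');</script></body></html>"""
LURE_PAGE = """<html><body><h1>Regional news</h1>
<div id="verify"><p>Verify you are human - Cloudflare security check</p>
<p>Step 1: Press Windows + R. Step 2: Press CTRL + V. Step 3: Press Enter.</p></div>
<script>navigator.clipboard.writeText("PLACEHOLDER_COMMAND_REMOVED");</script>
</body></html>"""

class _Splitter(HTMLParser):
    """Separate visible text from inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.text, self.scripts = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

# Heuristics (assumed patterns), each keyed on an element the article describes.
RUN_DIALOG = re.compile(r"\b(win(dows)?(\s*key)?\s*\+\s*r|windows run)\b", re.I)
PASTE_STEP = re.compile(r"\bctrl\s*\+\s*v\b|\bpaste\b", re.I)
VERIFY_LURE = re.compile(r"verify (that )?you(\s*are|'re) (a )?human|cloudflare", re.I)
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)

def scan_page(html: str) -> dict:
    """Return the indicators hit and a verdict for one fetched HTML document."""
    p = _Splitter()
    p.feed(html)
    text, scripts = " ".join(p.text), "\n".join(p.scripts)
    hits = {
        "run_dialog_instruction": bool(RUN_DIALOG.search(text)),
        "paste_instruction": bool(PASTE_STEP.search(text)),
        "verification_lure": bool(VERIFY_LURE.search(text)),
        "clipboard_write_script": bool(CLIPBOARD_WRITE.search(scripts)),
    }
    # A genuine verification page never needs the Run dialog, so Run-dialog
    # instructions paired with verification wording or with a clipboard-writing
    # script are the alertable pattern; either indicator alone is too common.
    suspicious = hits["run_dialog_instruction"] and (
        hits["verification_lure"] or hits["clipboard_write_script"])
    return {"indicators": hits, "verdict": "clickfix_lure" if suspicious else "clean"}

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("lure", LURE_PAGE)):
        print(name, scan_page(page))
```

Run it against a scheduled fetch of each public page; a verdict change from `clean` to `clickfix_lure` on a site you own is the signal to pull the page and audit the theme and plug-in files for injected scripts.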