
Hacked WordPress Sites Harnessed in Global Cybercrime Campaign

Illicit JavaScript code was injected into the hacked WordPress sites to facilitate redirection to bogus pages.

Information-stealing malware, ransomware, and cryptominers have been distributed through more than 100 breached WordPress sites around the world as part of the new ShadowCaptcha cybercrime campaign.

According to researchers from the Israel National Digital Agency, as reported by The Hacker News, illicit JavaScript code was injected into the hacked WordPress sites. This code redirects visitors to bogus Cloudflare or Google CAPTCHA pages that either use the Windows Run dialog or prompt the user to save and execute the webpage as an HTML Application. The former resulted in the delivery of the Rhadamanthys and Lumma infostealers, and the latter led to the deployment of Epsilon Red ransomware.

XMRig-based cryptominers were deployed in other ShadowCaptcha campaigns.

"ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations," said researchers. "By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware."


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
