Malware & Ransomware · HIGH

Malicious WordPress Sites Spread Stealer Malware Globally

Rapid7 Blog · Reporting by Milan Spinka
📰 2 sources · Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, hackers are using trusted websites to spread malware that steals your information.

Quick Summary

A wave of compromised WordPress sites is spreading malware globally. Over 250 trusted websites have been infected, putting user data at risk. Stay vigilant and ensure your online security measures are updated.

What Happened

Imagine visiting a trusted website, only to find it has been hijacked by hackers. This is exactly what's happening with over 250 legitimate WordPress sites that have been compromised to spread malware. Rapid7 Labs uncovered a campaign where an unidentified threat actor is injecting a fake Cloudflare human verification challenge, known as ClickFix, to trick users into downloading malware. Once infected, the malware can steal sensitive information like passwords and digital wallet details from Windows systems.

This malware campaign has been active since December 2025, but its infrastructure dates back even further. The infected sites span at least 12 countries, including the US, UK, Germany, and India. Some of these sites are even regional news outlets or official pages of political candidates. This makes the threat particularly dangerous because users are more likely to trust these sites, thinking they are safe to visit.

Why Should You Care

You might think that only shady websites pose a risk, but this incident shows that even trusted sites can be compromised. If you visit one of these infected sites, you could unknowingly download malware that steals your credentials. Think of it like getting a virus from a seemingly healthy apple; it looks good on the outside, but inside, it’s rotten.

This is not just a problem for individuals; organizations can also be targeted. If hackers steal your company's credentials, they could access sensitive data or conduct financial theft. Staying vigilant online is crucial, especially when browsing sites that seem trustworthy. Always question the legitimacy of what you see online.

What's Being Done

Rapid7 is actively monitoring this situation and has published a detailed analysis of the malware infection chain. They have also released a list of Indicators of Compromise (IoCs) and detection rules to help organizations defend against this threat. Here are some immediate actions to consider:

  • Check if your website is on the list of compromised sites.
  • Update your security measures to detect and block this malware.
  • Educate your team about the risks of visiting seemingly safe websites.
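The first two actions above can be partly automated. The following is an added example, not Rapid7's published detection rules and not code from the original article: it takes a list of hostnames you operate and matches them against an IoC host list (the IoC entries and hostnames used here are constructed placeholders), and it applies three heuristics to a fetched WordPress page that are assumptions of this example rather than indicators stated on the page: lure text that mimics a Cloudflare "verify you are human" challenge, an inline script that writes to the clipboard, and script tags loaded from a host that is neither the site itself nor on an allowlist.

```python
"""Defender-side checks for ClickFix-style fake verification overlays on WordPress pages.

Added example; the lure phrases, clipboard patterns and sample HTML below are
assumptions and constructed data, not indicators published by Rapid7.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases a fake Cloudflare verification overlay is assumed to show (assumption).
LURE_PHRASES = [r"verify you are human", r"checking your browser"]

# Inline-script behaviour worth flagging on a news or campaign site: writing to the
# user's clipboard from page script (assumed indicator).
CLIPBOARD_PATTERNS = [r"navigator\.clipboard\.writeText", r"execCommand\(\s*['\"]copy['\"]"]


class _PageCollector(HTMLParser):
    """Collect visible text, inline script bodies and external script sources."""

    def __init__(self):
        super().__init__()
        self.text, self.inline_scripts, self.script_srcs = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        (self.inline_scripts if self._in_script else self.text).append(data)


def scan_html(html, site_host, trusted_hosts=()):
    """Return a list of finding strings for one fetched page (empty list = nothing flagged)."""
    parser = _PageCollector()
    parser.feed(html)
    findings = []
    page_text = " ".join(parser.text).lower()
    for phrase in LURE_PHRASES:
        if re.search(phrase, page_text):
            findings.append(f"lure text: '{phrase}'")
    for body in parser.inline_scripts:
        for pattern in CLIPBOARD_PATTERNS:
            if re.search(pattern, body):
                findings.append(f"inline script writes to clipboard: {pattern}")
    for src in parser.script_srcs:
        host = urlparse(src).hostname
        if host and host != site_host and host not in trusted_hosts:
            findings.append(f"third-party script loaded from {host}")
    return findings


def match_iocs(my_hosts, ioc_hosts):
    """Return the hostnames in my_hosts that equal, or are subdomains of, an IoC host."""
    iocs = {h.lower().rstrip(".") for h in ioc_hosts}
    hits = []
    for host in my_hosts:
        h = host.lower().rstrip(".")
        if h in iocs or any(h.endswith("." + i) for i in iocs):
            hits.append(host)
    return sorted(hits)


# Constructed sample pages; the hostnames are placeholders under .invalid.
SAMPLE_CLEAN = """<html><head><title>Local News</title>
<script src="https://news.example.invalid/wp-includes/js/jquery.js"></script></head>
<body><p>Welcome to our site.</p></body></html>"""

SAMPLE_INJECTED = """<html><head><title>Local News</title>
<script src="https://news.example.invalid/wp-includes/js/jquery.js"></script>
<script src="https://static.injected.invalid/cf.js"></script></head>
<body><div id="overlay"><h2>Verify you are human</h2>
<p>Complete the steps below to continue.</p></div>
<script>navigator.clipboard.writeText("placeholder");</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(label, scan_html(page, "news.example.invalid") or "no findings")
    # Constructed IoC list standing in for the published one.
    print(match_iocs(["news.example.invalid", "blog.other.invalid"], ["news.example.invalid"]))
```

In practice you would feed `scan_html` the HTML of your own site's front page and a few deep pages fetched with a normal browser user agent, and pass your CDN and analytics hosts in `trusted_hosts`; any finding is a prompt to inspect the theme and plugin files that emit that markup, not proof of compromise on its own.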

Experts are keeping an eye on how this campaign evolves and whether more websites will be targeted. The key takeaway is to stay informed and proactive about your online safety.

🔒 Pro insight: The use of trusted domains for malware distribution highlights a significant shift in threat actor tactics, necessitating enhanced vigilance in web security measures.

Original article from: Rapid7 Blog · Milan Spinka

Also covered by:

  • The Register Security: Crooks compromise WordPress sites to push infostealers via fake CAPTCHA prompts
  • Malwarebytes Labs: Hacked sites deliver Vidar infostealer to Windows users

Related Pings

Malware & Ransomware · HIGH

Malware Newsletter Round 91 - Latest Threats and Insights

The latest malware newsletter reveals new threats like Infiniti Stealer and npm supply chain attacks. Developers and organizations must stay alert to evolving risks in cybersecurity.

Source: Security Affairs

Malware & Ransomware · HIGH

Malicious Email Delivers CMD Malware - Privilege Escalation Alert

A malicious email has delivered a .cmd malware file that escalates privileges and bypasses antivirus systems. Users are at risk of significant system compromise. Awareness and immediate action are vital to mitigate this threat.

Source: Security Affairs

Malware & Ransomware · HIGH

Axios NPM Package Compromised - Supply Chain Attack Exposed

A major supply chain attack compromised the Axios NPM package, affecting millions of users. Malicious versions deployed a RAT, posing serious security risks. Swift action was taken to remove the threats.

Source: Trend Micro Research

Malware & Ransomware · HIGH

Brokk Hacked - Play Ransomware Exposes Sensitive Data

Brokk has reportedly been hacked by Play ransomware, leading to the leak of sensitive corporate data. This incident could severely impact the company's reputation and security. Organizations must bolster their defenses to prevent similar breaches.

Source: SC Media

Malware & Ransomware · HIGH

Chaos Malware - New Targeting of 64-bit Linux Servers

Chaos malware has evolved to target 64-bit Linux servers, expanding its attack surface. This shift raises alarms for organizations relying on these systems. Enhanced security measures are now crucial to protect against potential larger-scale attacks.

Source: SC Media

Malware & Ransomware · HIGH

Phorpiex Botnet - Spreading Ransomware and Sextortion Tactics

The notorious Phorpiex botnet is back, spreading ransomware and sextortion schemes. Millions are at risk as it targets users globally. Stay alert and protect your devices from this evolving threat.

Source: Cyber Security News