A large-scale cybercrime campaign targeting WordPress websites has been uncovered, with attackers luring unsuspecting visitors into installing malware through fake CAPTCHA verification pages. The campaign, dubbed ShadowCaptcha by the Israel National Digital Agency, has compromised over 100 WordPress sites since August 2025 and is being described as a sophisticated blend of social engineering, multi-stage payload delivery, and living-off-the-land techniques.
Fake CAPTCHA Pages Deliver Multiple Threats
According to security researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman, ShadowCaptcha’s operators redirect visitors to hacked WordPress sites to counterfeit Google or Cloudflare CAPTCHA pages. Victims are tricked through the ClickFix tactic, which prompts them either to paste a command into the Windows Run dialog or to save and execute a malicious HTML Application (HTA) file.
The infection chain leads to the deployment of Lumma and Rhadamanthys information stealers, Epsilon Red ransomware, or XMRig cryptocurrency miners. The campaign leverages advanced evasion methods, including anti-debugging scripts, DLL side-loading, and the abuse of vulnerable drivers such as WinRing0x64.sys to enhance mining efficiency.
ShadowCaptcha also abuses the victim’s clipboard: JavaScript on the fake CAPTCHA page silently copies the malicious command into the clipboard, so the victim only has to paste and run it. The payload therefore executes through the victim’s own mistake rather than through any direct exploit of the browser.
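Defenders reviewing pages served by a WordPress site can look for the combination of traits described above: a CAPTCHA-themed lure, a JavaScript clipboard write, and an instruction to run the copied text via the Run dialog or an HTA file. The heuristic scanner below is an added example, not code from the researchers or the campaign report; the regexes and the two sample pages are constructed assumptions for illustration, and the "malicious" sample carries an inert placeholder instead of a real command.

```python
"""Heuristic scanner for ClickFix-style fake-CAPTCHA pages in served HTML.

Flags a page only when three traits co-occur: a CAPTCHA-themed lure,
JavaScript that writes to the clipboard, and an instruction to execute
the copied text (Windows Run dialog or an HTA file). A lone clipboard
write, such as a "copy code" button on a docs page, is treated as benign.
"""
import re

# (name, pattern, weight). Patterns are assumptions chosen for this example,
# not indicators published with the ShadowCaptcha report.
INDICATORS = [
    ("captcha_lure",
     re.compile(r"verify you are human|i'?m not a robot|cloudflare|recaptcha", re.I), 1),
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 2),
    ("run_dialog_instruction",
     re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b|press\s+enter", re.I), 2),
    ("hta_reference",
     re.compile(r"\.hta\b|mshta", re.I), 2),
]


def score_page(html: str) -> dict:
    """Return which indicators matched, a weighted score, and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    suspicious = (
        "clipboard_write" in hits
        and "captcha_lure" in hits
        and ("run_dialog_instruction" in hits or "hta_reference" in hits)
    )
    return {"hits": hits, "score": score, "suspicious": suspicious}


# Constructed sample: a legitimate page with a copy-to-clipboard button.
BENIGN_HTML = """<pre>pip install requests</pre>
<button onclick="navigator.clipboard.writeText('pip install requests')">Copy</button>"""

# Constructed sample: a ClickFix-style lure; the copied text is an inert placeholder.
LURE_HTML = """<div class="captcha"><p>Verify you are human</p>
<button onclick="navigator.clipboard.writeText('PLACEHOLDER_NOT_A_REAL_COMMAND')">
I'm not a robot</button>
<p>Step 1: Press Win + R. Step 2: Press Ctrl + V. Step 3: Press Enter.</p></div>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("lure", LURE_HTML)):
        print(label, score_page(page))
```

Run it against the HTML of a site's landing pages (including any content injected by plugins or themes) and triage the pages reported as suspicious.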
Expanding Global Footprint and Linked Operations
The majority of affected WordPress sites are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning sectors such as hospitality, healthcare, finance, and real estate. Security experts warn that the campaign not only threatens individuals with data theft but also exposes businesses to severe operational and reputational risks.
The findings coincide with GoDaddy’s disclosure on the evolution of Help TDS, a traffic distribution system active since 2017. TDS operators have recently deployed a malicious WordPress plugin named woocommerce_inputs, disguised as WooCommerce, to redirect visitors to fraudulent pages. This plugin has been discovered on more than 10,000 websites worldwide, enabling credential harvesting, geographic filtering, and advanced redirection.
Researchers say that both ShadowCaptcha and Help TDS highlight the growing commercialization of malware services targeting WordPress ecosystems. To mitigate risk, experts recommend strict patching, multi-factor authentication, network segmentation, and user training against social engineering threats like ClickFix.