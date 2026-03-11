Rapid7 uncovers large-scale WordPress hijacking campaign

Fake Cloudflare CAPTCHA tricks visitors into running malware

More than 250 sites compromised, including a US Senate candidate’s page

Cybercriminals are hijacking vulnerable WordPress websites left and right and turning them into launchpads for malware deployment, experts have warned.

Security researchers at Rapid7 say they have spotted an ongoing, automated, large-scale campaign that even affected an unnamed US Senate candidate.

According to the researchers, the crooks first scan the web for vulnerable WordPress websites. Initial access can come from any of a wide range of weaknesses, from default or weak admin login credentials to unpatched themes and WordPress plugins for which exploits are publicly available.

Deploying an infostealer

The campaign likely started in December 2025 and has so far affected more than 250 websites around the world.

Once inside, the crooks do their best not to raise any alarms. Nothing on the site itself gets changed - the only addition is a fake Cloudflare CAPTCHA shown on a visitor's first visit. Such checks are so common these days that most people don’t think twice about them: they complete the puzzle, confirm they’re not a robot, and go about their day.

But the manner in which users are asked to solve the CAPTCHA should be a huge red flag. Instead of clicking a box or sliding a slider, they are asked to copy and paste a command into Windows Run, in classic ClickFix fashion.

So, instead of proving they’re human, the visitors end up downloading and running malware themselves. In this case, an infostealer designed to exfiltrate login credentials, authentication cookies, cryptocurrency wallet information, and other sensitive data.
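The lure described above has a recognisable shape: injected page content that copies a command to the clipboard and tells the visitor to paste it into the Windows Run dialog. The following heuristic scanner for saved WordPress page HTML is an added example written for this article, not Rapid7's tooling; its indicator patterns and the two sample pages are constructed assumptions, not indicators taken from the report.

```python
"""Heuristic check for ClickFix-style fake-CAPTCHA injections in saved page HTML.

Constructed example. Flags pages that combine clipboard-writing JavaScript with
"verify you are human" wording and instructions to open Windows Run and paste.
A real Cloudflare challenge never asks the visitor to do that.
"""
import re

# Each rule is (name, regex). Hits are counted; the combination matters, not any single rule.
RULES = [
    ("clipboard_write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(['\"]copy", re.I)),
    ("human_check_lure", re.compile(r"verify(ing)?\s+(you\s+are|that\s+you'?re)\s+(a\s+)?human|i'?m\s+not\s+a\s+robot", re.I)),
    ("run_dialog_instruction", re.compile(r"win(dows)?\s*(\+|key\s*\+)?\s*r\b|windows\s+run", re.I)),
    ("paste_instruction", re.compile(r"ctrl\s*\+\s*v|paste", re.I)),
    ("cloudflare_branding", re.compile(r"cloudflare", re.I)),
    ("lolbin_in_command", re.compile(r"\b(powershell|mshta|cmd(\.exe)?\s*/c|curl|certutil)\b", re.I)),
]

def score_page(html: str) -> dict:
    """Return the names of matching rules and how many matched."""
    hits = [name for name, rx in RULES if rx.search(html)]
    return {"hits": hits, "score": len(hits)}

def is_clickfix_lure(html: str, threshold: int = 4) -> bool:
    """Require the clipboard-write + Run-dialog pair plus enough supporting hits.
    Either indicator alone is too common on legitimate pages to act on."""
    result = score_page(html)
    return ("clipboard_write" in result["hits"]
            and "run_dialog_instruction" in result["hits"]
            and result["score"] >= threshold)

# Constructed sample: an injected fake-CAPTCHA block (payload replaced by a placeholder).
CONSTRUCTED_LURE = """
<div class="cf-box"><h2>Verify you are human</h2>
<p>Cloudflare needs to review the security of your connection.</p>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>navigator.clipboard.writeText("powershell -w hidden -c PLACEHOLDER_PAYLOAD");</script>
</div>"""

# Constructed sample: wording resembling a genuine interstitial, with no clipboard or Run steps.
CONSTRUCTED_BENIGN = """
<div class="cf-box"><h2>Verify you are human</h2>
<p>Verify you are human by completing the action below.</p>
<p>Performance &amp; security by Cloudflare</p></div>"""

if __name__ == "__main__":
    for label, page in (("lure", CONSTRUCTED_LURE), ("benign", CONSTRUCTED_BENIGN)):
        print(label, score_page(page), "flagged" if is_clickfix_lure(page) else "clean")
```

Run it over exported post content or a site crawl; a hit is a reason to inspect the theme, plugins and database for the injected block, not proof on its own.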

Rapid7 says the campaign is likely highly automated and doesn’t target any specific industry. Regional media outlets, small business websites, and even a US Senate candidate’s official webpage were among the confirmed cases.

"The large-scale execution of the compromise across completely unrelated WordPress instances suggests a high level of automation by the threat actor and is likely part of an organized long-term criminal effort," Rapid7 said in its report.

