According to a report published by Israel’s National Digital Agency, the malware campaign “ShadowCaptcha” is using more than 100 compromised WordPress sites to deliver a harmful payload. The campaign, which targets the technology, healthcare, legal, hospitality and real estate sectors, was first observed in August 2025. The earliest activity was seen in the United States; victims have since been reported in Canada, Brazil, Australia, England, Israel and Colombia.
Attackers inject malicious code into the sites so that visitors are redirected to fake CAPTCHA pages. On these pages the attackers use ClickFix, a social-engineering trick, to get victims to run commands that ultimately deploy ransomware, info-stealers and crypto-miners.
It is not clear exactly how the sites were compromised, but experts suspect the attackers got in through known plugin vulnerabilities or stolen WordPress admin passwords. In some cases the fake CAPTCHA was served by a malicious plugin disguised as a WooCommerce-style plugin and installed after the compromise.
Mitigation Strategies Include:
- Keep WordPress updated to the latest version, which carries the current security fixes.
- Turn on multi-factor authentication (MFA) at all levels and, if required, add a bot-protection layer such as Bot Shield by Deep Algorithm or Cloudflare’s bot protection.
- Teach users to recognise fake CAPTCHA and redirection attacks.
- Segment the network to restrict lateral movement after a compromise.
Why does CAPTCHA matter for us?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart: a challenge that distinguishes human visitors from bots and automated tools. CAPTCHAs help prevent spam, brute-force attacks and automated scraping of a website’s data.
Common forms of CAPTCHA include:
- Distorted text or characters the user must type.
- Image-based challenges, for example “Select all traffic lights”.
- Behaviour-based systems that analyse the visitor’s interaction in the background.
CAPTCHAs are also used in digitisation projects; reCAPTCHA, for example, has helped digitise books and newspapers.
The Threat of Fake CAPTCHAs:
Cybercriminals are increasingly weaponising fake CAPTCHA schemes, taking advantage of how familiar the pattern is to users. These schemes imitate real prompts (“I’m not a robot”) but mislead victims into executing malware.
Tactics used in fake CAPTCHA attacks:
- The page instructs the user to open the Windows Run dialog (Win + R), paste the clipboard contents (Ctrl + V) and press Enter, which silently runs a command that installs malware.
- The fake CAPTCHA challenge is injected into a legitimate site or reached through a phishing link. The page typically copies the malicious command to the clipboard without any visible sign that it has done so.
- Through these fake prompts, malware such as info-stealers, remote access trojans, ransomware and crypto-miners is delivered.
According to HP Wolf Security, cybercriminals are increasingly using fake “prove you are human” CAPTCHA checks to compromise devices. Trend Micro and other companies have reported similar tactics, in which fake CAPTCHA screens trick users into executing malicious scripts or files.
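The combination described above, a page that silently writes to the clipboard and then tells the visitor to press Win + R, Ctrl + V and Enter, is something a site owner can check for in their own pages. The following Python script is an added example (not code from the report or from any vendor named here); the indicator patterns and the two sample pages are constructed for illustration, and the copied text in the malicious sample is a placeholder rather than a real payload.

```python
import re

# Constructed heuristics for a ClickFix-style fake CAPTCHA page.
# Labels are only used for reporting which indicators were seen.
INDICATORS = [
    ("clipboard write API",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)),
    ("'not a robot' prompt", re.compile(r"i['’]?m not a robot", re.I)),
    ("Win+R instruction", re.compile(r"\bwin(dows)?(\s*key)?\s*\+\s*r\b", re.I)),
    ("Ctrl+V instruction", re.compile(r"\bctrl\s*\+\s*v\b", re.I)),
    ("press Enter instruction", re.compile(r"\bpress\s+enter\b", re.I)),
]
RUN_STEPS = {"Win+R instruction", "Ctrl+V instruction", "press Enter instruction"}


def scan_html_for_clickfix(html: str) -> list[str]:
    """Return the labels of every indicator found in the page source."""
    return [label for label, rx in INDICATORS if rx.search(html)]


def is_suspicious(html: str) -> bool:
    """Flag a page only when it writes to the clipboard AND instructs the
    visitor to perform Run-dialog / paste / Enter steps. A genuine CAPTCHA
    does neither, so the combination is the ClickFix signature; a mere
    'I'm not a robot' label on its own is not enough to flag a page."""
    hits = set(scan_html_for_clickfix(html))
    return "clipboard write API" in hits and bool(hits & RUN_STEPS)


# Constructed sample: a normal-looking CAPTCHA widget with no clipboard use.
BENIGN_PAGE = """<form><div class="g-recaptcha" data-sitekey="EXAMPLE-KEY"></div>
<label>I'm not a robot</label><button>Submit</button></form>"""

# Constructed sample: injected fake CAPTCHA. The copied string is a
# placeholder, not an actual command.
MALICIOUS_PAGE = """<div class="captcha-box"><p>I’m not a robot</p>
<script>
document.getElementById('check').onclick = function () {
  navigator.clipboard.writeText('PLACEHOLDER_COMMAND');
};
</script>
<ol><li>Press Windows + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol></div>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("malicious", MALICIOUS_PAGE)):
        print(name, is_suspicious(page), scan_html_for_clickfix(page))
```

Run it over the HTML your WordPress site actually serves to visitors (fetched as an anonymous browser would see it), since injected code is often hidden from logged-in administrators.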
Staying Safe from Fake CAPTCHA Malware Scams:
Avoid suspicious CAPTCHA requests.
- Do not trust CAPTCHA pages that ask you to:
  - Launch the Run dialog with the Win + R shortcut.
  - Paste and run commands that were copied to your clipboard.
  - Run any script or action on your machine.
Verify the website source.
- Check the website’s domain and authenticity before completing any CAPTCHA.
- Be wary if a new page loads unexpectedly or the CAPTCHA looks too easy.
Keep your software updated.
- Always keep your browser, operating system, antivirus and firewall up to date.
- For WordPress sites, update all plugins, themes and the WordPress core.
- Disable or delete any unused plugins.
Use strong authentication.
- Multi-factor authentication for admin accounts is a must.
- Use unique, strong passwords that combine special characters, numbers, and upper- and lower-case letters.
Educate and stay aware.
- Learn how ClickFix and similar social-engineering tricks work.
- Let your colleagues and family members know about the issue, for example by posting it as a WhatsApp Status.
- If a page does not seem legitimate and is pressuring you to do something, do not hesitate to leave it.
Limit damage with good practices.
- Isolate network access to contain a possible breach.
- Website admins should use least-privilege access.