How to Protect Against the WordPress ClickFix Campaign Targeting Credentials and Digital Wallets
Executive Summary
Rapid7 Labs has identified a widespread compromise of legitimate WordPress websites that are being used to deliver a ClickFix implant impersonating Cloudflare's CAPTCHA. This sophisticated campaign ultimately aims to steal credentials and digital wallets from Windows systems, posing a significant risk to organizations and their users.
Introduction
Trusted websites turning malicious is a nightmare scenario for security professionals. Recent research by Rapid7 Labs has uncovered an ongoing, global campaign where legitimate, often highly trusted WordPress websites are being compromised to deliver malware to unsuspecting visitors. The attackers have developed a sophisticated attack chain that begins with what appears to be a Cloudflare human verification challenge (CAPTCHA) but is actually a malicious ClickFix implant designed to steal credentials and digital wallets from Windows systems.
This campaign has been active in its current form since December 2025, with some of the infrastructure dating back to July/August 2025. The stolen credentials can be used for immediate financial theft or to conduct further, more targeted attacks against organizations. Security teams need to understand this threat and implement defensive measures to protect their organizations.
Technical Analysis
The campaign involves the compromise of legitimate WordPress websites, which are then used to distribute the ClickFix implant. The attack chain operates as follows:
-
Initial Compromise: Attackers gain unauthorized access to WordPress websites through unknown means, potentially exploiting vulnerabilities, using stolen credentials, or leveraging weak authentication.
-
Malicious Content Injection: Once compromised, the websites are injected with malicious scripts that display a fake Cloudflare human verification (CAPTCHA) challenge to visitors.
-
ClickFix Implant: When visitors attempt to complete the CAPTCHA challenge, they inadvertently execute the ClickFix implant, a multi-stage malicious software chain designed to evade detection.
-
Payload Delivery: The ClickFix implant eventually delivers a payload that targets Windows systems, specifically designed to:
- Steal browser-stored credentials
- Extract digital wallet information
- Establish persistence on infected systems
- Exfiltrate stolen data to attacker-controlled servers
The campaign's use of legitimate websites as delivery mechanisms and the sophisticated impersonation of Cloudflare's CAPTCHA interface make it particularly effective at bypassing traditional security controls and user awareness training.
The impact of this campaign extends beyond individual credential theft, as the stolen credentials can be used to:
- Conduct financial fraud
- Initiate more targeted attacks against organizations
- Move laterally within compromised networks
- Exfiltrate sensitive corporate data
Defensive Monitoring
To protect against this WordPress ClickFix campaign, organizations should implement the following defensive monitoring measures:
KQL Queries for Microsoft Sentinel/Defender
To detect potential ClickFix implant activity in your environment:
// Detect PowerShell execution patterns associated with ClickFix
DeviceProcessEvents
| where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Invoke-Expression"
or ProcessCommandLine has "IEX"
or ProcessCommandLine has "DownloadString"
| where ProcessCommandLine has "cloudflare"
or ProcessCommandLine has "captcha"
or ProcessCommandLine has "verify"
| summarize count(), make_set(ProcessCommandLine) by DeviceId, Timestamp
| order by Timestamp desc
// Detect unusual network connections to known malicious domains
DeviceNetworkEvents
| where RemoteUrl contains "cloudflare" and RemoteUrl !contains "cloudflare.com"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "mshta.exe")
| summarize count(), make_set(RemoteUrl) by DeviceId, Timestamp
| order by Timestamp desc
// Detect suspicious file creation patterns
DeviceFileEvents
| where InitiatingProcessFileName in ("powershell.exe", "mshta.exe", "regsvr32.exe")
| where FileName endswith ".js" or FileName endswith ".vbs" or FileName endswith ".hta"
| whereFolderPath contains "AppData" orFolderPath contains "Temp"
| summarize count(), make_set(FileName) by DeviceId, Timestamp
| order by Timestamp desc
PowerShell Scripts for Detection
To scan endpoints for signs of ClickFix implant:
# Script to check for suspicious PowerShell execution history
function Check-ClickFixIndicators {
param (
[string]$ComputerName = $env:COMPUTERNAME
)
# Check for suspicious PowerShell history
$historyPath = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
if (Test-Path $historyPath) {
$historyContent = Get-Content $historyPath -ErrorAction SilentlyContinue
$suspiciousCommands = @(
"cloudflare", "captcha", "verify", "ClickFix"
)
$foundSuspicious = $false
foreach ($command in $suspiciousCommands) {
if ($historyContent -match $command) {
Write-Host "Suspicious command found in history: $command" -ForegroundColor Yellow
$foundSuspicious = $true
}
}
if (-not $foundSuspicious) {
Write-Host "No suspicious commands found in PowerShell history." -ForegroundColor Green
}
}
# Check for suspicious scheduled tasks
$suspiciousTasks = Get-ScheduledTask | Where-Object {
$_.Actions.Execute -like "*powershell*" -and
($_.Actions.Arguments -like "*cloudflare*" -or
$_.Actions.Arguments -like "*captcha*")
}
if ($suspiciousTasks) {
Write-Host "Suspicious scheduled tasks found:" -ForegroundColor Yellow
$suspiciousTasks | ForEach-Object { Write-Host $_.TaskName }
} else {
Write-Host "No suspicious scheduled tasks found." -ForegroundColor Green
}
# Check browser data directories for suspicious extensions
$browserPaths = @(
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
"$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions"
)
foreach ($path in $browserPaths) {
if (Test-Path $path) {
Write-Host "Checking browser extensions in: $path"
Get-ChildItem -Path $path -Directory | ForEach-Object {
$manifestPath = "$($_.FullName)\manifest."
if (Test-Path $manifestPath) {
$manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
if ($manifest.name -match "cloudflare" -or $manifest.name -match "captcha") {
Write-Host "Suspicious extension found: $($manifest.name)" -ForegroundColor Yellow
}
}
}
}
}
}
# Execute the function
Check-ClickFixIndicators
Remediation
To protect your organization against the WordPress ClickFix campaign, implement the following remediation steps:
For Organizations Managing WordPress Sites
-
Conduct a Security Audit:
- Scan all WordPress installations for known vulnerabilities using tools like WPScan or the Wordfence Security Plugin
- Review all installed plugins and themes for suspicious or unauthorized additions
- Audit user accounts and remove any suspicious or unnecessary administrative accounts
-
Implement Hardening Measures:
- Ensure all WordPress core, plugins, and themes are updated to the latest versions
- Implement Web Application Firewall (WAF) rules to detect and block malicious script injections
- Enable file integrity monitoring to detect unauthorized modifications to WordPress files
- Use security headers to reduce the risk of content injection attacks
-
Implement Content Security Policy (CSP):
# Example Apache configuration for CSP
<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; object-src 'none'; frame-ancestors 'self';"
</IfModule>
4. **Regular Backups**:
- Maintain regular, automated backups of WordPress installations
- Verify backup integrity regularly
- Store backups in a secure, offline location
For Endpoints and User Protection
-
Browser Security:
- Deploy browser extensions that detect and block malicious scripts
- Configure browsers to block pop-ups and suspicious redirects
- Implement browser isolation solutions for high-risk users
-
Endpoint Protection:
- Ensure all endpoints have updated antivirus/anti-malware software
- Deploy endpoint detection and response (EDR) solutions to detect unusual behavior
- Implement application control to restrict the execution of suspicious scripts
-
User Education:
- Train users to recognize suspicious CAPTCHA challenges, especially on unexpected websites
- Encourage users to verify unusual CAPTCHA challenges by checking the URL carefully
- Remind users never to download files or execute scripts prompted by CAPTCHA challenges
-
Network Security:
- Implement DNS filtering to block known malicious domains
- Use SSL inspection to detect and block malicious content in encrypted traffic
- Segment networks to limit the spread of potential infections
Incident Response Preparation
-
Develop Detection Signatures:
- Create YARA rules to detect ClickFix implant components
- Implement custom detection rules in your SIEM for indicators of compromise
- Regularly update detection signatures based on threat intelligence
-
Establish Response Procedures:
- Develop a clear incident response plan for WordPress compromise scenarios
- Define roles and responsibilities for responding to web-based threats
- Establish communication channels for reporting suspicious activity
-
Post-Incident Recovery:
- Create a checklist of steps to follow if a compromise is detected
- Determine criteria for taking compromised systems offline
- Define procedures for investigating the scope and impact of the compromise
By implementing these defensive measures, organizations can significantly reduce their risk from the WordPress ClickFix campaign and similar threats that exploit trusted web infrastructure to deliver malicious payloads.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.