Israel National Digital Agency Uncovers Global Cyberattack Campaign “ShadowCaptcha”
In August 2025, Israel National Digital Agency researchers uncovered an ongoing large-scale cybercrime campaign leveraging a ClickFix technique. The campaign reaches victims through compromised WordPress websites and uses a fake Cloudflare or Google CAPTCHA page to trick them into executing malicious commands.
Retrospective analysis indicates the campaign has been active for at least the past year with the potential to impact thousands of organizations worldwide. Analysis uncovered over 100 compromised WordPress sites injected with malicious JavaScript redirecting to attacker-controlled infrastructure, and hundreds of malware samples spanning multiple families and variants.
The campaign, which we have dubbed ShadowCaptcha, blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems. The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks. This combination of tactics underscores its nature as an opportunistic, financially motivated operation that pairs social engineering and stealthy persistence with monetization through both data theft and cryptomining.
If undetected, ShadowCaptcha can result in prolonged unauthorized access to internal systems, sustained cryptomining that degrades performance and increases operational costs, and large-scale exfiltration of sensitive data that could lead to reputational damage, regulatory penalties, and financial losses. The opportunistic nature of this campaign means that any internet-facing organization is a potential target, regardless of size or sector.
Given its scale and adaptability, we recommend creating detection and prevention rules targeting the TTPs detailed in this report, alongside awareness training that helps end users recognize and avoid the broader ClickFix social engineering technique, to reduce risk and prevent future incidents.

















