
When Trusted Websites Turn Malicious WordPress Compromises A... #1977

Open
carlospolop wants to merge 1 commit into master from update_When_Trusted_Websites_Turn_Malicious__WordPress_Co_20260310_185123

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation
  • Blog Title: When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation
  • Suggested Section: Pentesting Web -> XSS (Cross Site Scripting) / Misc JS Tricks & Relevant Info (stealth JS loaders, bot/admin evasion, anti-prettify checks) and Windows Hardening -> Windows Local Privilege Escalation / Post-Exploitation (fileless PowerShell shellcode execution, CreateThread injection patterns) or a new short note under Generic Hacking -> Exfiltration/Initial Access social-engineering (ClickFix clipboard/PowerShell).

🎯 Content Summary

Title/Scope (what this post is about)
Rapid7 Labs analyzed a widespread compromise of legitimate WordPress websites that were altered to deliver a ClickFix social-engineering “implant” masquerading as a Cloudflare human verification (CAPTCHA). The goal is to trick visitors into running PowerShell that executes a multi-stage, mostly in-memory loader chain culminating in Windows credential + crypto ...

🔧 Technical Details

Conditional malicious JS loader hidden from WordPress admins
A compromised WordPress site can embed a “benign-looking” loader (e.g., fake performance optimizer) that only executes for non-admin visitors by checking for the wordpress_logged_in_ cookie. The loader may keep a Base64-encoded list of attacker endpoints, decode them with atob(), then synchronously request remote JS via XMLHttpRequest.open('GET', url, false) and inject the first successful response into document.head. This allows dynamic payload rotation while reducing chances of admins observing the malicious behavior.


Stealthy browser-side staging via admin-ajax + selective evasion + eval()
A compromised WordPress instance can expose an endpoint such as /wp-admin/admin-ajax.php?action=ajjs_run and only fetch it if the request looks like a real user session. Evasion gates can include: blocking WordPress/...

🤖 Agent Actions

Summary:

  1. Added a Rapid7 2026 WordPress ClickFix chain section covering stealth loaders, anti-analysis bypass, fileless PowerShell shellcode execution, DoubleDonut staging, and hunting pivots.
  2. Extended references with the Rapid7 blog and related tooling/source links used in the new section.

Files modified:

  • src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

Tests not run (not requested).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
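The Technical Details above describe a loader that gates on the `wordpress_logged_in_` cookie, decodes Base64 endpoints with `atob()`, fetches them with a synchronous `XMLHttpRequest` and injects the response into `document.head`. As an added example (not part of the PR, the blog post, or HackTricks), the following Node.js scanner turns those indicators into a weighted static check over JavaScript served by a WordPress site and decodes any `atob()` literals for hunting; the indicator weights, the threshold and both sample scripts (with the placeholder host `cdn.example.invalid`) are assumptions constructed here.

```javascript
// Heuristic static scan for the conditional-loader pattern described in the write-up.
// Weights and the threshold below are constructed for this example, not taken from the post.
const INDICATORS = [
  { id: "admin_cookie_gate", re: /wordpress_logged_in_/, weight: 3 },
  { id: "atob_decode", re: /\batob\s*\(/, weight: 1 },
  // open('GET', url, false): synchronous XHR, rare in legitimate modern code
  { id: "sync_xhr", re: /\.open\s*\(\s*['"]GET['"]\s*,[^)]*,\s*false\s*\)/, weight: 2 },
  { id: "head_injection", re: /document\.head\.(appendChild|insertBefore)/, weight: 2 },
  { id: "eval_call", re: /\beval\s*\(/, weight: 1 },
  { id: "admin_ajax_endpoint", re: /admin-ajax\.php\?action=/, weight: 1 },
];
const SUSPICIOUS_THRESHOLD = 5; // cookie gate alone (3) is common in benign plugins

// Decode every atob('<base64>') literal and keep the printable results as hunting pivots.
function decodeBase64Literals(src) {
  const out = [];
  const re = /atob\s*\(\s*['"]([A-Za-z0-9+/=]{8,})['"]\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

// Returns which indicators matched, the summed weight, and decoded endpoint candidates.
function scanScript(src) {
  const matched = INDICATORS.filter((i) => i.re.test(src));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return {
    hits: matched.map((i) => i.id),
    score,
    suspicious: score >= SUSPICIOUS_THRESHOLD,
    decoded: decodeBase64Literals(src),
  };
}

// Constructed samples (placeholder host; the suspicious one is deliberately non-functional).
const ENDPOINT_B64 = Buffer.from("https://cdn.example.invalid/opt.js").toString("base64");
const SUSPICIOUS_SAMPLE = [
  "if (document.cookie.indexOf('wordpress_logged_in_') === -1) {",
  `  var u = atob('${ENDPOINT_B64}');`,
  "  x.open('GET', u, false);",
  "  document.head.appendChild(s);",
  "}",
].join("\n");
const BENIGN_SAMPLE =
  "if (document.cookie.indexOf('wordpress_logged_in_') !== -1) { showAdminBar(); }";

console.log(scanScript(SUSPICIOUS_SAMPLE));
console.log(scanScript(BENIGN_SAMPLE));
```

Run it over scripts pulled from a site's theme and plugin directories (or from a browser HAR capture taken without an admin cookie) and review the decoded endpoints against known-good CDN hosts.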

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (Cross Site Scripting) / Misc JS Tricks & Relevant Info (stealth JS loaders, bot/admin evasion, anti-prettify checks) and Windows Hardening -> Windows Local Privilege Escalation / Post-Exploitation (fileless PowerShell shellcode execution, CreateThread injection patterns) or a new short note under Generic Hacking -> Exfiltration/Initial Access social-engineering (ClickFix clipboard/PowerShell).".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

1 participant