Recent findings from the Hudson Rock Threat Intelligence Team reveal a dangerous feedback loop. Credentials stolen by infostealer malware are being used to hijack legitimate business websites, which are then repurposed to distribute the same malware to new victims.
At the centre of this cycle is a social engineering technique known as “ClickFix”. Victims are lured to compromised but legitimate websites that display fake security warnings resembling Google reCAPTCHA checks or browser error messages. When users click these prompts, hidden JavaScript copies a PowerShell command to the clipboard. They are then instructed to press Windows + R and paste the so-called verification code. Because the victim launches the command themselves from the Run dialog, rather than opening a downloaded file, the chain installs infostealer malware such as Lumma, Vidar or Stealc without triggering the controls that would catch a conventional download.
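The three ingredients of the lure described above (a script that writes to the clipboard, text telling the victim to open the Run dialog, and a PowerShell fragment sitting in a page string) can be turned into a simple page-scanning heuristic. The following is an added example, not code from the Hudson Rock report or the ClickFix Hunter platform; the indicator list, the weights and both sample pages are constructed for illustration.

```javascript
// Added example: heuristic scanner for the ClickFix pattern described in the
// article (clipboard write + "press Windows + R" lure + PowerShell fragment).
// This is not code from the Hudson Rock report or the ClickFix Hunter platform;
// the indicator list, weights and both sample pages below are constructed.

const INDICATORS = [
  // Script writing to the clipboard: the delivery mechanism.
  { id: "clipboard-write", weight: 2,
    re: /navigator\.clipboard\.writeText|execCommand\(\s*["']copy["']\s*\)/i },
  // Lure text telling the victim to open the Run dialog.
  { id: "run-dialog-instruction", weight: 3,
    re: /\bwin(dows)?\s*(key)?\s*(\+|plus)\s*r\b/i },
  // Fake verification / CAPTCHA theming.
  { id: "fake-captcha-theme", weight: 1,
    re: /verification (step|code)|i['’]m not a robot|recaptcha/i },
  // Command-line fragments that have no business inside a web page's strings.
  { id: "powershell-fragment", weight: 3,
    re: /\bpowershell(\.exe)?\b|\s-(w|windowstyle)\s+hidden|\s-(ep|executionpolicy)\s+bypass|\b(iwr|irm|iex|mshta)\b/i },
];

// Pull the literal passed to writeText, if the page hands it a plain string.
// Real lures often assemble the string from pieces or fetch it from a second
// script, so a null here does not clear the page.
function extractClipboardPayload(source) {
  const m = source.match(/writeText\(\s*(["'`])((?:\\.|(?!\1).)*)\1/);
  return m ? m[2] : null;
}

function scanForClickFix(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const ids = hits.map((h) => h.id);
  // A legitimate "copy this command" button also writes to the clipboard, so
  // require a command fragment alongside the clipboard write before flagging.
  const suspected =
    ids.includes("clipboard-write") && ids.includes("powershell-fragment") && score >= 5;
  return { score, indicators: ids, suspected, payload: extractClipboardPayload(source) };
}

// Constructed sample: a documentation page with an ordinary copy button.
const BENIGN_PAGE = `
<button onclick="navigator.clipboard.writeText('npm install left-pad')">Copy</button>
<p>Click to copy the install command.</p>`;

// Constructed sample: a ClickFix-style lure. The command is a placeholder, not a
// real loader.
const LURE_PAGE = `
<div class="captcha">I'm not a robot</div>
<p>Verification step 1: press Windows + R, then CTRL+V and Enter.</p>
<script>
  document.getElementById("verify").onclick = () => {
    navigator.clipboard.writeText("powershell -w hidden -ep bypass -c STAGE_TWO_OMITTED");
  };
</script>`;

// Stand-alone run: print both verdicts.
for (const [name, page] of [["benign", BENIGN_PAGE], ["lure", LURE_PAGE]]) {
  console.log(name, JSON.stringify(scanForClickFix(page)));
}
```

Run it over the rendered HTML and every script body the page loads, not just the first response: lures frequently keep the clipboard write in a separately fetched script or build the command by concatenation, in which case the scanner still reports the clipboard write and the Run-dialog text but cannot recover the payload. Treat the score as a triage signal for a human or sandbox to confirm, not as a verdict on its own.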
Data from the ClickFix Hunter platform, which monitors more than 1,600 active malicious domains, shows that 220 of them, about 13 percent, are both running ClickFix campaigns and have administrator credentials exposed in infostealer logs. These credentials often include access to WordPress admin dashboards, cPanel hosting panels and other content management systems.
One example cited is jrqsistemas.com. The site is currently hosting a ClickFix campaign, while intelligence records show its WordPress administrator credentials were earlier stolen by infostealer malware. Attackers used this access to upload malicious scripts, turning a genuine business website into a malware hosting platform. Similar activity was observed on wo.cementah.com.
This creates a self-sustaining cycle. More infections lead to more stolen credentials. More credentials result in more compromised websites. These sites then expand the reach of ClickFix attacks, driving further infections.
Security experts warn that this decentralised infrastructure is difficult to disrupt because attackers operate through thousands of legitimate hosting providers rather than dedicated malicious servers. Even when large botnets are taken down, much of the infrastructure remains active.
The research highlights that modern malware campaigns increasingly exploit human behaviour rather than software flaws. Breaking the credential-theft loop is now critical to stopping this expanding threat.