{
	"id": "2dde5cca-3abd-4437-8293-a3d51852f1af",
	"created_at": "2026-04-06T00:13:03.600667Z",
	"updated_at": "2026-04-10T03:20:47.451606Z",
	"deleted_at": null,
	"sha1_hash": "5797af5d769f7994e279233dcd2d3cf5399e9480",
	"title": "Fake CAPTCHA scam targets 2,353 WordPress sites, warns CyberCX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36385,
	"plain_text": "Fake CAPTCHA scam targets 2,353 WordPress sites, warns\r\nCyberCX\r\nBy Shannon Williams\r\nPublished: 2025-06-03 · Archived: 2026-04-05 12:42:25 UTC\r\nCyberCX has issued a warning to Australians regarding a phishing campaign targeting WordPress websites\r\nthrough the use of fake CAPTCHA prompts.\r\nThe campaign, referred to as DarkEngine, involves threat actors embedding fraudulent CAPTCHA prompts into\r\nlegitimate WordPress sites, putting website users at risk of various types of malware, including information\r\nstealers and remote access tools.\r\nAccording to CyberCX, at least 2,353 unique websites have been identified as likely compromised by this\r\ncampaign, with 82 of these belonging to organisations in Australia and New Zealand. Within Australia, the\r\naffected websites are predominantly small to medium-sized businesses, spanning a range of sectors from strip\r\nclubs to educational platforms for children.\r\nThe DarkEngine campaign employs a multi-layered approach. Initially, the perpetrator creates convincing replicas\r\nof WP Engine, a management tool widely used by businesses to oversee their WordPress websites. By leveraging\r\na technique known as search engine optimisation (SEO) poisoning, the threat actor is able to position fake WP\r\nEngine links above legitimate ones in Google search results. As a result, genuine WP Engine login credentials\r\nfrom website administrators can be harvested and subsequently used to take control of the affected websites to\r\ninject fake CAPTCHA prompts.\r\nThe campaign's intention is to reach the vast number of visitors to these compromised websites, exposing them to\r\nthe risk of malware infection through socially engineered prompts.\r\nKatherine Mansted, Executive Director of CyberCX Intelligence, commented on the sophistication of the\r\ncampaign: \"This threat actor is a savvy, highly capable and well-resourced financially-motivated criminal. 
They\r\nare operating a scaled operation here, gaining access to thousands of real websites and infecting them with\r\nmalware that hits unsuspecting internet users.\r\n\"Fake CAPTCHA is an increasingly common technique criminals use to infect Australians' computers with\r\nmalware. They look similar to real CAPTCHAs – a way to test whether a website visitor is a real person or a bot –\r\nbut prompt the unsuspecting user to run malicious commands, potentially allowing criminals to gain remote\r\naccess to their computers.\r\n\"Never follow a CAPTCHA command that requires you to copy and paste text and be vigilant for any unexpected\r\ndownloads after completing a CAPTCHA. Along with unusual URLs, pop-ups and poorly designed CAPTCHA\r\nformats, these are the tell-tale signs of a fake CAPTCHA.\"\r\nThe fraudulent CAPTCHA prompts associated with DarkEngine are described as a variation of ClickFix, a social\r\nengineering tactic aimed at manipulating users into executing malicious instructions. These techniques have\r\nconnections to activities used by recognised financially motivated cyber crime groups.\r\nCyberCX Intelligence has stated that it has been reaching out to organisations whose websites have been affected\r\nas part of an effort to improve the security of digital communities.\r\nThe organisation has provided several recommendations for website administrators and organisations. WP Engine\r\nadministrators are advised to audit account activity logs for unexpected logins, particularly those originating from\r\nunfamiliar proxy services and VPNs. 
WordPress site administrators should check for any signs of unexpected\r\nplugins, content injections within theme files, and successful requests containing keywords such as\r\n\"emergency_login\", \"check_plugin\", and \"urlchange\".\r\nAdditionally, CyberCX stresses the importance of educating staff about ClickFix techniques, such as fake\r\nCAPTCHA, and the risks posed by SEO manipulation potentially leading them to engage with malicious sites.\r\nOrganisations are also encouraged to consider providing reputable password managers to staff, which can help\r\nalert users if the site they are visiting is not legitimate.\r\nSource: https://securitybrief.com.au/story/fake-captcha-scam-targets-2-353-wordpress-sites-warns-cybercx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securitybrief.com.au/story/fake-captcha-scam-targets-2-353-wordpress-sites-warns-cybercx"
	],
	"report_names": [
		"fake-captcha-scam-targets-2-353-wordpress-sites-warns-cybercx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5797af5d769f7994e279233dcd2d3cf5399e9480.pdf",
		"text": "https://archive.orkl.eu/5797af5d769f7994e279233dcd2d3cf5399e9480.txt",
		"img": "https://archive.orkl.eu/5797af5d769f7994e279233dcd2d3cf5399e9480.jpg"
	}
}