EXECUTIVE SUMMARY
The attack, attributed to an in-the-wild threat group, exploits the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to steal the Admin API Key, which is then used to tamper with article content in bulk. The attackers inject malicious JavaScript at the bottom of articles, creating a two-stage loader that downloads and executes a stealer trojan. The loader uses a commercial Cloaking service provider to dynamically switch content based on the visitor's identity, and the stealer trojan uses Electron to achieve persistence and send POST requests to a remote server.
The attackers have been actively conducting poisoning operations, targeting multiple industries and regions, and have even competed with each other, with different malicious code implanted on the same site. The infection vector is exploitation of CVE-2026-26980 in Ghost CMS, which lets the attackers obtain the Admin API Key without authorization. With that key, they plant a two-stage loader in article content that downloads and executes a stealer trojan; the trojan uses Electron to achieve persistence and sends POST requests to a remote server.
The attackers maintain control through a commercial Cloaking service provider, which dynamically switches the served content based on the visitor's identity, so that scanners and analysts see benign pages while targeted visitors receive the loader. The stealer trojan collects sensitive information and sends it to the attackers' remote server. The threat is significant: it can lead to theft of sensitive information, disruption of business operations, and reputational damage to affected organizations, and the combination of cloaking, a two-stage loader, and an Electron-based persistent stealer makes the compromise hard to detect and recover from. To defend against this threat, organizations should patch and upgrade their Ghost CMS installations, rotate all credentials (including the Admin API Key), clean up implanted content, audit access logs, and notify users who may have visited the site during the contamination period.
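Because the implanted loader is a script tag appended to the end of article bodies, one practical clean-up check is to pull every post's HTML and flag script elements, especially trailing ones, that do not belong to a known-good host. The following is an added example written for this summary, not code from the report or from Ghost; it parses a constructed JSON sample shaped like a Ghost Content API posts response (the `html` field per post is real Ghost behaviour, the sample content and the `TRUSTED_SCRIPT_HOSTS` allow-list are assumptions), so it runs offline.

```python
"""Scan Ghost post bodies for script tags appended to article content (added example)."""
import json
import re
from html.parser import HTMLParser

# Assumption: hosts the site owner knowingly loads scripts from. Anything else is reported.
TRUSTED_SCRIPT_HOSTS = {"cdn.example.com"}

# Constructed sample mimicking the shape of a Ghost Content API /posts/ response.
SAMPLE_POSTS_JSON = json.dumps({
    "posts": [
        {"id": "p1", "slug": "clean-post",
         "html": "<p>Hello world</p><p>More text</p>"},
        {"id": "p2", "slug": "tampered-post",
         "html": "<p>Intro</p><script src=\"https://loader.invalid/l.js\"></script>"},
        {"id": "p3", "slug": "inline-post",
         "html": "<p>x</p><script>/* constructed inline stand-in */</script><p>y</p>"},
        {"id": "p4", "slug": "trusted-post",
         "html": "<p>ok</p><script src=\"https://cdn.example.com/analytics.js\"></script>"},
    ]
})


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "inline": ""})

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data while inside <script>.
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def find_scripts(html):
    """Return a list of {'src': ..., 'inline': ...} for each script tag in html."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def host_of(src):
    """Extract the lowercase host from an absolute or protocol-relative URL, else None."""
    match = re.match(r"^(?:https?:)?//([^/?#]+)", src or "")
    return match.group(1).lower() if match else None


def assess_post(post):
    """Return a finding for a post that carries untrusted script tags, else None."""
    html = post.get("html") or ""
    suspicious = []
    for script in find_scripts(html):
        host = host_of(script["src"])
        if script["src"] and host in TRUSTED_SCRIPT_HOSTS:
            continue  # known-good external script
        suspicious.append({
            "kind": "external" if script["src"] else "inline",
            "src": script["src"],
            "inline_len": len(script["inline"]),
        })
    if not suspicious:
        return None
    return {
        "slug": post.get("slug"),
        "scripts": suspicious,
        # A script as the very last element matches the "bottom of the article" implant pattern.
        "ends_with_script": html.rstrip().lower().endswith("</script>"),
    }


def scan_posts(posts_json):
    """Scan a Content-API-shaped JSON document and return findings for tampered posts."""
    data = json.loads(posts_json)
    findings = []
    for post in data.get("posts", []):
        finding = assess_post(post)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS_JSON):
        print(f)
```

In a real clean-up, feed it the output of the site's own Content API or a JSON export instead of the constructed sample, and treat any `ends_with_script` hit as a post to restore from a known-good copy after the Admin API Key has been rotated.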
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1204 | User Execution | — |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1212 | Exploitation for Credential Access | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Impact | T1491 | Defacement | — |
REFERENCES:
The following report contains further technical details:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/