Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.

“Site visitors get injected content that was drive-by malware like fake Cloudflare verification,” Sucuri researcher Puja Srivastava said in an analysis published last week.

The website security company said it began an investigation after one of its customer’s WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file (“functions.php”).

The code inserted into “functions.php” incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain “brazilc[.]com,” which, in turn, responds with a dynamic payload that includes two components –

• A JavaScript file hosted on a remote server (“porsasystem[.]com”), which, as of writing, has been referenced on 17 websites and contains code to perform site redirects
• A piece of JavaScript code that creates a hidden, 1×1 pixel iframe, within which it injects code that mimics legitimate Cloudflare assets like “cdn-cgi/challenge-platform/scripts/jsd/main.js” – an API that’s a core part of its bot detection and challenge platform

It’s worth noting that the domain “porsasystem[.]com” has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).

According to information shared by an account named “monitorsg” on Mastodon on September 19, 2025, the infection chain starts with users visiting a compromised site, resulting in the execution of “porsasystem[.]com/6m9x.js,” which then leads to “porsasystem[.]com/js.php” to eventually take the victims to ClickFix-style pages for malware distribution.

The findings illustrate the need for securing WordPress sites and ensuring that plugins, themes, and website software are kept up-to-date, enforcing strong passwords, scanning the sites for anomalies and unexpected administrator accounts created for maintaining persistent access even after the malware is detected and removed.

“This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page commonly deployed by Content Delivery Networks (CDNs) and cloud security providers to defend against automated threats,” security researcher Amer Elsad said. “The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure.”

The bespoke phishing pages also come with capabilities to manipulate the clipboard, a crucial step in the ClickFix attack, as well as detect the operating system used in order to tailor the infection sequence and serve compatible malware.

In at least two different cases, threat actors have been detected using pages generated using the kit to deploy information stealers such as DeerStealer and Odyssey Stealer, the latter of which is designed to target Apple macOS systems.

The emergence of the IUAM ClickFix Generator adds to a prior alert from Microsoft warning of a rise in commercial ClickFix builders on underground forums since late 2024. Another notable example of a phishing kit that has integrated the offering is Impact Solutions.

“The kits offer creation of landing pages with a variety of available lures, including Cloudflare,” Microsoft noted back in August 2025. “They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence.”

It goes without saying that these tools further lower the barrier to entry for cybercriminals, enabling them to mount sophisticated, multi-platform attacks at scale without much effort or technical expertise.

ClickFix Becomes Stealthy via Cache Smuggling

The findings also follow the discovery of a new campaign that has innovated on the ClickFix attack formula by employing a sneaky technique referred to as cache smuggling to fly under the radar as opposed to explicitly downloading any malicious files on the target host.

“This campaign differs from previous ClickFix variants in that the malicious script does not download any files or communicate with the internet,” Expel Principal Threat Researcher Marcus Hutchins said. “This is achieved by using the browser’s cache to pre-emptively store arbitrary data onto the user’s machine.”

In the attack documented by the cybersecurity company, the ClickFix-themed page masquerades as a Fortinet VPN Compliance Checker, using FileFix tactics to deceive users into launching the Windows File Explorer and pasting a malicious command into the address bar to trigger the execution of the payload.

The invisible command is designed to run a PowerShell script via conhost.exe. What makes the script stand apart is that it does not download any additional malware or communicate with an attacker-controlled server. Instead, it executes an obfuscated payload that passes off as a JPEG image and is already cached by the browser when the user lands on the phishing page.

“Neither the web page nor the PowerShell script explicitly downloads any files,” Hutchins explained. “By simply letting the browser cache the fake ‘image,’ the malware is able to get an entire zip file onto the local system without the PowerShell command needing to make any web requests.”

“The implications of this technique are concerning, as cache smuggling may offer a way to evade protections that would otherwise catch malicious files as they are downloaded and executed. An innocuous-looking ‘image/jpeg’ file is downloaded, only to have its contents extracted and then executed via a PowerShell command hidden in a ClickFix phishing lure.”