Hackers Exploit Ghost CMS CVE-2026-26980 to Poison 700 Websites With ClickFix Malware

A critical SQL injection flaw in Ghost CMS has been weaponized by at least two threat actor groups to silently poison over 700 websites with ClickFix malware, putting unsuspecting visitors at serious risk.

The vulnerability, tracked as CVE-2026-26980, was publicly disclosed as early as February 19, 2026. Despite this, many Ghost CMS administrators failed to apply the available patch in time.

Attackers wasted little time: they scanned for unpatched installations, used the injection to extract Admin API keys, and then used those keys to mass-modify article content so that anyone visiting the affected sites was served a malicious JavaScript loader.

Researchers at Qianxin XLab first detected the poisoning activity on May 7, 2026, while investigating a compromise at one of their critical customers. 

Qianxin said in a report shared with Cyber Security News that what initially appeared to be a targeted intrusion turned out to be a broad, automated campaign hitting Ghost CMS installations worldwide.

The attack chain was described as systematic, covering CMS takeover, page poisoning, two-stage payload loading, social engineering, and final malware delivery.

The scope of damage expanded rapidly. By May 10, researchers had confirmed 156 poisoned domains.

One week later, that number had ballooned to over 700, including websites operated by Harvard University, Oxford University, and Auburn University. The affected sites span dozens of industries including blockchain, AI, media, fintech, and security research.

What makes this campaign particularly dangerous is the level of trust users place in well-known websites. Visitors to compromised Ghost sites had no visible warning signs.

[Figure: Ghost CMS Poisoning Incident Timeline (Source – Qianxin)]

The poisoned articles looked completely normal, with the malicious code silently embedded at the bottom of each page, waiting to activate when a reader scrolled through.

Hackers Exploit Ghost CMS CVE-2026-26980

The vulnerability at the center of this campaign is a high-severity SQL injection flaw in Ghost CMS that allows unauthenticated attackers to read directly from the database, including the Admin API key.

Because the Ghost Admin API authenticates requests with a token minted from that key's ID and secret, possession of the key alone was enough: attackers could call the Admin API to silently rewrite articles at scale, with no need to touch the admin panel or the server directly.

CVE ID:              CVE-2026-26980
Type:                SQL Injection
Severity:            High
Affected Component:  Ghost CMS
Impact:              Unauthenticated Admin API key extraction, mass article modification

With the Admin API key in hand, the attack unfolded in four stages. Stage one planted the malicious JavaScript loader at the bottom of articles. Stage two redirected real visitors through a cloaking script that filtered out security researchers and bots.

[Figure: More than 700 domains that have been poisoned (Source – Qianxin)]

Stage three presented a convincing fake Cloudflare verification page, tricking users into pressing WIN+R, pasting a command, and hitting Enter. Stage four silently delivered and executed a data-stealing payload on the victim’s machine.

ClickFix Social Engineering and Payload Delivery

The fake verification page is what makes this campaign so effective against ordinary users. It mimics the widely recognized Cloudflare CAPTCHA interface down to the visual styling and wording.

When users click to verify, they unknowingly copy a malicious command to their clipboard and execute it themselves, all while believing they are simply proving they are human.

The payloads evolved as the campaign progressed. Early versions downloaded a DLL named installer.dll via a public CDN and launched it quietly using rundll32.

By May 16, attackers had upgraded to a data-stealing Trojan called UtilifySetup.exe that had zero antivirus detections at the time of analysis. It used an Electron-based framework to establish persistence and contacted a command-and-control server every 30 seconds.

[Figure: Attack Chain (Source – Qianxin)]

A second threat actor group (Threat Actor B in the indicator list below) was also found running a parallel campaign with a different loader, css.js, served from staticcloudflare[.]pro and script-dev[.]digital. The NotepadPlusPlus.zip lure, by contrast, belongs to the first group's later wave, which swapped the original installer.dll for a renamed NotepadPlusPlus.dll.

Qianxin XLab strongly recommends that all Ghost CMS administrators upgrade immediately to the patched version that resolves CVE-2026-26980.

Beyond upgrading, site owners should rotate all credentials including Admin API keys and administrator passwords, audit access logs for unusual bulk PUT requests against the Admin API posts endpoint, and scan article content for fingerprints such as ghost_once_footer_, sj.ssc/ipa/ (the loader path /api/css.js written backwards), or atob( combined with appendChild.
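The two checks recommended above, as an added example that is not part of the Qianxin report or of Ghost itself. It assumes the reverse proxy in front of Ghost writes nginx "combined" access logs and that the Admin API lives under /ghost/api/admin/ (older releases used a versioned prefix, which the pattern also accepts); the article HTML and log lines are constructed samples.

```python
"""Post-incident checks for a Ghost CMS site: scan article HTML for the
poisoning fingerprints named in the report, and flag clients that bulk-edited
posts through the Admin API. Added example; log format and samples assumed."""
import re
from datetime import datetime

# Fingerprints from the report. 'sj.ssc/ipa/' is '/api/css.js' reversed,
# which is why a naive grep for the loader URL misses Threat Actor B's pages.
FINGERPRINTS = {
    "ghost_once_footer_": "Threat Actor A footer marker",
    "sj.ssc/ipa/": "Threat Actor B reversed loader path",
}


def find_poison_fingerprints(html: str) -> list[str]:
    """Return a description of every fingerprint found in one article's HTML."""
    hits = [desc for pat, desc in FINGERPRINTS.items() if pat in html]
    # The report pairs atob( with appendChild: base64-decode, then inject a node.
    if "atob(" in html and "appendChild" in html:
        hits.append("atob()+appendChild loader pattern")
    return hits


# nginx "combined" access-log line (assumed format for the proxy in front of Ghost).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ADMIN_POSTS_RE = re.compile(r"^/ghost/api/(?:v\d+/)?admin/posts/")


def flag_bulk_admin_puts(log_lines, threshold=3, window_seconds=300):
    """Map client IP -> largest number of Admin API post edits (PUT) it issued
    inside any window of window_seconds, for clients reaching threshold."""
    by_ip: dict[str, list[datetime]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "PUT" or not ADMIN_POSTS_RE.match(path):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        by_ip.setdefault(ip, []).append(when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample article: normal content plus an injected footer script.
# 'Li4u' is just base64 of '...'; the real loader is not reproduced here.
POISONED_ARTICLE = """<p>Quarterly update on our roadmap.</p>
<script>/*ghost_once_footer_a1*/var s=document.createElement('script');
s.src=atob('Li4u');document.body.appendChild(s);</script>"""
CLEAN_ARTICLE = "<p>Nothing injected in this one.</p>"

# Constructed access-log sample: one client rewrites four posts in eight seconds,
# a legitimate editor saves one post, everything else is read traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:03:13:55 +0000] "GET /ghost/api/admin/posts/?limit=all HTTP/1.1" 200 9812 "-" "axios/1.6.0"',
    '203.0.113.7 - - [10/May/2026:03:14:07 +0000] "PUT /ghost/api/admin/posts/6630aa1/ HTTP/1.1" 200 812 "-" "axios/1.6.0"',
    '203.0.113.7 - - [10/May/2026:03:14:09 +0000] "PUT /ghost/api/admin/posts/6630aa2/ HTTP/1.1" 200 790 "-" "axios/1.6.0"',
    '203.0.113.7 - - [10/May/2026:03:14:12 +0000] "PUT /ghost/api/admin/posts/6630aa3/ HTTP/1.1" 200 801 "-" "axios/1.6.0"',
    '203.0.113.7 - - [10/May/2026:03:14:15 +0000] "PUT /ghost/api/admin/posts/6630aa4/ HTTP/1.1" 200 777 "-" "axios/1.6.0"',
    '198.51.100.2 - - [10/May/2026:03:20:41 +0000] "PUT /ghost/api/admin/posts/6630bb9/ HTTP/1.1" 200 650 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/May/2026:03:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_poison_fingerprints(POISONED_ARTICLE))
    print(find_poison_fingerprints(CLEAN_ARTICLE))
    print(flag_bulk_admin_puts(SAMPLE_LOG))  # {'203.0.113.7': 4}
```

Run the fingerprint scan over the `html` field of every post exported from the Admin API (or straight from the posts table), not only over live pages: the cloaking stage means a crawler that fetches the public site may be shown clean content. Tune the PUT threshold to the site's normal editorial rate; a single editor saving a draft repeatedly is the expected false positive.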

Visitors who may have accessed any affected Ghost site during the contamination window should run a full local security check on their devices.

Indicators of Compromise (IoCs):

Domains
  clo4shara[.]xyz           – Threat Actor A: Stage 2 cloaking domain (first wave)
  cloud-verification[.]com  – Threat Actor A: Fake Cloudflare verification page host
  jalwat[.]com              – Threat Actor A: Payload distribution server
  com-apps[.]cc             – Threat Actor A: Updated cloaking domain and payload host
  web-telegram[.]ug         – Threat Actor A: C2 server for UtilifySetup.exe (beacons every 30s)
  staticcloudflare[.]pro    – Threat Actor B: Malicious CSS loader host
  script-dev[.]digital      – Threat Actor B: Malicious CSS loader host
  script-dev[.]buzz         – Threat Actor B: Associated domain
  updatesecurity[.]pro      – Threat Actor B: Associated domain
  updatefilescf[.]top       – Threat Actor B: Associated domain
  static-file[.]digital     – Threat Actor B: Associated domain
  download-file[.]today     – Threat Actor B: Associated domain
  updatefile-cf[.]digital   – Threat Actor B: Associated domain
  script-dev[.]xyz          – Threat Actor B: Associated domain
  cdnupdatenews[.]top       – Threat Actor B: Final payload download host

URLs
  https://clo4shara[.]xyz/11z77u3.php                          – Threat Actor A: Stage 2 cloaking PHP script
  https://com-apps[.]cc/11z77u3.php                            – Threat Actor A: Updated Stage 2 cloaking PHP script
  https://platecrumbs[.]com/11z77u3.php                        – Threat Actor A: Alternate cloaking PHP script
  https://cloud-verification[.]com/update.zip                  – Threat Actor A: Malicious ZIP payload
  https://com-apps[.]cc/update.zip                             – Threat Actor A: Malicious ZIP payload (updated)
  https://com-apps[.]cc/NotepadPlusPlus.zip                    – Threat Actor A: NotepadPlusPlus lure ZIP payload
  https://jalwat[.]com/static/uploads/campaigns/6/update.zip   – Threat Actor A: Early payload ZIP (May 7)
  https://taketwolabs[.]com/wp-content/NotepadPlusPlus.dll     – Threat Actor A: NotepadPlusPlus DLL download URL
  https://staticcloudflare[.]pro/api/css.js                    – Threat Actor B: Malicious JavaScript loader
  https://script-dev[.]digital/api/css.js                      – Threat Actor B: Malicious JavaScript loader
  https://cdnupdatenews[.]top/dl?fid=38                        – Threat Actor B: Final payload download URL

MD5 Hashes
  5659292833ec421da11ebde005d9c9a8  – installer.dll: Stage 1 Rust DLL loader (May 7-9)
  d30cc10d54ebc967c8538ff74f442eee  – NotepadPlusPlus.dll: Stage 2 Rust DLL loader (May 16+)
  18a7251ddde77ed24bc54700d84d9be1  – UtilifySetup.exe: Inno Setup, Electron-based data-stealing Trojan
  f280e12f51f996dae7fffc64a56ee527  – SuperAppizeSetup.msi: Associated installer
  fceca579efcef09eb507c6ca977ea281  – css.js: Threat Actor B malicious JavaScript loader

File Names
  installer.dll        – Rust-based DLL loader dropped to %TEMP%
  update.bat           – Batch script for payload execution
  NotepadPlusPlus.dll  – Renamed installer DLL (Stage 2)
  UtilifySetup.exe     – Final Electron-based data-stealing Trojan payload
  notepadplusplus.js   – JavaScript variant of loader (May 18 wave)

IP Address
  144[.]31[.]236[.]66  – Threat Actor B: Resolved by staticcloudflare[.]pro and script-dev[.]digital

Injected Code Patterns
  ghost_once_footer_   – Threat Actor A: Fingerprint in poisoned article content
  sj.ssc/ipa/          – Threat Actor B: Fingerprint in poisoned article content (/api/css.js reversed)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
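One way to consume the list above inside a controlled tool, as an added example that is not part of the report: refang the indicators, then match them against resolver logs with subdomain-aware comparison, so that cdn.staticcloudflare.pro is caught but notstaticcloudflare.pro is not, and so that a host not on the list still surfaces when it resolves to the listed IP. The four-field log format (timestamp, client, query name, answer) and the log lines are constructed for the example.

```python
"""Refang defanged indicators and match them against DNS-style log lines.
Added example; indicator subset taken from the list above, logs constructed."""
import re

DEFANGED_DOMAINS = [
    "clo4shara[.]xyz", "cloud-verification[.]com", "com-apps[.]cc",
    "web-telegram[.]ug", "staticcloudflare[.]pro", "script-dev[.]digital",
    "cdnupdatenews[.]top",
]
DEFANGED_IPS = ["144[.]31[.]236[.]66"]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: [.] (.) {.} hxxp(s) and [:]."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s)
    return s.replace("[:]", ":")


def defang(indicator: str) -> str:
    """Re-defang for reporting, so matches can be pasted back into a ticket."""
    return indicator.replace(".", "[.]")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain of it, never for a
    longer label that merely ends with the same characters."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_dns_log(lines, defanged_domains, defanged_ips):
    """Map each queried name that hits an indicator to the (defanged)
    indicators it matched, by query name and by resolved address."""
    domains = [refang(d) for d in defanged_domains]
    ips = {refang(i) for i in defanged_ips}
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4:  # constructed format: ts client qname answer
            continue
        _ts, _client, qname, answer = parts
        matched = [defang(d) for d in domains if host_matches(qname, d)]
        if answer in ips:
            matched.append(defang(answer))
        if matched:
            hits[qname.lower()] = sorted(matched)
    return hits


# Constructed resolver log: one listed host, one look-alike that must not
# match, one unlisted host pointing at the listed IP, one listed host with
# no answer, and ordinary traffic (RFC 5737 addresses throughout).
DNS_LOG = [
    "2026-05-12T10:03:22Z 10.0.0.15 cdn.staticcloudflare.pro 144.31.236.66",
    "2026-05-12T10:03:25Z 10.0.0.15 www.example.com 192.0.2.10",
    "2026-05-12T10:04:01Z 10.0.0.22 notstaticcloudflare.pro 198.51.100.9",
    "2026-05-12T10:05:40Z 10.0.0.31 assets.example.org 144.31.236.66",
    "2026-05-12T10:06:02Z 10.0.0.15 web-telegram.ug -",
]

if __name__ == "__main__":
    for name, iocs in scan_dns_log(DNS_LOG, DEFANGED_DOMAINS, DEFANGED_IPS).items():
        print(name, "->", ", ".join(iocs))
```

The IP match is the one worth keeping after the domains rotate: the report shows the first group swapping cloaking domains twice in ten days, while the second group's hosts shared one address.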

Source: Cyber Security News (cybersecuritynews.com)
