
Ghost CMS Flaw Exploited in Massive ClickFix Campaign Targeting 700+ Websites

Hackers abused a critical Ghost CMS vulnerability to inject malicious code into trusted websites and launch stealthy ClickFix malware attacks.

Attackers Exploit Critical Ghost CMS Vulnerability

Cybercriminals are actively exploiting a critical flaw in Ghost CMS to compromise legitimate websites and spread malware through ClickFix attacks.

The vulnerability, tracked as CVE-2026-26980, has a CVSS score of 9.4. Attackers can exploit the flaw without authentication. They can then access sensitive database information, including the Admin API Key.

Once attackers obtain the key, they can directly modify website content and inject malicious JavaScript into published articles and web pages.

More Than 700 Websites Compromised

Researchers discovered that attackers compromised more than 700 websites during the campaign. The victims included universities, AI companies, blockchain firms, SaaS providers, media platforms, fintech organizations, and cybersecurity websites.

The attackers inserted malicious JavaScript loaders at the bottom of website pages. These loaders silently fetched additional payloads from attacker-controlled servers during runtime.

This method gave threat actors more flexibility. They could change payloads quickly without modifying the original injected code again.

Cloaking Helps Attackers Avoid Detection

The attackers also used cloaking technology powered by Adspect. This technique allowed them to hide malicious activity from automated scanners and security crawlers.

Meanwhile, real visitors received harmful content and fake verification prompts. As a result, the campaign stayed active longer and avoided early detection.

Researchers said the malicious infrastructure supported multiple commands. It could run JavaScript, redirect users, open fake pages, and deliver malware dynamically.

Fake CAPTCHA Pages Deliver Malware

Victims eventually encountered fake CAPTCHA verification pages. These pages instructed users to copy and execute commands through the Windows Run dialog.

This attack method is known as ClickFix. Instead of exploiting software directly, attackers trick users into infecting their own systems.

Once executed, the malicious command downloaded ZIP archives, PowerShell scripts, DLL payloads, and JavaScript loaders. Some variants also used signed binaries and Electron-based applications to evade security tools.

Malware Establishes Persistence on Devices

Researchers observed one payload using a modified version of the open-source Grape desktop client. The malware contacted attacker-controlled servers every 30 seconds and waited for commands.

The attackers could then execute files, run scripts, and deploy additional malware on infected devices.

This behavior allowed long-term access and remote control over compromised systems.

Organizations Must Patch Immediately

The campaign highlights the growing danger of unpatched CMS platforms and exposed API credentials. Attackers increasingly target trusted websites because a familiar, reputable domain raises the success rate of their social engineering.

Organizations using Ghost CMS should immediately upgrade to the latest patched version. Security teams should also rotate credentials, inspect websites for malicious scripts, and review logs for suspicious API activity.

Additionally, businesses should notify users who may have visited compromised pages during the attack period.

The incident also shows how modern cybercriminals combine web exploitation, cloaking, social engineering, and malware delivery into a single attack chain. Therefore, organizations must strengthen both technical defenses and cybersecurity awareness programs to reduce risk.