Threat actors are actively leveraging a recently disclosed critical security flaw in the popular Ghost Content Management System (CMS) to inject malicious JavaScript code, fueling a large-scale "ClickFix" attack campaign that has already compromised over 700 websites across diverse sectors. The campaign, first detected on May 7, 2026, exploits CVE-2026-26980, a severe SQL injection vulnerability, to gain unauthorized access to administrative API keys and subsequently poison legitimate web content.
The Vulnerability: CVE-2026-26980 Detailed
At the heart of this extensive compromise lies CVE-2026-26980, an SQL injection vulnerability with a high CVSS score of 9.4, indicating its critical severity. This flaw resides within Ghost’s Content API, the component that serves data to front-end themes and other content consumers. Crucially, the vulnerability allows an unauthenticated attacker, one holding no credentials for the site at all, to read arbitrary data directly from the underlying database.
The vulnerability’s discovery by Anthropic, utilizing its advanced AI model Claude, earlier in 2026, highlighted the increasing role of artificial intelligence in identifying complex security flaws. Ghost developers promptly addressed the issue, releasing a patch in February 2026 with version 6.19.1. However, the window between the patch release and the observed exploitation underscores the persistent challenge of timely updates across the vast landscape of web infrastructure. Security experts consistently warn that even after a patch is available, many organizations lag in deployment, creating an exploitable gap for threat actors.
What elevates CVE-2026-26980 from a mere data leak to a critical attack vector is its specific impact on Ghost’s administrative capabilities. Successful exploitation grants attackers unauthorized access to a site’s Admin API key. This key is a powerful credential, designed to invoke the Ghost Admin API, which possesses the authority to directly modify, publish, or delete articles and other content within the CMS. With this key in hand, an attacker effectively gains control over the public-facing content of a compromised Ghost instance, transforming it into a vehicle for malicious distribution.
Anatomy of the ClickFix Campaign
According to detailed findings published by Chinese cybersecurity firm QiAnXin XLab, the current campaign meticulously leverages this administrative control. Threat actors, upon obtaining the Admin API key, proceed to use the Ghost Admin API to tamper with articles in bulk. Their primary objective is to inject malicious JavaScript loaders at the bottom of web pages. This strategic placement ensures that the malicious code is loaded every time a user accesses an article on the compromised site, preparing the ground for subsequent "fake CAPTCHA attacks" and the ultimate delivery of malware.

The attack architecture is sophisticated, employing a two-stage loader design for enhanced flexibility and resilience. The initial JavaScript injected into the compromised articles functions as a lightweight script whose sole purpose is to retrieve the main malicious payload at runtime. This payload is fetched from an external command-and-control (C2) domain, specifically identified as clo4shara[.]xyz/11z77u3.php. This modular approach allows the threat actors to dynamically swap out different payloads based on various criteria, such as the victim’s geographic location, operating system, or browser, without needing to modify the initial loader script on each compromised site. This flexibility makes the campaign highly adaptable and difficult to fully neutralize by simply blocking a single payload.
Cloaking and Evasion Techniques
A critical component of this campaign’s stealth and effectiveness is the use of advanced cloaking techniques. XLab researchers discovered that directly accessing clo4shara[.]xyz/11z77u3.php reveals a "typical traffic distribution script." This script’s core function is to meticulously collect various fingerprinting information from the user’s browser, including details about their IP address, user agent, browser plugins, and potentially even system fonts or timezone settings. This gathered data is then uploaded to the attacker’s server.
The server, in turn, utilizes this fingerprint information to make a crucial determination: Is the visitor a legitimate target, or a security researcher, a web crawler, or an automated scanner? This sophisticated filtering mechanism, powered by a commercial cloaking service known as Adspect, ensures that only real victims are served the actual malicious payload. Security scanners, on the other hand, are presented with benign content, effectively hiding the malicious activity and prolonging the campaign’s lifespan. Adspect, as highlighted in previous security reports, is a notorious service frequently employed by cybercriminals to bypass ad fraud detection and deliver malware, illustrating the commercialization of tools that facilitate cyberattacks.
Beyond simple redirection, the cloaking script embedded within the C2 infrastructure supports a robust set of 19 different commands. These commands enable the threat actor to execute arbitrary JavaScript code remotely, granting them a significant degree of control over the victim’s browser. This capability allows for highly dynamic and targeted attacks, ranging from displaying deceptive content to initiating downloads or further data exfiltration, all managed from a centralized attacker interface.
Victim Engagement and Payload Delivery
For site visitors identified as legitimate targets by the cloaking script, the attack proceeds to its next stage. Users are presented with a deceptive fake CAPTCHA verification page, typically rendered within an iframe HTML element on the compromised website. This fake CAPTCHA serves as a social engineering lure, designed to trick users into believing they must prove they are human to proceed.
The "ClickFix" attack mechanism then fully unfolds. Instead of a typical CAPTCHA challenge, victims are instructed to copy and paste a Base64-encoded command into the Windows Run dialog box. This instruction is a critical and highly dangerous step. When executed, this command acts as an initial dropper. It retrieves a ZIP archive from a remote location, extracts its contents, and then runs a Windows batch script.

The batch script, in turn, executes a PowerShell command. This PowerShell command is engineered to download a Dynamic Link Library (DLL) file from another remote domain. Once downloaded, the DLL is launched using rundll32.exe, a legitimate Windows utility often abused by malware to execute malicious code. To distract the user and conceal the underlying malicious activity, the attack concurrently opens a bogus web page in the user’s browser.
Subsequent iterations of the malware observed by XLab indicate an evolving attack methodology, with threat actors replacing the DLL payload with a JavaScript payload in some instances. Regardless of the initial payload type (DLL or JavaScript), the ultimate objective remains consistent: to drop a persistent Windows executable onto the victim’s system. In cases involving the DLL, the final executable was identified as a modified PuTTY client, notably carrying a valid code-signing certificate, a tactic used to lend legitimacy and evade security software. When the JavaScript payload was employed, the delivered executable was found to be an Inno Setup installer for an Electron application.
This Electron application is a modified version of the open-source Grape desktop client. Once installed, it is designed to achieve persistence on the victim’s machine, ensuring it survives system reboots. The malicious Grape client then establishes a persistent communication channel with a remote server, web-telegram[.]ug, polling it every 30 seconds. This continuous polling allows the attackers to issue various instructions to the compromised client, including running arbitrary JavaScript code or executing other files, effectively granting them remote control over the victim’s system.
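The endpoint side of the chain described above (a Base64 command launched from the Run dialog, a batch file run out of a temporary folder, then rundll32.exe loading a DLL from a user-writable path) can be spotted from ordinary process-creation telemetry. The following detection logic is an added example, not code from the report or from XLab; the event shape, the host names and the command lines in the sample are constructed and contain no indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# User-writable locations a dropped ZIP, batch file or DLL would land in.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads)\\", re.I)
# PowerShell -EncodedCommand (and its short forms) followed by a Base64 blob.
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

def stage(ev):
    """Classify one process-creation event; returns a stage label or None."""
    img, parent, cmd = ev["image"].lower(), ev["parent_image"].lower(), ev["cmdline"]
    if parent == "explorer.exe" and img in SHELLS and ENCODED.search(cmd):
        return "run-dialog-encoded"   # Run box spawns children of explorer.exe
    if img == "cmd.exe" and parent in SHELLS and re.search(r"\.bat\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd):
        return "batch-from-temp"
    if img == "rundll32.exe" and parent in SHELLS and USER_WRITABLE.search(cmd):
        return "rundll32-user-dll"   # legitimate rundll32 loads system DLLs, not Temp ones
    return None

def detect_clickfix(events, window=timedelta(minutes=10)):
    """Alert per host when two or more distinct stages occur within `window`."""
    by_host = {}
    for ev in events:
        s = stage(ev)
        if s:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), s))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        stages = {s for t, s in hits if t - hits[0][0] <= window}
        if len(stages) >= 2:
            alerts[host] = sorted(stages)
    return alerts

SAMPLE_EVENTS = [  # constructed; paths and the encoded blob are placeholders
    {"host": "ws-17", "ts": "2026-05-08T10:01:05", "image": "powershell.exe",
     "parent_image": "explorer.exe", "cmdline": "powershell.exe -w hidden -enc " + "A" * 40},
    {"host": "ws-17", "ts": "2026-05-08T10:01:09", "image": "cmd.exe",
     "parent_image": "powershell.exe", "cmdline": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\run.bat"},
    {"host": "ws-17", "ts": "2026-05-08T10:01:14", "image": "rundll32.exe",
     "parent_image": "powershell.exe", "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\pkg\\lib.dll,Start"},
    {"host": "ws-02", "ts": "2026-05-08T11:00:00", "image": "rundll32.exe",
     "parent_image": "svchost.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print(detect_clickfix(SAMPLE_EVENTS))
```

A single stage on its own is noisy (administrators do run encoded PowerShell); the correlation of stages within a short window is what makes the alert worth paging on.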
Broad Reach and Impact
QiAnXin XLab has characterized this operation as a "large-scale poisoning" campaign, emphasizing the significant breadth of its impact. The analysis suggests that at least two distinct threat clusters are operating concurrently, indicating a well-organized and coordinated effort. In some observed cases, the speed of compromise was alarming, with certain sites being implanted with malicious code within a single day of initial compromise.
The campaign’s scale is substantial, with more than 700 websites confirmed to have been compromised since its detection on May 7, 2026. The diversity of affected sectors highlights the indiscriminate nature of the attack and the broad adoption of Ghost CMS across industries. Compromised entities span prestigious universities (the report names Harvard.edu, which could refer to a subdomain or an affiliated entity within the university rather than its main site), blockchain technology firms, artificial intelligence research platforms, Software-as-a-Service (SaaS) providers, security research organizations, media outlets, and financial technology companies.
The compromise of such a wide array of legitimate and often reputable websites carries significant implications. As XLab notes, the fact that these legitimate sites have been breached and are now serving malware is likely to "further increase the success rate of the ClickFix attacks." Users are generally more trusting of content from established institutions and familiar news sources. This inherent trust can lead them to overlook warning signs or comply with seemingly innocuous requests, such as copying and pasting a command, making them highly susceptible to the sophisticated social engineering tactics employed in this campaign. The damage extends beyond direct malware infection to a broader erosion of trust in the digital content ecosystem.
Industry Response and Mitigation

In light of these active exploits, the cybersecurity community and Ghost CMS developers are urging immediate action. Ghost CMS users are strongly advised to upgrade their instances to the latest available version, specifically 6.19.1 or newer, if they have not already done so. This patch is critical for remediating CVE-2026-26980 and preventing initial compromise.
Beyond patching, a comprehensive security response is paramount for any potentially affected organization. This includes:
- Rotating all credentials: Admin API keys, database credentials, and any other sensitive access tokens should be immediately changed, as they may have been exfiltrated.
- Cleaning up compromised sites: A thorough audit and removal of all injected malicious JavaScript code are necessary. This may involve restoring from clean backups if the extent of compromise is unclear.
- Auditing access logs: Scrutinizing server and CMS access logs for signs of suspicious activity, especially around the period of May 7, 2026, and onwards, can help identify the initial compromise vector and any further unauthorized actions.
- Notifying users: Organizations whose websites were compromised during the contamination period should consider notifying their users about potential exposure and advising them to scan their systems for malware, particularly if they engaged with any unusual prompts or commands while visiting the affected sites.
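The attackers tampered with articles through the Admin API, so the clean-up audit above comes down to checking every post’s stored HTML and its per-post code-injection fields for script loaders the site never added. The scanner below is an added example, not code from Ghost, the report or XLab; it assumes post objects in the field shape the Ghost Admin API returns (id, html, codeinjection_head, codeinjection_foot), that the site maintains an allowlist of hosts it legitimately loads scripts from, and the sample posts and loader domain are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site knowingly loads scripts from (assumption; set per site).
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}

class _ScriptFinder(HTMLParser):
    """Collects every <script> tag in a fragment with its src attribute, if any."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))

def suspicious_scripts(fragment):
    """Findings for one HTML fragment: inline scripts and scripts from non-allowlisted hosts."""
    if not fragment:
        return []
    finder = _ScriptFinder()
    finder.feed(fragment)
    hits = []
    for src in finder.scripts:
        if src is None:
            hits.append("inline script")          # Ghost's own post HTML never needs one
            continue
        host = urlparse(src).hostname or ""
        if host not in ALLOWED_SCRIPT_HOSTS:
            hits.append(f"external script from {host or src}")
    return hits

def audit_posts(posts):
    """Map post id -> findings across the body HTML and per-post code injection fields."""
    findings = {}
    for post in posts:
        hits = []
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            hits += [f"{field}: {h}" for h in suspicious_scripts(post.get(field))]
        if hits:
            findings[post["id"]] = hits
    return findings

SAMPLE_POSTS = [  # constructed; the loader domain is a placeholder, not an indicator
    {"id": "clean", "html": "<p>Release notes</p>", "codeinjection_foot": None},
    {"id": "tampered",
     "html": "<p>Body</p><script src=\"https://loader.example-c2.invalid/x.php\"></script>",
     "codeinjection_foot": "<script>(function(){/* stage-one loader */})()</script>"},
]

if __name__ == "__main__":
    print(audit_posts(SAMPLE_POSTS))
```

Run it against a full export (the Admin API `posts` endpoint with `formats=html`, or the JSON produced by Ghost’s export) before and after restoring content, and treat any hit on a site that never used per-post code injection as confirmation of tampering.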
The incident serves as a stark reminder of the critical importance of a proactive security posture. Regular patching, robust credential management, continuous security monitoring, and user education are foundational elements in defending against sophisticated, multi-stage attacks that combine technical exploitation with social engineering.
The Evolving Threat Landscape
This widespread ClickFix campaign underscores several critical trends in the evolving cybersecurity threat landscape. Firstly, the rapid weaponization of newly disclosed vulnerabilities, even after patches are released, highlights the "patch gap" challenge. Organizations must not only be aware of vulnerabilities but also implement rapid deployment mechanisms for security updates. Secondly, the increasing sophistication of attack chains, involving multi-stage loaders, commercial cloaking services like Adspect, and diverse payload delivery mechanisms, demonstrates attackers’ commitment to evasion and persistence.
The use of AI, like Anthropic’s Claude, in vulnerability discovery is a double-edged sword; while it aids in finding and fixing flaws, it also points to a future where AI might be increasingly leveraged by attackers themselves. Lastly, the targeting of legitimate, high-trust websites for malware distribution represents a significant threat to user confidence and the integrity of online information. As more of our lives move online, the security of content management systems and the vigilance of both administrators and users become paramount in the ongoing battle against cybercrime.
