By Derek Johnston, LTH Cybersecurity

An Active Campaign Hiding in Plain Sight

During a recent incident response engagement, LTH Cybersecurity uncovered an active WordPress malware campaign affecting more than 53 websites across multiple industries and countries.

What makes this campaign particularly interesting is that it monetizes victims in two different ways simultaneously:

The result is a highly profitable operation that remains largely invisible to many automated scanners and website owners.

At the time of writing, much of the infrastructure remains undetected by common threat intelligence platforms.

How the Campaign Works

The compromise begins with malicious code injected into WordPress sites.

For normal visitors, every page loads an obfuscated JavaScript loader embedded directly within the site’s HTML. The loader:

  1. Decodes a WebAssembly (WASM) module.
  2. Retrieves an SVG file from attacker-controlled infrastructure.
  3. Extracts a hidden URL using zero-width Unicode steganography.
  4. Dynamically loads a final-stage JavaScript payload disguised as a legitimate Bootstrap library.

The attackers use multiple layers of indirection to conceal the true payload location and evade static analysis.

Meanwhile, search engine crawlers receive something entirely different.

A malicious PHP gate embedded in WordPress configuration files detects crawler user agents and fetches a remote gambling landing page from attacker-controlled infrastructure. Instead of seeing the legitimate website, search engines index a fully functional Indonesian gambling portal branded as:

KEMBANGTOTO : Salinan Terbaru Situs Toto 4D Sector Bandar Slot Toto Macau Pasaran Baru

This creates thousands of search-engine spam pages while remaining invisible to normal users.

Understanding ClickFix

ClickFix has rapidly emerged as one of the most successful social-engineering techniques used by threat actors since 2024.

Rather than exploiting software vulnerabilities directly, ClickFix relies on convincing users to execute malicious commands themselves.

Victims are shown fake browser errors, CAPTCHA pages, update prompts, or security warnings that instruct them to copy and paste commands into PowerShell, Terminal, or Run dialogs.

Recent ClickFix campaigns have been linked to malware families including:

In this campaign, the ClickFix infrastructure is heavily obfuscated and selectively delivers payloads based on environmental conditions.

A related sample has already been identified by malware analysis platforms as belonging to the ClickFix ecosystem.

Why Detection Is So Difficult

Several characteristics help this campaign evade detection:

Selective Delivery

The final payload often returns benign content when accessed by scanners or researchers.

WebAssembly Abuse

Traditional security products frequently focus on JavaScript signatures. By moving key logic into WebAssembly, attackers significantly reduce visibility.

Unicode Steganography

Critical URLs are hidden inside SVG files using invisible Unicode characters, making them difficult to detect through conventional inspection.
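The loader steps in "How the Campaign Works" and the paragraph above both describe URLs carried by invisible Unicode characters inside an SVG file. The scanner below is an added example written for this article (not code from LTH Cybersecurity or from the campaign); it reports runs of zero-width code points in any text file, which is the check a defender wants before the hidden content is ever decoded. The list of code points, the minimum run length of 8 and the sample SVG are my own assumptions and constructions.

```python
import re
import sys

# Code points that render no glyph. Long runs of them inside an SVG, HTML or JS
# file are a steganography indicator; nothing in a normal markup file needs them.
# U+FEFF is only legitimate as a byte-order mark at offset 0. (Set chosen for
# this example; extend it if you see other invisible characters.)
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\u2061": "FUNCTION APPLICATION",
    "\u2062": "INVISIBLE TIMES",
    "\u2063": "INVISIBLE SEPARATOR",
    "\u2064": "INVISIBLE PLUS",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
ZW_RUN = re.compile("[" + "".join(ZERO_WIDTH) + "]+")


def find_zero_width_runs(text, min_run=8):
    """Return (offset, length, code points used) for every run of invisible
    characters at least min_run long. Short runs are ignored because single
    ZWJ/ZWNJ characters occur legitimately in emoji sequences and some scripts."""
    runs = []
    for m in ZW_RUN.finditer(text):
        run = m.group()
        if m.start() == 0 and run == "\ufeff":
            continue  # a lone BOM at the start of the file is normal
        if len(run) >= min_run:
            code_points = [f"U+{cp:04X}" for cp in sorted({ord(c) for c in run})]
            runs.append((m.start(), len(run), code_points))
    return runs


def strip_zero_width(text):
    """What a human (or a naive signature scanner) actually sees once the carrier is removed."""
    return ZW_RUN.sub("", text)


def scan_text(text, min_run=8):
    runs = find_zero_width_runs(text, min_run)
    return {
        "suspicious": bool(runs),
        "runs": runs,
        "hidden_chars": sum(length for _, length, _ in runs),
        "visible_length": len(strip_zero_width(text)),
        "raw_length": len(text),
    }


# Constructed sample: a 1x1 SVG that renders as nothing but carries a
# 48-character run of zero-width characters inside its <title>.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    "<title>icon" + "\u200b\u200c\u200d\u2060" * 12 + "</title>"
    '<rect width="1" height="1" fill="none"/></svg>'
)
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><title>icon</title></svg>'


if __name__ == "__main__":
    # Usage: python zw_scan.py file.svg [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = scan_text(fh.read())
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{path}: {flag}, {result['hidden_chars']} hidden chars in {len(result['runs'])} run(s)")
        for offset, length, cps in result["runs"]:
            print(f"  offset {offset}: {length} chars using {', '.join(cps)}")
```

Run it over the theme and upload directories of a site as well as over any SVG the page fetches from a third-party host; a file whose visible length is far smaller than its raw length is the tell. The scanner deliberately stops at reporting the carrier rather than decoding it, since the encoding varies per campaign and the report alone is enough to quarantine the file.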

Search Engine Cloaking

The gambling pages are only delivered to crawler user agents. Security scans performed from standard browsers may never see the malicious content.

Distributed Infrastructure

The operation uses multiple domains, cloud providers, and legitimate third-party services, complicating infrastructure-based blocking.

Affected Sites and Common Themes

The campaign has impacted:

Although victim organizations vary widely, a common pattern emerged during investigation:

Outdated WordPress themes and plugins.

One of the initial compromised sites was running an outdated version of the Motors theme while also exposing plugins frequently associated with historical exploitation activity.

While attribution remains unclear, vulnerable WordPress components remain the most likely initial access vector.

Infrastructure Observed

SEO Spam Infrastructure

ClickFix Infrastructure

Many of the domains were registered through Dynadot and protected behind Cloudflare.

What Defenders Should Check Immediately

If you manage a WordPress website, consider the following steps:

1. Inspect wp-config.php

Review the file carefully for unauthorized PHP code, particularly anything placed after the marker line:

/* That's all, stop editing! Happy publishing. */
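A way to make this check repeatable, added here as an example and not code from LTH Cybersecurity: in a stock wp-config.php the only lines after the marker are the ABSPATH guard, its doc comments and the wp-settings.php include, so anything else below the marker is foreign. The script also flags tokens that have no place in a configuration file at all, including the HTTP_USER_AGENT lookup the crawler gate described above depends on. The token list, the regular expressions and both sample files are my own constructions; the include path in the infected sample is a placeholder, not an observed indicator.

```python
import re
import sys

MARKER = "/* That's all, stop editing! Happy publishing. */"

# The only lines stock WordPress places after the marker: an ABSPATH guard
# (either the __DIR__ or the older dirname(__FILE__) form), its doc comments,
# and the wp-settings.php include. Anything else below the marker is foreign.
STOCK_AFTER_MARKER = [
    re.compile(r"^\s*if\s*\(\s*!\s*defined\s*\(\s*'ABSPATH'\s*\)\s*\)\s*\{?\s*$"),
    re.compile(r"^\s*define\s*\(\s*'ABSPATH',\s*(__DIR__|dirname\s*\(\s*__FILE__\s*\))\s*\.\s*'/'\s*\)\s*;\s*$"),
    re.compile(r"^\s*\}\s*$"),
    re.compile(r"^\s*(/\*\*|\*|/\*).*$"),  # doc/block comment lines
    re.compile(r"^\s*require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'\s*\)?\s*;\s*$"),
]

# Constructs with no business in a configuration file. HTTP_USER_AGENT is listed
# because the gate in this campaign branches on the crawler's user agent.
# (List assembled for this example.)
SUSPICIOUS_TOKENS = [
    "HTTP_USER_AGENT", "eval(", "base64_decode(", "gzinflate(", "gzuncompress(",
    "str_rot13(", "assert(", "create_function(", "file_get_contents('http", "curl_init(",
]


def audit_wp_config(text):
    lines = text.splitlines()
    marker_at = next((i for i, line in enumerate(lines) if MARKER in line), None)
    unexpected = []
    if marker_at is not None:
        for lineno, line in enumerate(lines[marker_at + 1:], start=marker_at + 2):
            if line.strip() and not any(p.match(line) for p in STOCK_AFTER_MARKER):
                unexpected.append((lineno, line.rstrip()))
    tokens = [(lineno, tok) for lineno, line in enumerate(lines, start=1)
              for tok in SUSPICIOUS_TOKENS if tok in line]
    return {
        "marker_found": marker_at is not None,
        "unexpected_after_marker": unexpected,
        "suspicious_tokens": tokens,
        "clean": marker_at is not None and not unexpected and not tokens,
    }


# Constructed samples. STOCK_TAIL mirrors what WordPress ships after the marker.
STOCK_TAIL = """/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
"""
CLEAN_SAMPLE = "<?php\ndefine( 'DB_NAME', 'wp' );\n" + STOCK_TAIL

# A stand-in for the crawler gate, dropped in right after the marker. The
# include path is a placeholder made up for this example.
GATE_LINES = (
    "if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && stripos( $_SERVER['HTTP_USER_AGENT'], 'bot' ) !== false ) {\n"
    "\t@include __DIR__ . '/wp-content/uploads/.cache/PLACEHOLDER.php';\n"
    "}\n"
)
INFECTED_SAMPLE = CLEAN_SAMPLE.replace(MARKER + "\n", MARKER + "\n" + GATE_LINES, 1)


if __name__ == "__main__":
    # Usage: python wpconfig_audit.py /var/www/html/wp-config.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        report = audit_wp_config(fh.read())
    print("marker found:", report["marker_found"], "| clean:", report["clean"])
    for lineno, line in report["unexpected_after_marker"]:
        print(f"  line {lineno} after marker: {line}")
    for lineno, tok in report["suspicious_tokens"]:
        print(f"  line {lineno} contains {tok}")
```

A missing marker is itself worth a look: some injected files are rewritten wholesale and the original comment disappears with them. Extend the same check to wp-settings.php and the theme's functions.php, which are the other common homes for a gate.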

2. Audit Administrative Accounts

Review all WordPress administrators and investigate accounts created outside normal onboarding periods.

3. Update Themes and Plugins

Prioritize updates for:

4. Rotate Credentials

5. Check Google Search Console

Look for:

6. Test with Search Engine User Agents

Many infections only reveal themselves when accessed as a crawler.
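The crawler-versus-browser comparison described above, written out as an added example that is not part of the original article: it fetches the same URL with a browser user agent and with the published Googlebot and Bingbot strings, then diffs the page titles, the outbound link hosts and any gambling terms taken from the brand string this campaign injects. The keyword set and the two sample HTML views are constructed for this example; check_site() needs network access, while compare_views() runs offline.

```python
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Crawler strings as published by Google and Bing, plus a generic browser string.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}

# Terms lifted from the gambling brand string pushed to crawlers in this campaign.
SPAM_KEYWORDS = {"kembangtoto", "toto", "slot", "bandar", "macau", "4d"}


class _Fingerprinter(HTMLParser):
    """Collect the title, the word set and every host referenced by href/src."""

    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.words, self.hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).netloc.lower()
                if host:
                    self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.words.update(re.findall(r"[a-z0-9]+", data.lower()))


def fingerprint(html):
    p = _Fingerprinter()
    p.feed(html)
    return {"title": p.title.strip(), "words": p.words, "hosts": p.hosts}


def compare_views(browser_html, crawler_html, keywords=SPAM_KEYWORDS):
    """Diff what a browser received against what a crawler received for one URL."""
    b, c = fingerprint(browser_html), fingerprint(crawler_html)
    crawler_only_kw = sorted(k for k in keywords if k in c["words"] and k not in b["words"])
    return {
        "cloaked": b["title"] != c["title"] or bool(crawler_only_kw),
        "browser_title": b["title"],
        "crawler_title": c["title"],
        "crawler_only_keywords": crawler_only_kw,
        "crawler_only_hosts": sorted(c["hosts"] - b["hosts"]),
        "size_ratio": round(len(crawler_html) / max(len(browser_html), 1), 2),
    }


def fetch(url, user_agent, timeout=15):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


def check_site(url):
    browser = fetch(url, USER_AGENTS["browser"])
    return {bot: compare_views(browser, fetch(url, ua))
            for bot, ua in USER_AGENTS.items() if bot != "browser"}


# Constructed samples standing in for the two views of one infected page.
BROWSER_VIEW = """<html><head><title>Acme Plumbing - Edmonton</title></head>
<body><h1>Acme Plumbing</h1><p>Licensed plumbers serving Edmonton since 1998.</p>
<a href="https://acme-plumbing.example/contact">Contact</a></body></html>"""
CRAWLER_VIEW = """<html><head><title>KEMBANGTOTO : Salinan Terbaru Situs Toto 4D Sector Bandar Slot Toto Macau Pasaran Baru</title></head>
<body><h1>KEMBANGTOTO</h1><p>Bandar slot toto macau 4d pasaran baru.</p>
<a href="https://PLACEHOLDER-SPAM-HOST.invalid/daftar">Daftar</a></body></html>"""

if __name__ == "__main__":
    # Usage: python cloak_check.py https://your-site.example/
    for bot, result in check_site(sys.argv[1]).items():
        print(bot, "CLOAKED" if result["cloaked"] else "same content", result)
```

Test the home page and a handful of deep URLs rather than one page, and repeat from a network the site has not seen before: a gate that also keys on source IP will happily show a researcher's workstation the clean view on the second try.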

7. Review Server Logs

Look for unusual outbound requests to unfamiliar domains and suspicious modifications to WordPress core files.
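The access-log side of this review, as an added example not taken from the article: because the gate serves crawlers a different page, the same path shows up in the web server's access log with very different response sizes depending on the user agent, and the spam landing pages are often requested by crawlers only. The script groups combined-format log lines by path and flags both patterns. The log format regex, the crawler name list and the sample lines (TEST-NET addresses) are my own constructions; it does not cover outbound requests or core-file changes, which need egress logs and a file-integrity comparison respectively.

```python
import re
import sys
from collections import defaultdict
from statistics import median

# Apache/nginx "combined" log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot|baiduspider|slurp", re.I)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    rec["crawler"] = bool(CRAWLER_UA.search(rec["ua"]))
    return rec


def find_cloaking_candidates(lines, min_ratio=3.0, min_samples=2):
    """Group 200-OK GET hits by path and compare the median response size crawlers
    got against what browsers got. A path whose crawler view is several times larger,
    or that only crawlers ever request, is a cloaking / SEO-spam indicator."""
    sizes = defaultdict(lambda: {"crawler": [], "browser": []})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == 200:
            sizes[rec["path"]]["crawler" if rec["crawler"] else "browser"].append(rec["bytes"])
    flagged, crawler_only = [], []
    for path, views in sizes.items():
        if views["crawler"] and not views["browser"]:
            crawler_only.append(path)
            continue
        if len(views["crawler"]) < min_samples or len(views["browser"]) < min_samples:
            continue
        browser_med, crawler_med = median(views["browser"]), median(views["crawler"])
        ratio = crawler_med / max(browser_med, 1)
        if ratio >= min_ratio:
            flagged.append((path, round(ratio, 1), int(browser_med), int(crawler_med)))
    return {"size_mismatch": sorted(flagged), "crawler_only_paths": sorted(crawler_only)}


# Constructed sample log: the home page is ~2 KB for browsers and ~48 KB for
# Googlebot, /about/ is the same for everyone, and one spam path is only crawled.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 2143 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
203.0.113.11 - - [10/Mar/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 2143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15"
198.51.100.1 - - [10/Mar/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.2 - - [10/Mar/2025:10:01:30 +0000] "GET / HTTP/1.1" 200 48190 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.12 - - [10/Mar/2025:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.13 - - [10/Mar/2025:10:02:10 +0000] "GET /about/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
198.51.100.3 - - [10/Mar/2025:10:02:20 +0000] "GET /about/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [10/Mar/2025:10:02:40 +0000] "GET /about/ HTTP/1.1" 200 3302 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.5 - - [10/Mar/2025:10:03:00 +0000] "GET /slot-toto-macau-4d/ HTTP/1.1" 200 47902 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

if __name__ == "__main__":
    # Usage: python log_cloaking.py /var/log/apache2/access.log
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        report = find_cloaking_candidates(fh)
    for path, ratio, b, c in report["size_mismatch"]:
        print(f"{path}: crawlers get {c} bytes, browsers {b} bytes (x{ratio})")
    for path in report["crawler_only_paths"]:
        print(f"{path}: requested by crawlers only")
```

Pages with large, legitimately personalised content (carts, dashboards) will differ by user agent too, so treat the output as a worklist for the crawler-UA test above rather than a verdict. A long tail of crawler-only paths that do not exist in the CMS is the stronger signal, since it is exactly how the injected gambling pages reach the index.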

The Bigger Picture

This campaign highlights how modern WordPress compromises have evolved beyond simple website defacement.

Threat actors increasingly combine multiple monetization strategies within a single infection:

The KEMBANGTOTO and ClickFix operation demonstrates how attackers can generate revenue from both human visitors and search engine crawlers while remaining largely hidden from traditional detection methods.

As of this writing, the campaign remains active and continues to affect websites worldwide.

Organizations relying solely on automated scanning tools may never realize they have been compromised.

Need Help Investigating?

LTH Cybersecurity provides:

If you suspect your website may be affected by this campaign, visit lthcybersecurity.com for assistance.

About the Author

Derek Johnston is the founder of LTH Cybersecurity, a Canadian cybersecurity consultancy specializing in penetration testing, incident response, and security hardening for organizations across North America.


Active WordPress Campaign Hits 53+ Sites with ClickFix Malware and Gambling SEO Spam was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.