Cyber-security researchers at Israel’s National Digital Agency have uncovered a large-scale operation dubbed “ShadowCaptcha” that has hijacked more than 100 WordPress sites since August 2025. Injected JavaScript on the compromised sites silently diverts visitors to spoofed Cloudflare or Google CAPTCHA pages, a social-engineering ploy known as the ClickFix tactic.

Once on the fake verification page, victims are prompted to paste or run commands that trigger multi-stage payloads. One branch downloads MSI installers that drop the Lumma and Rhadamanthys information-stealing trojans; another saves an HTML Application that installs the Epsilon Red ransomware. Select variants also load an XMRig crypto-miner and the vulnerable WinRing0x64.sys driver to obtain kernel-level privileges and boost mining efficiency.

The campaign has struck technology, hospitality, legal, finance, healthcare and real-estate sites, with most infected servers located in Australia, Brazil, Italy, Canada, Colombia and Israel. Investigators believe the attackers gained access through known plugin vulnerabilities and, in some cases, stolen administrator credentials.

Security teams are urged to patch WordPress cores and plugins promptly, enforce multi-factor authentication on administrative accounts, segment internal networks and educate users on detecting fake CAPTCHA prompts. Analysts warn that ShadowCaptcha exemplifies how social-engineering lures are evolving into full-spectrum attacks combining credential theft, ransomware and illicit crypto-mining.
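One way to hunt on endpoints for the payload stages described above, as an added example that is not taken from the researchers' report. It assumes process-creation and driver-load telemetry (for instance Sysmon) normalised into dicts; the field names, the parent-process heuristic and the sample events are this example's own constructions.

```python
import re

# Assumption: events are dicts shaped like process-create and driver-load
# records; the field names used here are this example's own.
URL = re.compile(r"https?://", re.I)

def classify(event):
    """Return the ShadowCaptcha stage an event resembles, or None."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("cmdline", "")
    if event.get("type") == "driver_load":
        # Vulnerable driver the article names for the miner branch.
        return "vulnerable-driver" if image == "winring0x64.sys" else None
    # Assumption: a pasted command runs as a child of explorer.exe or a shell.
    user_launched = parent in {"explorer.exe", "powershell.exe", "cmd.exe"}
    if image == "msiexec.exe" and user_launched and URL.search(cmd):
        return "remote-msi"      # MSI installer fetched from a URL
    if image == "mshta.exe" and user_launched and (
            URL.search(cmd) or ".hta" in cmd.lower()):
        return "hta-launch"      # HTML Application executed by the user
    return None

def triage(events):
    """Group flagged stages per host so chained stages stand out."""
    hits = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.setdefault(ev["host"], []).append(stage)
    return hits

# Constructed sample events (not campaign data); .example is a placeholder host.
SAMPLE = [
    {"host": "ws-01", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec /i https://cdn.example/setup.msi"},
    {"host": "ws-01", "type": "driver_load",
     "image": r"C:\Users\a\AppData\Local\Temp\WinRing0x64.sys"},
    {"host": "ws-02", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta C:\Users\b\AppData\Local\Temp\verify.hta"},
    {"host": "ws-03", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"msiexec /i C:\sw\app.msi"},  # routine local install
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE).items():
        print(host, stages)
```

A host that shows more than one stage, such as a remote MSI install followed by the WinRing0x64.sys load, deserves priority over a single isolated hit.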
ALERT: New Shamos malware targeting Macs via deceptive "ClickFix" attacks. It steals sensitive data. Stay safe: don't run unknown commands! 👉 https://t.co/xhDc11yEZT #ShamosMalware, #macOSsecurity, #Cybercrime, #Infostealer