Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks

· Published 21/05/2026 15:19 · Modified 21/05/2026 16:50

Essential information

Published: 21/05/2026 15:19
Modified: 21/05/2026 16:50
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: clickfix cloaking cve-2026-26980 fakecaptcha ghost cms information stealer installer.dll mass compromise notepadplusplus.dll sql injection utilifysetup.exe
Tags: 2026-05-21 CVE-2026-26980 clickfix cloaking fakecaptcha ghost cms information stealer installer.dll mass compromise notepadplusplus.dll sql injection utilifysetup.exe
Related entities: 1 vulnerabilities (cve), 28 indicators, 28 observables, 19 techniques (mitre), 3 malware, 23 others

Description

Attackers exploited CVE-2026-26980, a critical vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries, including universities, blockchain, AI, security research, and media, were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage scripts, and social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase the success rate of ClickFix-type attacks, with payloads dynamically distributed through Cloudflare-proxied domains.

External references