Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
Essential information
- Published: 21/05/2026 15:19
- Modified: 21/05/2026 16:50
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: 2026-05-21, clickfix, cloaking, cve-2026-26980, fakecaptcha, ghost cms, information stealer, installer.dll, mass compromise, notepadplusplus.dll, sql injection, utilifysetup.exe
- Related entities: 1 vulnerability (CVE), 28 indicators, 28 observables, 19 techniques (MITRE), 3 malware, 23 others
Description
Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries, including universities, blockchain, AI, security research, and media, were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering that tricks users into executing malicious commands themselves. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase the success rate of ClickFix-type attacks, with payloads distributed dynamically through Cloudflare-proxied domains.