{
  "name": "Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks",
  "slug": "ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks",
  "description": "Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.",
  "published": "2026-05-21T13:19:35.593000+00:00",
  "created_at": "2026-05-21T16:50:42.061000+00:00",
  "modified_at": "2026-05-21T14:50:42+00:00",
  "created_at_opencti": "2026-05-21T16:50:42.061000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "clickfix",
    "cloaking",
    "cve-2026-26980",
    "fakecaptcha",
    "ghost cms",
    "information stealer",
    "installer.dll",
    "mass compromise",
    "notepadplusplus.dll",
    "sql injection",
    "utilifysetup.exe"
  ],
  "tags": [
    "2026-05-21",
    "CVE-2026-26980",
    "clickfix",
    "cloaking",
    "fakecaptcha",
    "ghost cms",
    "information stealer",
    "installer.dll",
    "mass compromise",
    "notepadplusplus.dll",
    "sql injection",
    "utilifysetup.exe"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "ac41817e-d412-4845-a377-20c99b1d17fa",
        "name": "cloud-verification.com"
      },
      {
        "id": "cd64307f-ab83-4630-a511-ae280b937029",
        "name": "https://com-apps.cc/11z77u3.php"
      },
      {
        "id": "04d902c7-b768-44c5-b822-d843059a032c",
        "name": "https://taketwolabs.com/wp-content/NotepadPlusPlus.dll"
      },
      {
        "id": "6bcd3127-fb56-4e1e-9cc9-dfc68861ea2a",
        "name": "clo4shara.xyz"
      },
      {
        "id": "8bb65af1-a100-4bb4-90cf-1f0a493272f8",
        "name": "https://cdnupdatenews.top/dl?fid=38"
      },
      {
        "id": "2984f54b-4d16-47c4-885c-d70d2b5880d6",
        "name": "web-telegram.ug"
      },
      {
        "id": "61c5bfe8-3c23-44c0-9598-23d0835d7b70",
        "name": "taketwolabs.com"
      },
      {
        "id": "bfa78b8f-70ef-4659-b53f-ee423c1b0271",
        "name": "script-dev.digital"
      },
      {
        "id": "f7d4e769-5da3-4f15-8832-887739a5fb27",
        "name": "https://cloud-verification.com/update.zip"
      },
      {
        "id": "9510acba-8971-46a9-b40e-cfaf8a74eaca",
        "name": "https://script-dev.digital/api/css.js"
      },
      {
        "id": "dd1269d4-5242-4585-9292-e27f255ab02f",
        "name": "download-file.today"
      },
      {
        "id": "dd2e1a20-688b-441d-8465-ecadf0970145",
        "name": "updatefile-cf.top"
      },
      {
        "id": "3944c952-0492-46e1-a282-76a577d0f93e",
        "name": "https://clo4shara.xyz/11z77u3.php"
      },
      {
        "id": "3d182a49-0283-41a5-ba20-2e496d01099e",
        "name": "https://jalwat.com/static/uploads/campaigns/6/update.zip"
      },
      {
        "id": "79e309c3-e47a-41dc-a6ee-39e95406546d",
        "name": "cdnupdatenews.top"
      },
      {
        "id": "40ece826-a0a1-4c6f-a900-00076c54f8e4",
        "name": "updatesecurity.pro"
      },
      {
        "id": "2f8a2ce6-78ff-4ae0-9916-cbca8d45dd78",
        "name": "https://com-apps.cc/NotepadPlusPlus.zip"
      },
      {
        "id": "d44dd881-2dde-42a8-b79f-6679ec54ee3d",
        "name": "com-apps.cc"
      },
      {
        "id": "ab0cb78b-0f53-44c7-b7b3-2af3c69eaa55",
        "name": "https://platecrumbs.com/11z77u3.php"
      },
      {
        "id": "17c73a6b-8c17-4636-9762-36997157eb6a",
        "name": "https://com-apps.cc/update.zip"
      },
      {
        "id": "5fc0f0a5-88b9-4413-8413-ae5c429e2540",
        "name": "jalwat.com"
      },
      {
        "id": "68d461ab-c048-4f9c-9f62-1704ae778ade",
        "name": "script-dev.buzz"
      },
      {
        "id": "b7a76ea5-bae9-4d69-b12b-c536f08e6fb3",
        "name": "platecrumbs.com"
      },
      {
        "id": "393b972b-444d-4e6c-8deb-4be3fc65cd00",
        "name": "script-dev.xyz"
      },
      {
        "id": "e74e0013-cd5f-4aaa-b818-8052c7dd89ef",
        "name": "https://staticcloudflare.pro/api/css.js"
      },
      {
        "id": "336eb47c-4887-4993-9dd8-bf05e76f4819",
        "name": "updatefilescf.top"
      },
      {
        "id": "2141bce7-fefa-4f27-a468-5f2bae581f66",
        "name": "staticcloudflare.pro"
      },
      {
        "id": "70cf145b-206e-4ae9-8dfe-fa7e51b948ae",
        "name": "static-file.digital"
      }
    ],
    "attack_patterns": [
      {
        "id": "79525d9e-3824-4347-a471-7dcea20fd864",
        "name": "T1583.006"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "6b7df637-ffba-4104-b70e-5bd05637d0f6",
        "name": "T1212"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "malware": [
      {
        "id": "1794074e-954f-46da-b40b-ee014575a5f6",
        "name": "NotepadPlusPlus.dll",
        "slug": "notepadplusplusdll"
      },
      {
        "id": "d2c1478b-f560-44cd-bf00-1de34796fb93",
        "name": "UtilifySetup.exe",
        "slug": "utilifysetupexe"
      },
      {
        "id": "55125105-e64b-43ca-a1e3-01b0642746ac",
        "name": "installer.dll",
        "slug": "installerdll"
      }
    ],
    "observables": [
      {
        "id": "54a95c08-9309-4241-9565-409c35590db9",
        "name": "script-dev.buzz"
      },
      {
        "id": "b496709f-c9f7-47fe-9023-98ed245a8630",
        "name": "script-dev.digital"
      },
      {
        "id": "dd739dd4-6a8d-4f36-9280-32d0c70fb583",
        "name": "taketwolabs.com"
      },
      {
        "id": "1fdca976-70e0-4029-95aa-58fc75fe95d0",
        "name": "staticcloudflare.pro"
      },
      {
        "id": "a46bb935-7166-4ad2-8a13-13cb3efaf6ea",
        "name": "updatefile-cf.top"
      },
      {
        "id": "e2730528-d7a6-4c0f-b32e-7e097b5716b2",
        "name": "clo4shara.xyz"
      },
      {
        "id": "c157d55c-2f44-4722-afb9-dbe19cc048a4",
        "name": "script-dev.xyz"
      },
      {
        "id": "636e2b27-2171-4415-9800-56ea18acba39",
        "name": "com-apps.cc"
      },
      {
        "id": "d861e202-c27a-42a2-b6eb-8cc6382a1126",
        "name": "updatefilescf.top"
      },
      {
        "id": "28b03679-1eaf-4f10-9fd5-a9888ffff762",
        "name": "cdnupdatenews.top"
      },
      {
        "id": "f1c85b3d-3bd9-4cff-b782-61eac6a34b06",
        "name": "jalwat.com"
      },
      {
        "id": "e3675e4f-94d1-49b4-ad6b-eb2aea8385b9",
        "name": "platecrumbs.com"
      },
      {
        "id": "9a7f3f70-6ad5-4a75-b330-89bc5d00bde0",
        "name": "static-file.digital"
      },
      {
        "id": "ac457404-4bfc-4eb6-8d63-924bf7f070cf",
        "name": "cloud-verification.com"
      },
      {
        "id": "b18d8278-bb3f-44ef-a049-5f6d65535ab5",
        "name": "updatesecurity.pro"
      },
      {
        "id": "98b04356-5502-4fbb-95f5-acd333f58bcc",
        "name": "web-telegram.ug"
      },
      {
        "id": "9258f408-ff5f-4e63-a574-b5495be5161a",
        "name": "download-file.today"
      },
      {
        "id": "6300d75f-705e-423b-8550-68524ade39f9",
        "name": "https://script-dev.digital/api/css.js"
      },
      {
        "id": "30784f4b-dbef-4e75-abba-28c498a21a49",
        "name": "https://cloud-verification.com/update.zip"
      },
      {
        "id": "3c9dc174-f447-4c97-b732-2b377e51015a",
        "name": "https://platecrumbs.com/11z77u3.php"
      },
      {
        "id": "4e64ba25-5feb-4a1d-8235-1d3d4b7b93f3",
        "name": "https://com-apps.cc/update.zip"
      },
      {
        "id": "ea13b795-f240-4b6f-8a40-db4ba3aab2f9",
        "name": "https://com-apps.cc/11z77u3.php"
      },
      {
        "id": "de1fd96c-b982-4c78-a05b-edd3ab36a2f9",
        "name": "https://taketwolabs.com/wp-content/NotepadPlusPlus.dll"
      },
      {
        "id": "c0d72b47-def4-4c91-b106-4f7167efd5f5",
        "name": "https://clo4shara.xyz/11z77u3.php"
      },
      {
        "id": "147ac3d4-2dde-4192-af05-31997a970673",
        "name": "https://staticcloudflare.pro/api/css.js"
      },
      {
        "id": "c07610c4-1925-44a4-a584-5c61b51c1051",
        "name": "https://com-apps.cc/NotepadPlusPlus.zip"
      },
      {
        "id": "8076fbf9-5f9d-44ce-b4b5-812776e5325f",
        "name": "https://cdnupdatenews.top/dl?fid=38"
      },
      {
        "id": "e3f9cc4c-4a04-40ef-a0a2-21e9a9dba947",
        "name": "https://jalwat.com/static/uploads/campaigns/6/update.zip"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Health"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Medias and audiovisual"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "cloud-verification.com"
      },
      {
        "id": "",
        "name": "clo4shara.xyz"
      },
      {
        "id": "",
        "name": "web-telegram.ug"
      },
      {
        "id": "",
        "name": "taketwolabs.com"
      },
      {
        "id": "",
        "name": "script-dev.digital"
      },
      {
        "id": "",
        "name": "download-file.today"
      },
      {
        "id": "",
        "name": "updatefile-cf.top"
      },
      {
        "id": "",
        "name": "cdnupdatenews.top"
      },
      {
        "id": "",
        "name": "updatesecurity.pro"
      },
      {
        "id": "",
        "name": "com-apps.cc"
      },
      {
        "id": "",
        "name": "jalwat.com"
      },
      {
        "id": "",
        "name": "script-dev.buzz"
      },
      {
        "id": "",
        "name": "platecrumbs.com"
      },
      {
        "id": "",
        "name": "script-dev.xyz"
      },
      {
        "id": "",
        "name": "updatefilescf.top"
      },
      {
        "id": "",
        "name": "staticcloudflare.pro"
      },
      {
        "id": "",
        "name": "static-file.digital"
      }
    ]
  },
  "external_refs": [
    {
      "id": "e30bc25f-91c8-4c30-b0d8-646001cc896c",
      "standard_id": "external-reference--83925cf2-e9fc-5671-8dea-1cd7d9733ccf",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0f06676dfe8431915ed38a",
      "hash": null,
      "external_id": "6a0f06676dfe8431915ed38a",
      "created": "2026-05-21T16:50:39.403Z",
      "modified": "2026-05-21T16:50:39.403Z",
      "createdById": null
    },
    {
      "id": "6609c833-1c3d-40d8-94d2-d49923de7bf8",
      "standard_id": "external-reference--cc7d0708-a21c-5e95-9eef-f545942cc014",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-21T16:50:39.444Z",
      "modified": "2026-05-21T16:50:39.444Z",
      "createdById": null
    }
  ]
}