Mass Compromise of Ghost CMS via CVE-2026-26980 Enables Large-Scale ClickFix Operations


At least two unrelated threat actors are exploiting CVE-2026-26980, an unauthenticated SQL injection in Ghost CMS, to steal Admin API keys and bulk-inject malicious JavaScript loaders into article bodies. The injected loaders drive visitors through a FakeCaptcha / ClickFix social-engineering chain (spoofed Cloudflare “Verify you are human” page → Win+R → Ctrl+V → Enter), ultimately delivering a Rust-based DLL loader and, in the latest stage, an Electron-based stealer/RAT (UtilifySetup.exe) with zero VT detections at time of reporting. 700+ domains are confirmed compromised, including Harvard, Oxford, Auburn, DuckDuckGo’s blog, EuroPython Society, and assets in fintech, AI/SaaS, and Web3.

Severity: Critical

Vulnerability Overview

  • CVE: CVE-2026-26980
  • CVSS Score: 9.4
  • Product: Ghost CMS (vulnerable versions 3.24.0 – 6.19.0)
  • Class: Pre-auth SQL injection via slugFilterOrder (raw SQL CASE, no parameter binding)
  • Vector: GET /ghost/api/content/tags/ with crafted filter=slug:[…] payload
  • Impact: Read arbitrary DB contents → exfiltrate users table (email, bcrypt, role) and api_keys table (Admin API key id + secret)

Attack Chain

Threat Actor A (primary)

  1. Recon – locate vulnerable Ghost instances (v3.24.0–6.19.0)
  2. SQLi – extract Admin API key id + secret
  3. Persistence on CMS – sign JWT, push <script> loader to post bodies via Admin API
  4. Stage-1 loader – small JS appends a <script> whose src is base64-decoded (atob) and tagged with btoa(origin) so the C2 can fingerprint the source site. A newer variant uses the localStorage key ghost_once_footer_<hash> to run only once per visitor.
  5. Cloaking / TDS – clo4shara[.]xyz/11z77u3.php (later com-apps[.]cc/11z77u3.php). Code is from commercial cloaker Adspect; fingerprints WebGL vendor/renderer, timezone, touch events, console tampering, frame status, etc.; supports 19 actions (local, fetch, proxy, 301–307, iframe, form, php, js/eval).
  6. FakeCaptcha – iframe action loads cloud-verification[.]com, a spoofed Cloudflare challenge instructing the user to press Win+R → Ctrl+V → Enter. A setTimeout(500) silently downloads update.zip while the clipboard is primed with a base64 dropper.
  7. Dropper – cmd /c “move … tar -xf … start /min update.bat” (disguised with fake reCAPTCHA ID comment)
  8. Stage-2 – update.bat / NotepadPlusPlus.cmd uses powershell -W 1 + iwr to fetch DLL from Storj CDN (link.storjshare[.]io) or taketwolabs[.]com/wp-content/; executes via rundll32 … Begin; opens decoy page (YouTube, IPLogger, bc[.]ax/Supp.html)

Threat Actor B (secondary)

  1. Observed re-infecting victims after Actor A’s payload was cleaned (e.g., bitsy.ai, Harvard International Review hit again within 24h).
  2. Injected JS uses reverse-string obfuscation; loads /api/css.js from rotating .pro / .digital / .buzz / .top / .xyz domains, many resolving to 144.31.236[.]66.
  3. ClickFix variant uses PowerShell + Win+X flow; clipboard payload is hex-encoded, XOR’d with key h2QHiVI.
  4. Decrypted PowerShell fetches https[:]//cdnupdatenews[.]top/dl?fid=38 (payload not captured).
  5. ~500 related domains discoverable via /api/css.js URI pivot on VT; some attributed to Aeternum.

Victimology

  • Affected Sectors: universities, blockchain, AI/SaaS, security research, media, NGO, art, travel, health, gaming, fintech, agritech, e-commerce, podcast, automotive, legal, etc.
  • Named Victims: Harvard (hir.harvard.edu), Oxford, Auburn University, DuckDuckGo Spread Privacy blog, EuroPython Society, Hanlon Financial Systems Center, Ippon Technologies, celestia.org blog, etc.

Recommendations

  1. Patch Ghost CMS to the fixed release immediately.
  2. Rotate all credentials: Admin API key, Content API key, admin passwords, active sessions.
  3. Purge injected <script> at the database layer; the injected markup is not reliably visible in the editor, so cleaning from the editor view alone is insufficient.
  4. Retain ≥30 days of Admin API logs; run a retro-hunt against the IOCs.
  5. Notify users who visited during the contamination window to perform endpoint checks.
  6. Enforce Windows Defender Application Control (WDAC) or AppLocker rules that block rundll32.exe execution of DLLs from user-writable paths (%TEMP%, %AppData%), and block unsigned Electron apps from running outside Program Files.
  7. Block the IOCs at their respective controls; the full collection is at https://www.virustotal.com/gui/collection/af9bd72bfcc0ca49ab4d6bbca890065cd24cdc43b3fb8b94b44c6d9ba47d27df/iocs

Source:

  • https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
  • https://www.malwarebytes.com/blog/bugs/2026/05/700-education-and-tech-websites-hijacked-in-huge-clickfix-malware-campaign
