O RLY CYBER on Nostr: (qianxin.com) Large-Scale Compromise of Ghost CMS via CVE-2026-26980 Fuels ClickFix ...
(qianxin.com) Large-Scale Compromise of Ghost CMS via CVE-2026-26980 Fuels ClickFix Malware Campaigns
Active exploitation of CVE-2026-26980 (Ghost CMS SQLi) enables large-scale ClickFix malware campaigns via Admin API key theft and article poisoning.
In brief - Attackers exploit CVE-2026-26980 to steal Ghost CMS Admin API keys, injecting malicious JavaScript into 700+ sites. Users are tricked via FakeCaptcha/ClickFix into executing stealer trojans (Rust/Electron-based). Two threat actor groups compete in this automated, multi-stage campaign.
Technically - CVE-2026-26980 (SQLi) allows unauthenticated Admin API key exfiltration. Malicious JS (two-stage loader) decodes base64 URLs to fetch cloaking scripts (e.g., clo4shara[.]xyz), redirecting victims to forged Cloudflare pages. Payloads include installer.dll (Rust) and UtilifySetup.exe (Electron), with persistence. Attackers use dynamic C2 domains (e.g., com-apps[.]cc) and cloaking to evade detection.
Source:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
#Cybersecurity #ThreatIntel
Published at 2026-05-21 12:42:34 UTC
Event JSON
{
  "id": "a1c5aa35863d23f4d50f6c01e9ed8e9d79d2c660af19faeb3b6e773073ff6e9c",
  "pubkey": "85ffc59f6e6ed39671535a8b5e87a4e7b2fd9a14d8c29200eca0f9526e184149",
  "created_at": 1779367354,
  "kind": 1,
  "tags": [
    [
      "proxy",
      "https://swecyb.com/@orlysec/116612618922061210",
      "web"
    ],
    [
      "t",
      "threatintel"
    ],
    [
      "t",
      "cybersecurity"
    ],
    [
      "proxy",
      "https://swecyb.com/ap/users/116080658609901341/statuses/116612618922061210",
      "activitypub"
    ],
    [
      "L",
      "pink.momostr"
    ],
    [
      "l",
      "pink.momostr.activitypub:https://swecyb.com/ap/users/116080658609901341/statuses/116612618922061210",
      "pink.momostr"
    ],
    [
      "-"
    ]
  ],
  "content": "(qianxin.com) Large-Scale Compromise of Ghost CMS via CVE-2026-26980 Fuels ClickFix Malware Campaigns\n\nActive exploitation of CVE-2026-26980 (Ghost CMS SQLi) enables large-scale ClickFix malware campaigns via Admin API key theft and article poisoning.\n\nIn brief - Attackers exploit CVE-2026-26980 to steal Ghost CMS Admin API keys, injecting malicious JavaScript into 700+ sites. Users are tricked via FakeCaptcha/ClickFix into executing stealer trojans (Rust/Electron-based). Two threat actor groups compete in this automated, multi-stage campaign.\n\nTechnically - CVE-2026-26980 (SQLi) allows unauthenticated Admin API key exfiltration. Malicious JS (two-stage loader) decodes base64 URLs to fetch cloaking scripts (e.g., clo4shara[.]xyz), redirecting victims to forged Cloudflare pages. Payloads include installer.dll (Rust) and UtilifySetup.exe (Electron), with persistence. Attackers use dynamic C2 domains (e.g., com-apps[.]cc) and cloaking to evade detection.\n\nSource: https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/\n\n#Cybersecurity #ThreatIntel",
  "sig": "46440bd31c4c61e7c4273208ad8969589c0d32bb2049fe7a10402d98a5559c339043cdf5c015131cc951a431f690a13246fd900baaa12addccbc074788710cb0"
}