Cybersecurity researchers have uncovered a large attack campaign that targets a recently patched flaw in Ghost CMS and has compromised hundreds of websites, injecting malicious code tied to ClickFix attacks.
The vulnerability, tracked as CVE-2026-26980, is a high-severity SQL injection weakness in Ghost CMS. Researchers report that adversaries exploited it to obtain Admin API keys. With those keys, an attacker can modify site content, including inserting JavaScript into already published posts, not only drafts.
The vulnerability was patched earlier in 2026, but threat actors moved quickly against installations that had not yet been updated. Investigators say more than 700 websites were affected, spanning universities, AI platforms, blockchain projects, SaaS providers, fintech companies and media organizations.
Using the stolen Admin API keys, the attackers appended hidden JavaScript loaders at the bottom of pages. At runtime those loaders fetched additional payloads from attacker-controlled infrastructure, which let the operators change the malicious behaviour without touching the compromised sites again.
The malicious backend also relied on cloaking to evade detection. Rather than serving malware to every visitor, it first collected browser fingerprinting data and used it to decide whether the visitor was a genuine target or a security scanner probing the site.
Visitors classified as targets were shown fake CAPTCHA verification screens, the hallmark of a ClickFix attack. Users were tricked into copying a malicious command and running it through the Windows Run dialog, which downloaded and executed malware on their machines.
The delivery stage changed over the course of the campaign: observed payloads included DLL files, JavaScript loaders and modified Electron-based applications that maintained persistence and communicated with remote command-and-control servers.
The campaign illustrates how an unpatched content management system can become a distribution point for malware at scale. Because the lures were served from legitimate, compromised websites, victims were more inclined to trust what they were shown, even when the content was suspicious.
Ghost CMS operators are strongly encouraged to update to the latest fixed release, rotate credentials (including Admin API and integration keys, since those are what the attackers abused), review admin access logs for unusual activity, remove any injected scripts, and scan their sites for other signs of compromise.
Security firms such as IntelligenceX continue to stress that patch management, website security monitoring and rapid vulnerability response matter more every year, as attackers increasingly turn CMS platforms into infrastructure for large-scale campaigns.