Skip to main content
Emerging ThreatsMalware & Ransomware

Ghost CMS Flaw Exploited to Hijack Over 700 Sites in ClickFix Attacks

Laptop screen displays a blurred CMS interface with a cityscape background.

More than 700 websites were compromised in a fast-moving campaign that weaponized a critical Ghost CMS vulnerability, QiAnXin XLab reported — a large-scale poisoning that turned legitimate content pages into entry points for a social-engineered Windows malware drop.

CVE-2026-26980 and the exposed Admin API key

QiAnXin XLab traced the campaign to exploitation of CVE-2026-26980, an SQL injection vulnerability in Ghost's Content API with a CVSS score of 9.4. The flaw, discovered by Anthropic using Claude, was addressed in February 2026 in Ghost version 6.19.1. According to XLab, the vulnerability can be used by an unauthenticated attacker to read arbitrary data from the database and, critically, to "obtain the target site's Admin API Key without authorization." Possession of that key allows invocation of the Ghost Admin API and direct modification of published articles, which the attackers used to inject malicious JavaScript loaders into pages.

Two-stage loader, Adspect cloaking, and the ClickFix hook

Injected JavaScript appended to article pages operated as a two-stage loader that fetched a runtime payload from an external URL: clo4shara[.]xyz/11z77u3.php. XLab described that PHP resource as "a typical traffic distribution script" powered by Adspect, a commercial cloaking service. The script collects browser fingerprinting data, uploads it to the server, and then issues instructions — redirections, popups, or downloads — based on the returned decisions. XLab noted the script supports 19 different commands to run arbitrary JavaScript and remotely control the victim's browser.

Visitors identified as intended victims were served a fake CAPTCHA verification page inside an iframe. That prompt initiated a ClickFix-style social-engineering flow: users were instructed to copy and paste a Base64-encoded command into the Windows Run dialog, a step that handed the attackers the ability to execute further stages on a targeted Windows host.

From Base64 command to persistent backdoor

The Base64 command served as a dropper that downloaded a ZIP archive, extracted a Windows batch script, and ran it. The batch then executed a PowerShell command to download a DLL from a remote domain, invoke it with rundll32.exe, and display a bogus webpage to distract the user. XLab observed subsequent variants that replaced the DLL with a JavaScript payload, but in all cases the immediate objective was the same: install a Windows executable.

When the DLL route was used, the dropped executable was a PuTTY client carrying a valid code-signing certificate. When the attackers deployed the JavaScript route, the resulting binary was an Inno Setup installer wrapping an Electron application — a modified build of the open-source Grape desktop client. That application was altered to achieve persistence and to poll a remote server at web-telegram[.]ug every 30 seconds for instructions, including commands to run JavaScript or arbitrary executables.

Scope, sectors affected, and campaign tempo

Detected on May 7, 2026, XLab attributed the campaign to at least two different threat clusters and described it as "large-scale poisoning." The operation compromised more than 700 websites across universities, blockchain, artificial intelligence, SaaS, security research, media, and financial technology sectors. XLab highlighted that using legitimate, trusted websites as distribution points could increase the success rate of the ClickFix social-engineering component.

What this means for Ghost CMS users, security teams, and site visitors

  • Ghost CMS users: XLab's guidance is operational — upgrade instances to the patched version (the flaw was fixed in February 2026 in Ghost 6.19.1), rotate all credentials, clean up injected content, and audit access logs for signs of abuse.
  • Security teams at affected organizations: perform forensic review of site modifications, notify users who may have visited compromised pages during the contamination period, and look for downstream indicators such as unusual rundll32.exe invocations, new Electron-based installers, or unexpected PuTTY binaries with legitimate-looking signatures.
  • Site visitors and end users: be wary of copy-paste instructions into system dialogs and of CAPTCHA-like prompts presented inside iframes; those are the exact user actions the attackers relied upon to trigger payload execution.

QiAnXin XLab's analysis underscores two operational risks: first, a Content API SQL injection that exposes high-value keys (Admin API keys) can convert content-management workflows into an infection vector; second, the attackers' use of Adspect cloaking and a modular loader makes detection and attribution harder by showing benign content to scanners while delivering malicious payloads only to chosen victims. Ghost CMS administrators and the organizations whose sites were listed among the 700+ compromises face an immediate remediation task: patch, rotate, clean, and notify.

Original reporting