ClickFix via Ghost CMS: How CVE-2026-26980 Turned 700 Legitimate Websites Into Malware Delivery Nodes

A large-scale exploitation campaign targeting Ghost CMS has compromised more than 700 websites and repurposed them as delivery infrastructure for ClickFix social engineering attacks. The operation, first detected on May 7, 2026 by QiAnXin XLab and reported publicly on May 21, exploits CVE-2026-26980 (CVSS 9.4), a SQL injection vulnerability in Ghost's Content API that allows unauthenticated extraction of the Admin API key. Two separate threat clusters are actively conducting parallel poisoning operations. The vulnerability was discovered using Anthropic's Claude AI and was patched in Ghost 6.19.1 in February 2026, but a significant portion of deployed instances remain unpatched.

CVE-2026-26980: Unauthenticated Admin Key Extraction

Ghost CMS operates two classes of API keys with fundamentally different permission scopes. The Content API Key is read-only, intended for frontend consumption of published content. The Admin API Key carries full management permissions: it can create, modify, and delete articles (for example via the PUT /ghost/api/admin/posts/:id/ endpoint), manage users, and modify themes. CVE-2026-26980 is a SQL injection flaw in the Content API that allows an unauthenticated attacker to read arbitrary data from the Ghost database, including the Admin API Key. The attack requires no credentials or prior access and is fully automatable: the observed campaign runs bulk vulnerability scanning, automatic key extraction, and bulk article injection as a continuous pipeline. The vulnerability was publicly disclosed on February 19, 2026. The compilation timestamp on the first observed payload (February 16, 2026) suggests at least one threat actor knew of the flaw and had tooling prepared before public disclosure.

ClickFix: Why It Works and Why This Campaign Scales It

ClickFix is a social engineering technique that manipulates users into executing malware themselves by disguising delivery as a routine verification step. The canonical variant presents a fake Cloudflare "Verify you are human" CAPTCHA page. When the user clicks "Verify," the page silently places a Base64-encoded command onto the clipboard via JavaScript. Instructions on screen then direct the user to open the Windows Run dialog (WIN+R), paste with Ctrl+V, and press Enter. The command executes in the user's own security context, bypassing endpoint controls that would block an unsolicited download or execution. The pasted command in this campaign includes a trailing comment disguised as a reCAPTCHA verification ID ("I am not a robot reCAPTCHA Verification ID: 2771") to suppress any instinct that the instruction looks suspicious.

The reason this campaign achieves exceptional scale is the legitimacy of the delivery surface. Ghost CMS powers the blogs and content platforms of universities, security research firms, fintech startups, and media organizations. A victim visiting the Harvard International Review or a recognized blockchain project's engineering blog carries a fundamentally different trust posture than a victim receiving an unsolicited email. XLab explicitly notes that the use of legitimate, trusted sites "will greatly increase the success rate of ClickFix-type attacks." The campaign is not exploiting user negligence toward unknown sources. It is exploiting earned institutional trust.

Five-Stage Attack Chain

Stage 1: CMS Takeover. The attacker performs automated scanning for Ghost instances vulnerable to CVE-2026-26980, extracts the Admin API Key via SQL injection through the Content API, and authenticates to the Ghost Admin API without any credentials.

Stage 2: Page Poisoning. Using the Admin API, the attacker bulk-modifies published articles, appending a thin JavaScript loader to each article body. The loader Base64-decodes a C2 URL at runtime and dynamically injects a <script> tag. A newer version of the loader adds a localStorage deduplication check so the payload fires only once per browser, reducing noise. Critically, the loader encodes btoa(document.origin) as the injected script tag's ID, allowing the C2 to fingerprint which compromised site is generating traffic without requiring separate loader variants per site.

Stage 3: Cloaking and Traffic Distribution. The injected loader fetches a PHP script hosted at clo4shara[.]xyz/11z77u3.php (later rotated to com-apps[.]cc). This script is a commercial cloaking service from Adspect, which collects browser fingerprint data across multiple dimensions: WebGL GPU model, Navigator properties, timezone, touch event support, and console tampering detection. Based on the server's assessment, real victims receive the attack payload while security crawlers and sandboxes are served a benign page. The script supports 19 remote control commands including arbitrary JavaScript execution, iframe injection, and HTTP redirect, giving the attacker full real-time control over the victim's browser session.

Stage 4: ClickFix Delivery. Victims assessed as real targets are served an iframe loading cloud-verification[.]com, a high-fidelity fake Cloudflare verification page. The page uses a setTimeout of at least 500 milliseconds to silently download update.zip to the user's Downloads folder before the verification prompt is displayed. The Ctrl+V clipboard content executes: it moves the archive to %TEMP%, extracts it via the native Windows tar utility, and silently runs update.bat with a minimized window.

Stage 5: Payload Delivery and Persistence. The batch script downloads a Rust-compiled DLL (installer.dll) from Storj's public CDN and launches it via rundll32.exe, calling the exported function Begin with a hidden window. The final-stage payload is UtilifySetup.exe, an Inno Setup installer for an Electron application. The application is a trojanized fork of the open-source Grape desktop client, with the legitimate entry point replaced by a malicious index.js. It uses Electron's setLoginItemSettings API for persistence and polls the C2 server at web-telegram[.]ug every 30 seconds, accepting instructions to execute arbitrary JavaScript or run executable files. The payload carried zero detections on VirusTotal at the time of discovery.

Two Competing Threat Clusters

XLab identified two separate threat actors conducting parallel poisoning operations against the same vulnerable Ghost CMS instances. The competition between them is observable: sites that cleaned up Cluster A's injected code were subsequently re-infected by Cluster B, and in some cases Cluster A re-infected sites that Cluster B had taken over. The Harvard International Review was alternately poisoned by both clusters within a 24-hour window. XLab describes the dynamic as the two groups "wantonly toying" with the site.

Cluster A uses the Adspect-based cloaking infrastructure described above. Its C2 domains include clo4shara[.]xyz, cloud-verification[.]com, com-apps[.]cc, and web-telegram[.]ug. Injected code is identified by the string ghost_once_footer_ in article bodies.

Cluster B uses a simpler obfuscation scheme based on reversed strings and routes traffic through domains following the URI pattern /api/css.js. Its infrastructure resolves to 144.31.236.66 across domains including staticcloudflare[.]pro, script-dev[.]digital, and updatesecurity[.]pro. VirusTotal pivoting on the /api/css.js URI pattern returns nearly 500 suspicious domains. XLab notes linkage to the Aeternum threat cluster based on infrastructure overlaps. Injected code is identified by the string sj.ssc/ipa/ (the URI pattern /api/css.js reversed). Cluster B's ClickFix payload uses XOR encryption with the key h2QHiVI to obfuscate the dropper command.

Victim Profile

XLab's AI-assisted analysis of 765 confirmed victim domains shows that personal blogs and independent sites account for the largest share (48.1%), followed by software development and SaaS blogs (14.8%), AI and machine learning (4.6%), Web3 and cryptocurrency projects (2.9%), and education and academia (2.7%). Named high-profile victims include the Harvard International Review, Oxford University-affiliated properties, and Auburn University. Security research blogs account for 1.4% of confirmed victims, meaning researchers visiting peer publications on Ghost CMS are themselves within the delivery surface. Cloudflare blocked the initial cloaking domain clo4shara[.]xyz after users reported anomalous behavior on poisoned sites, cutting the attack chain temporarily. The attacker rotated to com-apps[.]cc on May 16 with a new payload carrying zero VT detections.

Indicators of Compromise

Cluster A domains: clo4shara[.]xyz, cloud-verification[.]com, jalwat[.]com, com-apps[.]cc, web-telegram[.]ug, taketwolabs[.]com, platecrumbs[.]com

Cluster B domains: staticcloudflare[.]pro, script-dev[.]digital, script-dev[.]buzz, updatesecurity[.]pro, updatefilescf[.]top, static-file[.]digital, download-file[.]today, cdnupdatenews[.]top

Sample hashes (MD5):

Article injection fingerprints: ghost_once_footer_ (Cluster A), sj.ssc/ipa/ (Cluster B)
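As an added example (not XLab's or Ghost's code), the following Python triage scans post HTML for the two injection fingerprints listed above and strips only the fingerprinted script elements, so a cleaned body can be written back at the database level; it assumes posts are supplied as rows with slug and html fields and uses constructed sample rows.

```python
import re

# Injection fingerprint strings reported for the two clusters.
FINGERPRINTS = {"ghost_once_footer_": "Cluster A", "sj.ssc/ipa/": "Cluster B"}
# One complete <script ...>...</script> element, any case, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def find_injected(html):
    """Return (cluster, script_element) for every <script> carrying a known fingerprint."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        for marker, cluster in FINGERPRINTS.items():
            if marker in m.group(0):
                hits.append((cluster, m.group(0)))
                break
    return hits


def strip_injected(html):
    """Drop only the fingerprinted <script> elements; legitimate scripts stay untouched."""
    return SCRIPT_RE.sub(lambda m: "" if any(k in m.group(0) for k in FINGERPRINTS) else m.group(0), html)


def triage_posts(posts):
    """posts: iterable of dicts with 'slug' and 'html' (columns of Ghost's posts table).
    Returns {slug: {"clusters": [...], "cleaned_html": ...}} for affected posts only."""
    report = {}
    for post in posts:
        hits = find_injected(post.get("html") or "")
        if hits:
            report[post["slug"]] = {"clusters": sorted({c for c, _ in hits}),
                                    "cleaned_html": strip_injected(post["html"])}
    return report


# Constructed sample rows (placeholder loader bodies, not the real injected code):
# a clean post, a Cluster A hit, and a post hit by both clusters in turn.
SAMPLE_POSTS = [
    {"slug": "welcome", "html": "<p>Hello</p><script>console.log('ok')</script>"},
    {"slug": "a-hit", "html": '<p>Post</p><script id="ghost_once_footer_x">/* loader */</script>'},
    {"slug": "both", "html": "<p>P</p><SCRIPT>u='sj.ssc/ipa/'</SCRIPT><script>ghost_once_footer_</script>"},
]
```

Ghost regenerates the html column from the stored post source (the mobiledoc or lexical column), so run the same fingerprint check on that column as well; otherwise the next editor save can reintroduce the loader.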

Remediation

Ghost CMS administrators should upgrade to version 6.19.1 or later immediately. Post-upgrade, rotate all Admin API Keys, Content API Keys, administrator passwords, and session tokens. Clean injected script tags directly at the database level using the fingerprint strings above, not only through the backend editor. Audit Admin API logs for bulk PUT /ghost/api/admin/posts/:id/ requests from unfamiliar IPs, abnormal user agents, or short-interval bulk modifications. Any user who visited a Ghost site during the contamination window and encountered a Cloudflare verification prompt should be advised to run an endpoint security scan. Ghost management interfaces should not be directly internet-exposed regardless of patch status.
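An added example, not from XLab or Ghost, of the log audit described above: it parses reverse-proxy access-log lines (nginx combined format is assumed; a different proxy needs a different regex) and flags source IPs that issue bulk PUTs to per-post Admin API endpoints within a short interval or that fall outside a known-editor allowlist, using constructed log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log layout; assumes Ghost sits behind nginx (adjust for another proxy).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# The per-post Admin API endpoint that the campaign bulk-modifies.
ADMIN_POST_RE = re.compile(r"^/ghost/api/admin/posts/[^/?]+/")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bulk_edits(lines, known_ips, window=timedelta(minutes=5), threshold=5):
    """Flag each source IP that PUTs to individual admin post endpoints from outside
    known_ips, or at least `threshold` times inside any `window` (bulk poisoning)."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "PUT" and ADMIN_POST_RE.match(rec["path"]):
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = [] if ip in known_ips else ["unfamiliar source IP"]
        start = 0  # sliding window over the sorted edit timestamps
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.append(f"{end - start + 1} post edits within {window}")
                break
        if reasons:
            findings[ip] = {"edits": len(recs), "reasons": reasons, "user_agents": sorted({r["ua"] for r in recs})}
    return findings


# Constructed sample log: an editor's two edits an hour apart, then six scripted
# edits within six seconds from an address that is not a known editor.
_LINE = '{ip} - - [21/May/2026:{t} +0000] "PUT /ghost/api/admin/posts/{pid}/?source=html HTTP/1.1" 200 812 "-" "{ua}"'
SAMPLE_LOG = [_LINE.format(ip="203.0.113.10", t="09:00:00", pid="p1", ua="Mozilla/5.0"),
              _LINE.format(ip="203.0.113.10", t="10:00:00", pid="p2", ua="Mozilla/5.0")]
SAMPLE_LOG += [_LINE.format(ip="198.51.100.77", t=f"10:30:0{i}", pid=f"p{i}", ua="python-requests/2.31")
               for i in range(1, 7)]
KNOWN_EDITOR_IPS = {"203.0.113.10"}
```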

This article is published for threat intelligence purposes. IntelFusions is not affiliated with any threat actor group. Claims described herein have not been independently verified unless explicitly stated. Primary source: QiAnXin XLab, May 21, 2026.

Read the full analysis on IntelFusions