International cyber attack is affecting hundreds of websites worldwide and in Israel

New campaign exploits fake CAPTCHA mechanisms to infect computers with sophisticated malware, allowing for information theft, digital currency mining and ransomware activation; no Israeli government systems have been affected, but officials believe the number of compromised websites is far higher than the few hundred identified

Israel’s National Digital Agency on Monday revealed a large-scale international cyber campaign known as ShadowCaptcha, which exploits familiar security tools to spread malware. The attack, which has affected hundreds of websites worldwide and in Israel, focuses on WordPress-based sites, turning them into infection hubs that spread malicious software capable of stealing data, converting victims’ computers into bitcoin miners, or deploying ransomware to extort money.
The unique element of ShadowCaptcha is its cynical use of user trust. Malicious code injected into compromised sites redirects users to fake CAPTCHA pages, resembling the “I’m not a robot” verification. Instead of a simple authentication process, users are instructed to perform seemingly harmless tasks, such as pasting text into a field or running a command. In reality, these actions execute malware that installs dangerous software on their computers.
“Everyone knows the CAPTCHA mechanism, but here the fake version asks users to perform actions outside the browser, such as opening a search bar on the computer and copying a command displayed in the browser window. That command actually installs the malware. A genuine CAPTCHA never harms a computer, as long as the action takes place within the browser,” Nir Bar Yosef, head of the government’s cyber defense unit, explained to Ynet.
The international scale of the attack is reflected in reports from global sources. Cybersecurity companies and law enforcement agencies, including Europol and U.S. authorities, have recently reported operations against cybercrime networks exploiting similar entry points. In one such operation, dubbed Operation Endgame, servers and hundreds of websites used to distribute malware were shut down, demonstrating a recurring pattern of using legitimate sites as malware distribution points.

Wide range of destructive capabilities

The tactic of impersonating familiar security mechanisms reflects the technological arms race between attackers and defenders. It is part of a broader arsenal of tricks — including fake payment systems and forged invoices — designed to hide malicious activity.
According to the National Digital Agency, the malware spread by ShadowCaptcha can grant attackers sweeping destructive powers, from full remote control of computers to theft of sensitive data, cryptocurrency mining and encrypting files for ransom.
(Figure: The most attacked websites. Credit: National Digital Agency)
So far, no Israeli government systems have been affected, but officials believe the number of compromised websites is far higher than the few hundred identified. The agency is working with Israel’s National Cyber Directorate to alert affected websites and help them defend themselves. Researchers have also provided malware signatures to Google and Microsoft so they can update their browsers, antivirus software and operating systems.
At this stage, it is unclear who is behind the attack, but officials estimate it is a criminal group motivated by financial gain rather than a state actor targeting Israelis. The malware is spread through an infrastructure commonly linked to cybercrime groups, which is difficult to trace.
Authorities urged website owners to keep WordPress plugins and versions up to date and to monitor cybersecurity advisories. Users, meanwhile, were warned to complete CAPTCHA checks only inside their browser and to avoid any suspicious requests to run commands or perform external actions.
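The warning sign described above (CAPTCHA wording combined with instructions to act outside the browser) can be turned into a page check. The following is an added example, not code from the National Digital Agency or this article; the keyword patterns and the three sample pages are constructed assumptions, not the campaign's real indicators.

```python
import re
from html.parser import HTMLParser

# Assumed indicator patterns (illustrative; not the campaign's real signatures).
CAPTCHA_WORDS = re.compile(r"captcha|not a robot|verify you are human", re.I)
OUTSIDE_BROWSER = re.compile(
    r"win(dows)?\s*(key)?\s*\+\s*r|run dialog|search bar|ctrl\s*\+\s*v|"
    r"paste (the |this )?(text|command|code)|powershell|command prompt", re.I)
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)

# Constructed sample pages; the copied string is a harmless placeholder.
LURE = ('<h1>Verify you are human</h1>'
        '<p>Press Windows + R, then Ctrl + V and Enter to finish the CAPTCHA.</p>'
        '<script>navigator.clipboard.writeText("PLACEHOLDER");</script>')
REAL = ('<form><label>I\'m not a robot</label><input type="checkbox"></form>'
        '<script>console.log("captcha widget loaded")</script>')
DOCS = ('<p>Copy the install command</p><button>Copy</button>'
        '<script>navigator.clipboard.writeText("PLACEHOLDER")</script>')


class _Splitter(HTMLParser):
    """Separates visible text from inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def assess_page(html: str) -> dict:
    """Flag pages that pair CAPTCHA wording with out-of-browser steps."""
    p = _Splitter()
    p.feed(html)
    p.close()
    text, js = " ".join(p.text), "\n".join(p.scripts)
    captcha = bool(CAPTCHA_WORDS.search(text))
    outside = bool(OUTSIDE_BROWSER.search(text))
    clip = bool(CLIPBOARD_WRITE.search(js))
    # A genuine CAPTCHA stays in the browser: wording alone is not a finding.
    return {"captcha_wording": captcha, "outside_browser_instruction": outside,
            "script_writes_clipboard": clip, "suspicious": captcha and (outside or clip)}
```

A clipboard write on its own, as on the constructed documentation page, is not flagged; only the combination with CAPTCHA wording is.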