DarkEngine: CyberCX Uncovers Highly Orchestrated WordPress Phishing Campaign

Melbourne, Australia – 03 June 2025

Australians are being warned about fake CAPTCHA threats as CyberCX uncovers significant WordPress phishing campaign


 

CyberCX, Australia and New Zealand’s leading cyber security provider, is warning Australians to be vigilant for fake CAPTCHA prompts after the company uncovered a highly orchestrated phishing campaign compromising WordPress managed websites.

Dubbed DarkEngine, the campaign results in website users being shown fake CAPTCHA prompts, putting them at risk of downloading malware, such as information stealers and remote access malware. 

DarkEngine involves a multi-stage approach, indicating it is being operated by a well-resourced cyber criminal. The threat actor first creates fake replicas of WP Engine, a tool widely used by businesses to manage WordPress websites.

The threat actor then uses a technique called search engine optimisation (SEO) poisoning to elevate fake WP Engine links above legitimate websites in Google searches. These steps enable the threat actor to harvest real WP Engine login credentials from website administrators, which they then use to take control of WordPress websites to infect them with fake CAPTCHA prompts.

Their ultimate objective is to target the thousands of visitors to the thousands of websites they have compromised and manipulated.

So far, CyberCX has identified at least 2,353 unique websites likely compromised by this threat actor, including 82 belonging to Australian and New Zealand organisations. The compromised Australian websites are mostly small to medium businesses, ranging from strip clubs to education platforms for children.

Katherine Mansted, Executive Director of CyberCX Intelligence, said: “This threat actor is a savvy, highly capable and well-resourced financially-motivated criminal. They are operating a scaled operation here, gaining access to thousands of real websites and infecting them with malware that hits unsuspecting internet users.

“Fake CAPTCHA is an increasingly common technique criminals use to infect Australians’ computers with malware. They look similar to real CAPTCHAs – a way to test whether a website visitor is a real person or a bot – but prompt the unsuspecting user to run malicious commands, potentially allowing criminals to gain remote access to their computers.

“Never follow a CAPTCHA command that requires you to copy and paste text and be vigilant for any unexpected downloads after completing a CAPTCHA. Along with unusual URLs, pop-ups and poorly designed CAPTCHA formats, these are the tell-tale signs of a fake CAPTCHA.”

The fake CAPTCHA prompts delivered by DarkEngine are a variation of ClickFix, a social engineering technique designed to manipulate users into running malicious commands, and are associated with techniques used by known financially-motivated cyber crime clusters.

CyberCX Intelligence has been proactively notifying organisations whose websites have been affected as part of our efforts to secure our communities.

CyberCX advises organisations to take the following steps:

 


 

You can download the full DarkEngine Report below

About CyberCX

CyberCX is the leading provider of end-to-end cyber security and cloud services. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.

 


 
