DarkEngine: CyberCX Uncovers Highly Orchestrated WordPress Phishing Campaign

Melbourne, Australia – 03 June 2025
Australians are being warned about fake CAPTCHA threats as CyberCX uncovers significant WordPress phishing campaign
- CyberCX has uncovered a highly orchestrated phishing campaign, DarkEngine, which is targeting WordPress sites.
- The threat actor embeds fake CAPTCHA prompts into real WordPress websites, putting website users at risk of malware.
- The DarkEngine campaign has compromised over 2,300 WordPress websites, including 80 in Australia, to date.
CyberCX, Australia and New Zealand’s leading cyber security provider, is warning Australians to be vigilant for fake CAPTCHA prompts after the company uncovered a highly orchestrated phishing campaign compromising WordPress managed websites.
Dubbed DarkEngine, the campaign results in website users being shown fake CAPTCHA prompts, putting them at risk of downloading malware, such as information stealers and remote access malware.
DarkEngine involves a multi-stage approach, indicating it is being operated by a well-resourced cyber criminal. The threat actor first creates fake replicas of WP Engine, a tool widely used by businesses to manage WordPress websites.
The threat actor then uses a technique called search engine optimisation (SEO) poisoning to elevate fake WP Engine links above legitimate websites in Google searches. These steps enable the threat actor to harvest real WP Engine login credentials from website administrators, which they then use to take control of WordPress websites to infect them with fake CAPTCHA prompts.
Their ultimate objective is to target the thousands of visitors to the thousands of websites they have compromised and manipulated.
So far, CyberCX has identified at least 2,353 unique websites likely compromised by this threat actor, including 82 belonging to Australian and New Zealand organisations. The compromised Australian websites are mostly small to medium businesses, ranging from strip clubs to education platforms for children.
Katherine Mansted, Executive Director of CyberCX Intelligence, said: “This threat actor is a savvy, highly capable and well-resourced financially-motivated criminal. They are operating a scaled operation here, gaining access to thousands of real websites and infecting them with malware that hits unsuspecting internet users.
“Fake CAPTCHA is an increasingly common technique criminals use to infect Australians’ computers with malware. They look similar to real CAPTCHAs – a way to test whether a website visitor is a real person or a bot – but prompt the unsuspecting user to run malicious commands, potentially allowing criminals to gain remote access to their computers.
“Never follow a CAPTCHA command that requires you to copy and paste text and be vigilant for any unexpected downloads after completing a CAPTCHA. Along with unusual URLs, pop-ups and poorly designed CAPTCHA formats, these are the tell-tale signs of a fake CAPTCHA.”
The fake CAPTCHA prompts delivered by DarkEngine are a variation of ClickFix, a social engineering technique designed to manipulate users into running malicious commands, and are associated with techniques used by known financially-motivated cyber crime clusters.
CyberCX Intelligence has been proactively notifying organisations whose websites have been affected as part of our efforts to secure our communities.
CyberCX advises organisations to take the following steps:
- Search for activity related to the DarkEngine campaign.
- WP Engine administrators should audit account activity logs for unexpected logins, especially from unknown proxy services and VPNs.
- WordPress site administrators should check for unexpected plugins, injected content in theme files, and successful requests containing keywords like “emergency_login”, “check_plugin”, and “urlchange”.
- Educate staff about the existence of ClickFix techniques like fake CAPTCHA and the risks of search engine optimisation techniques leading them to engage with malicious sites.
- Consider offering staff a reputable password manager which may warn users that the site they are visiting is not legitimate.
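For the web log check in the steps above, the following is an added example and not code from CyberCX or the DarkEngine report. It scans access log lines for successful requests containing the three keywords. It assumes the common/combined log format and treats HTTP 2xx as "successful"; the sample lines are constructed, because this page does not say where in a request the keywords appear.

```python
import re
from urllib.parse import unquote

# Keywords named in the CyberCX advice above.
KEYWORDS = ("emergency_login", "check_plugin", "urlchange")

# Assumed format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_hits(lines):
    """Return (ip, time, status, keyword, target) for successful keyword requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        status = int(m["status"])
        if not 200 <= status < 300:  # assumption: "successful" means HTTP 2xx
            continue
        # Decode percent-encoding twice so encoded keywords still match.
        target = unquote(unquote(m["target"])).lower()
        for kw in KEYWORDS:
            if kw in target:
                hits.append((m["ip"], m["time"], status, kw, m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2025:10:00:01 +0000] "GET /?emergency_login=1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jun/2025:10:00:05 +0000] "POST /?check_plugin=1 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [01/Jun/2025:10:02:11 +0000] "GET /index.php?url%43hange=x HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.15 - - [01/Jun/2025:10:03:00 +0000] "GET /blog/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(*hit, sep="\t")
```

A match is a lead for review alongside the plugin and theme file checks, not proof of compromise on its own.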
You can download the full DarkEngine Report below
About CyberCX
CyberCX is the leading provider of end-to-end cyber security and cloud services. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.