Ghost CMS Flaw Abused to Poison 700 Websites With ClickFix Malware
ID: d16f2f7d-3353-5f1b-971b-4f359e133fbf
STIX ID: report--d16f2f7d-3353-5f1b-971b-4f359e133fbf
Feed Name: Cyber Press
A large-scale campaign has compromised over 700 Ghost CMS sites (including high-profile university portals) by exploiting a SQL injection flaw to steal Admin API keys and silently append malicious JavaScript to published articles. The injected script redirects visitors to a convincing fake Cloudflare verification page that instructs them to run a PowerShell command, resulting in the installation of a stealthy infostealer (UtilifySetup.exe) that persists on the host and communicates with a remote C2 server; the attackers use cloaking and fingerprinting to evade analysis, and multiple criminal groups are competing for control of the compromised sites. Recommended immediate actions: upgrade Ghost to the patched version, rotate Admin/Content API keys and passwords, remove injected <script> tags from content, and audit access logs for suspicious Admin API PUT requests.
