RST TI Report Digest: 16 Mar 2026
ID: 537a3de1-e8ff-524c-b406-46bf6b765a5d
STIX ID: report--537a3de1-e8ff-524c-b406-46bf6b765a5d
Feed Name: RST Cloud Blog
Rapid7 Labs identified an active global campaign, starting in December 2025, that compromises legitimate WordPress sites to serve a ClickFix implant masquerading as a Cloudflare CAPTCHA. The implant uses obfuscated JavaScript and PowerShell to fetch shellcode and deploy multiple infostealers (Vidar, VodkaStealer, Impure and others) via Donut-based loaders. The operation has affected over 250 sites across 12 countries, and the report includes extensive IOCs (IPs, domains, URLs, and hashes) for detection and mitigation.
