Hackers Exploit Ghost CMS CVE-2026-26980 to Poison Websites
A critical SQL injection vulnerability within Ghost CMS is actively being exploited by at least two distinct threat actor groups. These groups are leveraging the flaw to silently infect over 700 websites with ClickFix malware, consequently exposing visitors to significant risk. Details of this exploitation were outlined in a recent report.
The vulnerability, tracked as CVE-2026-26980, was publicly disclosed as early as February 19, 2026. Despite this, many Ghost CMS administrators failed to apply the available patch in time.
Attackers wasted little time, scanning for unpatched installations, stealing Admin API keys, and mass-modifying article content to serve malicious JavaScript loaders to anyone who visited those sites.
Researchers at Qianxin XLab first detected the poisoning activity on May 7, 2026, while investigating a compromise at one of their critical customers.
Qianxin said in a report shared with Cyber Security News that what initially appeared to be a targeted intrusion turned out to be a broad, automated campaign hitting Ghost CMS installations worldwide.
The attack chain was described as systematic, covering CMS takeover, page poisoning, two-stage payload loading, social engineering, and final malware delivery.
The scope of damage expanded rapidly. By May 10, researchers had confirmed 156 poisoned domains.
One week later, that number had ballooned to over 700, including websites operated by Harvard University, Oxford University, and Auburn University. The affected sites span dozens of industries including blockchain, AI, media, fintech, and security research.
What makes this campaign particularly dangerous is the level of trust users place in well-known websites. Visitors to compromised Ghost sites had no visible warning signs.

The poisoned articles looked completely normal, with the malicious code silently embedded at the bottom of each page, waiting to activate when a reader scrolled through.
Hackers Exploit Ghost CMS CVE-2026-26980
The vulnerability at the center of this campaign is a high-risk SQL injection flaw in Ghost CMS that allows unauthenticated attackers to read directly from the database, including the Admin API Key.
With that key in hand, attackers could call the Ghost Admin API to silently rewrite articles at scale, with no need to touch the admin panel or the server directly.
| CVE ID | Type | Severity | Affected Component | Impact |
|---|---|---|---|---|
| CVE-2026-26980 | SQL Injection | High | Ghost CMS | Unauthenticated Admin API Key extraction, mass article modification |
Once the malicious JavaScript loader was planted, the attack unfolded in four stages. Stage one dropped the loader at the bottom of articles. Stage two redirected real visitors through a cloaking script that filtered out security researchers and bots.

Stage three presented a convincing fake Cloudflare verification page, tricking users into pressing WIN+R, pasting a command, and hitting Enter. Stage four silently delivered and executed a data-stealing payload on the victim’s machine.
ClickFix Social Engineering and Payload Delivery
The fake verification page is what makes this campaign so effective against ordinary users. It mimics the widely recognized Cloudflare CAPTCHA interface down to the visual styling and wording.
When users click to verify, they unknowingly copy a malicious command to their clipboard and execute it themselves, all while believing they are simply proving they are human.
The payloads evolved as the campaign progressed. Early versions downloaded a DLL named installer.dll via a public CDN and launched it quietly using rundll32.
By May 16, attackers had upgraded to a zero-detection data-stealing Trojan called UtilifySetup.exe, which used an Electron-based framework to establish persistence and contact a command-and-control server every 30 seconds.

A second threat actor group was also found running a parallel campaign through a loader delivered via NotepadPlusPlus.zip.
Qianxin XLab strongly recommends that all Ghost CMS administrators upgrade immediately to the patched version that resolves CVE-2026-26980.
Beyond upgrading, site owners should rotate all credentials including Admin API keys and administrator passwords, audit access logs for unusual bulk PUT requests, and scan article content for fingerprints such as ghost_once_footer_ or atob( combined with appendChild.
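The two detection checks recommended above, as an added example that is not from the report or from Qianxin XLab: a small Python script that scans article HTML for the published fingerprints (ghost_once_footer_, sj.ssc/ipa/, and atob( combined with appendChild) and flags source addresses that issued a burst of PUT requests against the Admin API posts endpoint. The log format (nginx-style combined log), the /ghost/api/admin/posts/ path prefix, the 5-in-10-minutes threshold and every sample post and log line are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fingerprints named in the report. The regexes are an assumption about how the
# atob( / appendChild pair shows up in raw post HTML; adjust to your own theme's markup.
FOOTER_MARKER = "ghost_once_footer_"      # Threat Actor A marker
ACTOR_B_MARKER = "sj.ssc/ipa/"            # Threat Actor B marker (as listed in the IoC table)
ATOB_RE = re.compile(r"\batob\s*\(")
APPEND_RE = re.compile(r"\.appendChild\s*\(")


def scan_post(html: str) -> list[str]:
    """Return the fingerprints found in one article's HTML (empty list if clean)."""
    hits = []
    if FOOTER_MARKER in html:
        hits.append("ghost_once_footer_")
    if ACTOR_B_MARKER in html:
        hits.append("sj.ssc/ipa/")
    if ATOB_RE.search(html) and APPEND_RE.search(html):
        hits.append("atob+appendChild")
    return hits


# Constructed sample posts (not taken from any compromised site).
SAMPLE_POSTS = {
    "welcome-post": "<p>Hello world</p><p>Thanks for reading.</p>",
    "poisoned-post": (
        "<p>Quarterly update</p>"
        '<script>var ghost_once_footer_x=1;var s=document.createElement("script");'
        's.src=atob("BASE64_PLACEHOLDER");document.body.appendChild(s);</script>'
    ),
}

# Assumed nginx-style combined log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_POSTS_RE = re.compile(r"^/ghost/api/admin/posts/")  # assumed Admin API path prefix


def find_bulk_put_sources(log_lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_burst} for sources with >= threshold PUTs to the posts endpoint inside `window`."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT" or not ADMIN_POSTS_RE.match(m.group("path")):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events[m.group("ip")].append(ts)

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window: largest number of PUTs from this IP within `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed log sample: six rapid PUTs from one scripted client, one PUT from a human editor, some GETs.
SAMPLE_LOG = [
    f'203.0.113.10 - - [07/May/2026:02:14:{5 + i:02d} +0000] '
    f'"PUT /ghost/api/admin/posts/{i:024x}/ HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for i in range(6)
] + [
    '198.51.100.7 - - [07/May/2026:09:30:00 +0000] "PUT /ghost/api/admin/posts/aaaaaaaaaaaaaaaaaaaaaaaa/ HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/May/2026:09:31:10 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [07/May/2026:10:00:00 +0000] "GET /welcome-post/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for slug, html in SAMPLE_POSTS.items():
        print(slug, scan_post(html) or "clean")
    print("bulk PUT sources:", find_bulk_put_sources(SAMPLE_LOG))
```

Run the content scan against an export of every post (including drafts and pages, since the Admin API can rewrite either), and tune the burst threshold to your editorial team's normal publishing cadence so a legitimate bulk re-tagging does not drown the alert.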
Visitors who may have accessed any affected Ghost site during the contamination window should run a full local security check on their devices.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | clo4shara[.]xyz | Threat Actor A – Stage 2 cloaking domain (first wave) |
| Domain | cloud-verification[.]com | Threat Actor A – Fake Cloudflare verification page host |
| Domain | jalwat[.]com | Threat Actor A – Payload distribution server |
| Domain | com-apps[.]cc | Threat Actor A – Updated cloaking domain and payload host |
| Domain | web-telegram[.]ug | Threat Actor A – C2 server for UtilifySetup.exe (beacons every 30s) |
| Domain | staticcloudflare[.]pro | Threat Actor B – Malicious CSS loader host |
| Domain | script-dev[.]digital | Threat Actor B – Malicious CSS loader host |
| Domain | script-dev[.]buzz | Threat Actor B – Associated domain |
| Domain | updatesecurity[.]pro | Threat Actor B – Associated domain |
| Domain | updatefilescf[.]top | Threat Actor B – Associated domain |
| Domain | static-file[.]digital | Threat Actor B – Associated domain |
| Domain | download-file[.]today | Threat Actor B – Associated domain |
| Domain | updatefile-cf[.]digital | Threat Actor B – Associated domain |
| Domain | script-dev[.]xyz | Threat Actor B – Associated domain |
| Domain | cdnupdatenews[.]top | Threat Actor B – Final payload download host |
| URL | https://clo4shara[.]xyz/11z77u3.php | Threat Actor A – Stage 2 cloaking PHP script |
| URL | https://com-apps[.]cc/11z77u3.php | Threat Actor A – Updated Stage 2 cloaking PHP script |
| URL | https://platecrumbs[.]com/11z77u3.php | Threat Actor A – Alternate cloaking PHP script |
| URL | https://cloud-verification[.]com/update.zip | Threat Actor A – Malicious ZIP payload |
| URL | https://com-apps[.]cc/update.zip | Threat Actor A – Malicious ZIP payload (updated) |
| URL | https://com-apps[.]cc/NotepadPlusPlus.zip | Threat Actor A – NotepadPlusPlus lure ZIP payload |
| URL | https://jalwat[.]com/static/uploads/campaigns/6/update.zip | Threat Actor A – Early payload ZIP (May 7) |
| URL | https://taketwolabs[.]com/wp-content/NotepadPlusPlus.dll | Threat Actor A – NotepadPlusPlus DLL download URL |
| URL | https://staticcloudflare[.]pro/api/css.js | Threat Actor B – Malicious JavaScript loader |
| URL | https://script-dev[.]digital/api/css.js | Threat Actor B – Malicious JavaScript loader |
| URL | https://cdnupdatenews[.]top/dl?fid=38 | Threat Actor B – Final payload download URL |
| MD5 Hash | 5659292833ec421da11ebde005d9c9a8 | installer.dll – Stage 1 Rust DLL loader (May 7-9) |
| MD5 Hash | d30cc10d54ebc967c8538ff74f442eee | NotepadPlusPlus.dll – Stage 2 Rust DLL loader (May 16+) |
| MD5 Hash | 18a7251ddde77ed24bc54700d84d9be1 | UtilifySetup.exe – Inno Setup Electron-based data-stealing Trojan |
| MD5 Hash | f280e12f51f996dae7fffc64a56ee527 | SuperAppizeSetup.msi – Associated installer |
| MD5 Hash | fceca579efcef09eb507c6ca977ea281 | css.js – Threat Actor B malicious JavaScript loader |
| File Name | installer.dll | Rust-based DLL loader dropped to %TEMP% |
| File Name | update.bat | Batch script for payload execution |
| File Name | NotepadPlusPlus.dll | Renamed installer DLL (Stage 2) |
| File Name | UtilifySetup.exe | Final Electron-based data-stealing Trojan payload |
| File Name | notepadplusplus.js | JavaScript variant of loader (May 18 wave) |
| IP Address | 144.31.236.66 | Threat Actor B – Resolved by staticcloudflare[.]pro and script-dev[.]digital |
| Injected Code Pattern | ghost_once_footer_ | Threat Actor A – Fingerprint in poisoned article content |
| Injected Code Pattern | sj.ssc/ipa/ | Threat Actor B – Fingerprint in poisoned article content |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.