Home > Security > Security News

Fake Cloudflare Verification Attack Targets WordPress Sites with Advanced Multi-Stage Malware

Published on May 22, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
Cloudflare DDoS

A new wave of sophisticated malware is exploiting WordPress sites by impersonating legitimate Cloudflare human verification prompts. Attackers manipulate users into executing malicious Windows commands.

The campaign’s realism is particularly hazardous for less technical users, who may be convinced by the authentic-looking Cloudflare styling and clear prompts, with an infection technique specifically designed to evade detection and maximize impact.

Once executed, the malware can steal credentials, install information stealers, or establish persistent backdoors for attackers.

Classic fake Cloudflare page
Classic fake Cloudflare page | Source: Sucuri

The malware distributes itself across all installed WordPress themes by injecting code into the header.php file, security researchers from Sucuri have uncovered. This script then loads a verification.html page crafted to seamlessly mimic Cloudflare’s recognizable verification UI. 

When a visitor lands on an infected WordPress site, they are first prompted to check a box, then instructed to press Win + R, and finally, to paste a PowerShell command into their Windows Run dialog.

Malicious script
Malicious script | Source: Sucuri
Malicious script
Malicious script | Source: Sucuri

If followed, this routine downloads a Windows executable that compromises the user’s system. The critical danger lies in the multi-stage delivery method that begins with the initial malicious code calling out to an external server and downloading obfuscated PowerShell payloads.

These scripts decode further instructions to fetch and execute a ZIP archive containing a secondary payload (test.exe). 

The malware attempts to evade detection by creating Windows Defender exclusions and running processes with administrator privileges. Each layer is heavily obfuscated, helping bypass basic antivirus solutions and complicating forensic analysis.

Add a Comment
Related
Washington Post Investigates Cyberattack Targeting the Organization’s Journalists 
GrayAlpha Deploys NetSupport RAT to Organizations via Fake Browser Updates, 7-Zip Downloaders
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye
Michigan Man to Pay $63,000 and Spend Five Years in Prison for Possession of Child Pornography
SPCA Impersonation Phone Calls to Defraud Pet Owners in Social Engineering Scam
Hijacked Discord Links Deliver Multi-Stage AsyncRAT and Skuld Stealer Campaign
Most Popular
ISP Piracy Liability and Record Labels Face a Landmark Legal Dispute as US Government Sides with Cox
movies 2025
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
TV shows February 2025
2025 TV Premiere Dates: New & Returning TV Series Calendar
Washington Post Investigates Cyberattack Targeting the Organization’s Journalists 
GrayAlpha Deploys NetSupport RAT to Organizations via Fake Browser Updates, 7-Zip Downloaders
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye
ISP Piracy Liability and Record Labels Face a Landmark Legal Dispute as US Government Sides with Cox
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
2025 TV Premiere Dates: New & Returning TV Series Calendar
Washington Post Investigates Cyberattack Targeting the Organization’s Journalists 
GrayAlpha Deploys NetSupport RAT to Organizations via Fake Browser Updates, 7-Zip Downloaders
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye

Most Popular
ISP Piracy Liability and Record Labels Face a Landmark Legal Dispute as US Government Sides with Cox
movies 2025
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
TV shows February 2025
2025 TV Premiere Dates: New & Returning TV Series Calendar
Washington Post Investigates Cyberattack Targeting the Organization’s Journalists 
GrayAlpha Deploys NetSupport RAT to Organizations via Fake Browser Updates, 7-Zip Downloaders
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye
ISP Piracy Liability and Record Labels Face a Landmark Legal Dispute as US Government Sides with Cox
2025 Movie Release Dates: Calendar for Theatrical and Streaming Dates
2025 TV Premiere Dates: New & Returning TV Series Calendar
Washington Post Investigates Cyberattack Targeting the Organization’s Journalists 
GrayAlpha Deploys NetSupport RAT to Organizations via Fake Browser Updates, 7-Zip Downloaders
CyberVolk Declares Cyberwar Against Europe, Japan and the U.S. Under Operation BlackEye

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: