A dangerous cybercrime feedback loop has emerged where stolen credentials from infostealer malware<\/a> enable attackers to hijack legitimate business websites and turn them into malware distribution platforms. <\/p>\n Recent research by the Hudson Rock Threat Intelligence Team reveals this self-sustaining cycle transforms victims into unwitting accomplices.<\/p>\n Cybercriminals use a sophisticated social engineering technique called \u201cClickFix\u201d that tricks users into executing malicious code through their own actions. <\/p>\n The attack begins when victims visit compromised websites showing fake security prompts mimicking Google reCAPTCHA or browser error messages. <\/p>\n When users click these fraudulent alerts, malicious JavaScript silently copies a PowerShell command <\/a>to their clipboard.<\/p>\n The fake prompt then instructs users to press Windows+R and paste the \u201cverification code\u201d using Ctrl+V. <\/p>\n This executes the hidden command, downloading infostealer malware such as Lumma, Vidar, or Stealc, directly onto their system while bypassing traditional security controls.<\/p>\n Research analyzing data from the ClickFix Hunter platform, which tracks over 1,600 active malicious domains, uncovered a startling pattern. <\/p>\n Cross-referencing these domains with Hudson Rock\u2019s database of compromised credentials revealed 220 domains, approximately 13% that are simultaneously hosting ClickFix campaigns and have administrative credentials exposed in infostealer logs.<\/p>\n This correlation proves a causal relationship, legitimate businesses whose administrators were infected by infostealers have had their websites hijacked to distribute the same malware that compromised them. <\/p>\n The stolen credentials include access to WordPress admin panels, cPanel hosting controls, and content management systems.<\/p>\n Analysis of jrqsistemas.com demonstrates this pattern. The domain currently hosts an active ClickFix campaign. <\/p>\n However, Hudson Rock intelligence indicates that the WordPress<\/a> login credentials for this site\u2019s administrator were previously stolen by infostealer malware. <\/p>\n Attackers used these valid credentials to access the website and upload malicious scripts, transforming a legitimate business site into an attack platform.<\/p>\n Similar evidence exists for numerous other domains, including wo.cementah.com, where administrative credentials harvested by infostealers enabled unauthorized access for malware hosting.<\/p>\n This feedback loop creates exponential growth in attack infrastructure. As more computers get infected, more credentials are stolen. <\/p>\n More stolen credentials lead to more compromised websites, which expand the surface area for ClickFix campaigns<\/a>, resulting in additional infections. The cycle becomes self-sustaining.<\/p>\n The decentralized nature of this infrastructure makes disruption extremely difficult. Rather than operating from dedicated malicious servers, attackers hide within thousands of legitimate hosting providers using compromised business websites. <\/p>\n Even if authorities dismantle major botnets, the distributed infrastructure remains largely intact.<\/p>\n The ClickFix Hunter platform, developed by ReliaQuest researcher Carson Williams and integrated with Hudson Rock intelligence, provides critical visibility into this threat. <\/p>\n According to Infostealers<\/a>, the tool distinguishes between purely malicious domains and compromised legitimate sites, enabling more effective remediation strategies.<\/p>\n The cybersecurity community must recognize that modern malware distribution increasingly relies on exploiting human behavior rather than technical vulnerabilities. <\/p>\n As browsers and operating systems become more secure, attackers pivot to social engineering tactics that trick users into turning off their own protections. <\/p>\n Understanding and disrupting the infrastructure supporting these campaigns, particularly the credential theft feedback loop, is essential for breaking this dangerous cycle.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Infostealers Enable Attackers to Hijack Legitimate Business Infrastructure for Malware Hosting<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe ClickFix Attack Method<\/strong><\/h2>\n
![\"ClickFix](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/01\/image-8-1024x398.png?resize=1024%2C398&ssl=1\")
![\"A](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/01\/image-9-1024x553.png?resize=1024%2C553&ssl=1\")
![\"Definitive](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/01\/image-10.png?resize=933%2C591&ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/01\/image-11-1024x286.png?resize=1024%2C286&ssl=1\")