Cybercriminals are combining compromised websites with increasingly sophisticated ClickFix social engineering lures to deliver new infostealer malware, with one campaign alone weaponizing more than 250 WordPress sites across 12 countries. The campaign leads to stealthy in-memory payloads, while a separate attack detected by Microsoft targets Windows Terminal for payload execution instead of the traditional Run dialog. The WordPress campaign has been active since December 2025 and targets visitors with fake Cloudflare CAPTCHA challenges, researchers from security firm Rapid7 revealed in a report this week. The compromised WordPress websites span regional news outlets, local business websites,...