ClickFix Clipboard Hijacker Hits DoD Cybersecurity Vendor's Own Homepage

A ClickFix clipboard hijacker is running on a US DoD cybersecurity vendor's own WordPress homepage. The attacker injects a script that overwrites the clipboard and shows a fake verification overlay. Two WordPress sites were hit within 24 hours using the same attack infrastructure.

A Cybersecurity Vendor Got Hacked on Its Own Homepage

A ClickFix clipboard hijacker is actively running on the homepage of a US Department of Defense cybersecurity vendor. The company sells network exposure management and attack-path analysis to Fortune 500 enterprises and all five branches of the US military. The irony is hard to miss.

Researchers at Sansec found a malicious script tag injected into the site's HTML head, sitting between the cookie consent script and Google Tag Manager. The loader pulls from windlrr.com, a domain registered on April 8, just three days ago.

How the Attack Works

ClickFix attacks show visitors a full-screen verification overlay asking them to paste a "code" into Win+R or a terminal. The catch: the attacker's command is already on the clipboard before the prompt appears. In past campaigns, that command was a PowerShell one-liner that downloads an info-stealer or RAT.

The loader uses two clipboard write methods back to back: a legacy execCommand('copy') for sandboxed iframes and old browsers, followed by navigator.clipboard.writeText() for modern ones. The victim clicking the fake verify button supplies the user gesture needed for clipboard permission.
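As an added defender-side example (not code from the original article, Sansec, or the affected vendor), here is a small Python audit that parses a page's head, flags external script loaders from hosts outside an assumed allowlist, and flags inline head scripts that call the two clipboard-write methods described above. The allowlist, the hostnames and the sample HTML are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumed allowlist of hosts this site legitimately loads head scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "consent.example-cmp.invalid"}
# The two clipboard-write calls the article says the loader uses back to back.
CLIPBOARD_PATTERNS = [
    re.compile(r"execCommand\(\s*['\"]copy['\"]\s*\)"),
    re.compile(r"navigator\.clipboard\.writeText\s*\("),
]
class HeadScriptCollector(HTMLParser):
    """Collect every <script> inside <head>, with its src and inline body."""
    def __init__(self):
        super().__init__()
        self.in_head, self.current, self.scripts = False, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            self.current = {"src": dict(attrs).get("src"), "body": ""}
    def handle_data(self, data):  # html.parser passes script text here verbatim
        if self.current is not None:
            self.current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self.current is not None:
            self.scripts.append(self.current)
            self.current = None
        elif tag == "head":
            self.in_head = False
def audit_head_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings: unknown external loaders and inline clipboard writers in <head>."""
    parser = HeadScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = (urlsplit(s["src"]).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(("unknown-external-loader", host))
        elif any(p.search(s["body"]) for p in CLIPBOARD_PATTERNS):
            findings.append(("inline-clipboard-write", s["body"].strip()[:40]))
    return findings
# Constructed sample: consent script, injected loader, inline clipboard writer, then GTM.
SAMPLE_HTML = """<html><head><script src="https://consent.example-cmp.invalid/cmp.js"></script>
<script src="https://attacker-loader.invalid/l.js"></script>
<script>document.execCommand('copy');navigator.clipboard.writeText(x);</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
</head><body></body></html>"""
```

Run it against a saved copy of your own homepage and compare the findings to the scripts you expect to be there; anything loading from a host you do not recognise deserves a look.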

At the time of Sansec's report, the C2 server was returning benign redirects to Google, but the attacker can flip the switch at any moment.

Anti-Research Stack Blocks Scanners

The loader includes a proof-of-work challenge, browser fingerprinting, and detection of automation tools like Selenium, PhantomJS, and Chrome DevTools. Unknown fingerprints get the benign redirect, so automated scanners and VirusTotal submissions never see the actual attack payload.

Two WordPress Sites, Same Injection Slot

A global restaurant chain was hit first, with the same C2 domain rotating from stromao.com to windlrr.com within 24 hours. Both domains were registered three minutes apart. Both victim sites run WordPress. The identical injection point suggests automated exploitation of a WordPress plugin vulnerability rather than credential reuse.

WAFplanet Take

This is exactly the kind of attack that a properly configured WordPress WAF should catch at the edge. Wordfence, NinjaFirewall, Sucuri, and Patchstack all offer rules that can block malicious script injection into WordPress headers. Cloudflare can filter the C2 domain at the DNS level.

The fact that a DoD cybersecurity vendor's own WordPress site was running without adequate WAF protection is a brutal reminder. Corporate marketing sites are a blind spot, even at companies that sell the tools to fix exactly this problem. If you run WordPress, deploy a WAF. If your WAF vendor's own site gets popped, maybe reconsider your vendor.

Sansec Shield (the researcher's own product) is designed to stop exactly this type of malicious third-party script injection in real time.