RC RANDOM CHAOS

Harvard.edu among 141 hosts serving ClickFix lures

Technical analysis of the campaign that weaponised harvard.edu and 140 other legitimate sites - entry vectors, TDS chain, MITRE mapping, EDR telemetry.


Harvard’s domain was one of 141 legitimate websites observed serving attacker-controlled content in a coordinated abuse campaign disclosed this month. The compromised set spans .edu, .gov, and Fortune 500 .com properties. The payload pattern is consistent across hosts: injected pages indexed by Google, redirected on referrer match, serving phishing kits, fake CAPTCHA loaders, and ClickFix-style PowerShell paste lures. The bug is not in Harvard. The bug is in the trust the open web extends to a high-reputation domain serving attacker content.

The initial access pattern across the 141 hosts is not a single CVE. It is a class. Most affected properties run public CMS stacks - WordPress, Drupal, Adobe Experience Manager, custom PHP front-ends - with at least one of: an unpatched plugin with known RCE, exposed admin endpoints behind weak or reused credentials, or an SSRF-to-RCE path in an editor component. The 2024 LiteSpeed Cache auth bypass (CVE-2024-28000, CVSS 9.8), the WPML SSTI RCE (CVE-2024-6386, CVSS 9.9), and the Bricks Builder eval injection (CVE-2024-25600, CVSS 9.8) are the high-frequency entry vectors observed in WordPress-heavy clusters. Drupal sites show residual exposure from CVE-2022-25277 file upload chains where MIME validation is bypassed by extension casing. None of these require novel research. All have public PoCs older than six months.

The primitive after access is the same on every host. Write to web root. The attacker drops a long-tail page - typically /wp-content/uploads/2024/xx/[keyword-string].html or /sites/default/files/[keyword].php - containing SEO-optimised content targeting a search query the attacker wants to rank for. Document templates, software cracks, university essay help, crypto recovery, sports streams. The page is static HTML or PHP with a referrer-conditional redirect. If the visitor arrives via Google with a matching search term in the Referer header, JavaScript redirects them through a traffic distribution system to the next stage. If the visitor arrives directly, the page renders benign content. This conditional rendering is the reason these pages survive in search indexes for weeks. Googlebot sees the keyword-rich page. The crawler is not redirected. The human is.
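The conditional rendering described above is what a responder should hunt for in the web root, and it is cheap to find statically: a file that both reads the Referer and issues a redirect. The scanner below is an added example, not code from the original post or from any affected site; the sample pages, the uploads directory layout, and the `.invalid` TDS hostname are constructed for the demo.

```python
"""Static triage for referrer-conditional (cloaked) redirect pages.

Added example, not code from the original post. It walks a web root looking
for files that both read the visitor's Referer and issue a redirect, the
cloaking pattern that keeps injected pages alive in search indexes while the
crawler sees only the bait. Sample pages and the directory layout are
constructed.
"""
import re
import tempfile
from pathlib import Path

# Client-side (JS) or server-side (PHP) reads of the Referer.
REFERRER_READ = re.compile(r"document\.referrer|HTTP_REFERER", re.I)
# Redirect primitives: JS location assignment or replace, PHP Location header, meta refresh.
REDIRECT = re.compile(
    r"location(?:\.href)?\s*=[^=]|location\.replace\s*\(|"
    r"header\s*\(\s*['\"]Location:|<meta[^>]+http-equiv=['\"]?refresh",
    re.I,
)
# Search-engine names used as the gating condition.
SEARCH_ENGINE = re.compile(r"google|bing|yandex|duckduckgo", re.I)
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}


def classify(text: str) -> dict:
    """Return the cloaking indicators found in one file's contents."""
    reads_referrer = bool(REFERRER_READ.search(text))
    redirects = bool(REDIRECT.search(text))
    if reads_referrer and redirects:
        verdict = "cloaked-redirect"
    elif redirects:
        verdict = "redirect-only"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "reads_referrer": reads_referrer,
        "redirects": redirects,
        "gates_on_search_engine": bool(SEARCH_ENGINE.search(text)),
    }


def scan(root: str) -> list[dict]:
    """Walk a web root and report every non-benign file, sorted by path."""
    root_path = Path(root)
    findings = []
    for path in root_path.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        result = classify(path.read_text(errors="replace"))
        if result["verdict"] != "benign":
            findings.append({"path": path.relative_to(root_path).as_posix(), **result})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample: SEO bait whose JS redirect fires only on a Google referrer.
CLOAKED_HTML = """<html><head><title>Essay help templates</title></head><body>
<h1>University essay help</h1><p>keyword filler keyword filler</p>
<script>
if (/google\\./i.test(document.referrer)) {
  window.location.href = "https://tds.example.invalid/go?subid=1";
}
</script></body></html>"""

# Constructed sample: the same gate implemented server-side in PHP.
CLOAKED_PHP = """<?php
if (stripos($_SERVER['HTTP_REFERER'] ?? '', 'google') !== false) {
  header('Location: https://tds.example.invalid/?ulp=1');
  exit;
}
?><html><body><h1>Sports streams</h1></body></html>"""

# Constructed sample: an ordinary page with no redirect logic.
BENIGN_HTML = "<html><body><h1>Department of Physics</h1><p>Office hours.</p></body></html>"


def demo() -> list[dict]:
    """Lay the samples out like a WordPress uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root, "wp-content", "uploads", "2024", "xx")
        uploads.mkdir(parents=True)
        (uploads / "essay-help.html").write_text(CLOAKED_HTML)
        (uploads / "streams.php").write_text(CLOAKED_PHP)
        Path(root, "index.html").write_text(BENIGN_HTML)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["verdict"], finding["path"])
```

The point of the two-signal rule is precision: a page that redirects unconditionally is an SEO or site-migration artefact, but a page that reads the Referer before redirecting has no reason to exist in an uploads directory. Run it against a fresh extraction of the web root, not the live tree, so a PHP shell cannot observe the scan.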

The TDS layer is what makes this a campaign rather than 141 incidents. The redirect targets resolve through Keitaro, BlackTDS, and several actor-operated variants. The TDS fingerprints the visitor on IP geolocation, ASN, user agent, and JavaScript execution capability, then routes to one of three terminal payloads observed in this cluster. A ClickFix lure that instructs the visitor to paste a base64 PowerShell command into Run - T1059.001, T1204.004. A fake browser update page delivering SocGholish loader JavaScript - T1189, T1204.002. A credential harvest page mirroring Microsoft 365 login - T1566.002, T1056.003. The terminal payload is selected per visitor. The compromised .edu hosts only the SEO bait. The actual malware never touches Harvard’s infrastructure. The reputation is the asset being stolen.

MITRE mapping for the initial access and persistence side runs T1190 - exploitation of public-facing application - into T1505.003, web shell deployment. The web shells observed are not large: China Chopper variants under 2KB, single-line PHP eval shells, and JSP variants on AEM hosts. T1078, valid accounts, where the entry was a reused admin password rather than a CVE. T1112 modification of registry-equivalent CMS options to disable update notifications. T1562.001 where security plugins are disabled or have their definitions stubbed. On the visitor side, the chain is T1189 drive-by compromise, T1204 user execution, then loader-specific behaviour - T1055.001 DLL injection for SocGholish follow-ons, T1071.001 C2 over HTTPS to compromised WordPress sites used as redirectors, T1555.003 credential theft from browser stores.

For detection engineering, the gap is structural. The compromised hosts are trusted. Outbound proxy logs from a corporate user to harvard.edu do not alert. SSL inspection does not flag the certificate. URL category feeds rank the domain as Education. Reputation scoring from Cisco Talos, Cloudflare Radar, and most commercial feeds rates the parent domain as benign because the parent domain is benign. The malicious surface is a single injected path under a high-reputation host. Path-aware reputation is rare. Most enterprise web filters operate at the FQDN or registered domain level. The control gap is the unit of policy.

What fires depends on where you look. At the network edge, the redirect chain produces a distinctive sequence - GET request to a legitimate .edu host with a Google referer, immediate 302 or JavaScript redirect to an unfamiliar TDS domain, second redirect to the payload host. A Zeek script correlating Referer-bearing GETs to .edu domains with sub-second redirects to unrelated registered domains will surface this. Suricata signatures for known TDS query string patterns - Keitaro’s ?subid= and ?ulp= parameters, BlackTDS’s hash-prefixed paths - catch the second hop. The first hop, the request to the compromised host itself, is invisible at the network layer. It looks like a normal page load.
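The network-edge correlation above is easy to describe and slightly fiddly to get right, because the first hop looks like a normal page load and only the timing and the domain change give it away. The pass below is an added example, not code from the original post and not a Zeek script; it is a Python correlation over exported Zeek http.log records. The log excerpt, hosts, and timestamps are constructed. The query-string check covers the Keitaro `subid` and `ulp` parameters named above, and registered-domain extraction is a naive last-two-labels approximation (use a public-suffix list in production).

```python
"""Correlate Zeek http.log records for the Google -> .edu -> TDS -> payload chain.

Added example, not code from the original post. Records are parsed from
Zeek's TSV layout; the excerpt below is constructed and shows one victim
(10.0.0.5) that is redirected through a TDS and one benign visitor (10.0.0.7)
who arrives from the same search and simply browses on.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ZEEK_HTTP_LOG = """#fields\tts\tuid\tid.orig_h\tmethod\thost\turi\treferrer\tstatus_code
1700000000.100\tCa1\t10.0.0.5\tGET\twww.harvard.edu\t/wp-content/uploads/2024/xx/essay-help.html\thttps://www.google.com/\t200
1700000000.450\tCa2\t10.0.0.5\tGET\ttds-hop.example\t/go?subid=4821&ulp=2\thttps://www.harvard.edu/wp-content/uploads/2024/xx/essay-help.html\t302
1700000000.900\tCa3\t10.0.0.5\tGET\tupdate-notice.example\t/verify/index.html\t-\t200
1700000030.000\tCb1\t10.0.0.7\tGET\twww.harvard.edu\t/wp-content/uploads/2024/xx/essay-help.html\thttps://www.google.com/\t200
1700000035.000\tCb2\t10.0.0.7\tGET\twww.harvard.edu\t/about/\t-\t200
"""

# Keitaro-style query parameters named in the post; extend per TDS family.
TDS_PARAMS = {"subid", "ulp"}


def parse_http_log(text: str) -> list[dict]:
    """Parse Zeek TSV: '#fields' names the columns, '-' becomes None, ts becomes float."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def registered_domain(host: str) -> str:
    """Naive last-two-labels approximation of the registered domain."""
    return ".".join(host.lower().split(".")[-2:])


def tds_indicators(uri: str) -> list[str]:
    """Query-string parameter names matching known TDS patterns."""
    return sorted(k for k in parse_qs(urlsplit(uri).query) if k in TDS_PARAMS)


def detect_chains(records: list[dict], window: float = 1.0) -> list[dict]:
    """Flag a Google-referred .edu GET followed within `window` seconds by
    hops to one or more unrelated registered domains."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["id.orig_h"]].append(rec)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):
            from_google = bool(first["referrer"] and "google." in first["referrer"])
            if not (first["host"].endswith(".edu") and from_google):
                continue
            chain, seen = [first], {registered_domain(first["host"])}
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - chain[-1]["ts"] > window:
                    break  # sub-second hops only; normal browsing is slower
                dom = registered_domain(nxt["host"])
                if dom not in seen:
                    chain.append(nxt)
                    seen.add(dom)
            if len(chain) >= 2:
                alerts.append({
                    "client": client,
                    "hops": [r["host"] for r in chain],
                    "tds_indicators": sorted({p for r in chain[1:] for p in tds_indicators(r["uri"])}),
                    "elapsed": round(chain[-1]["ts"] - chain[0]["ts"], 3),
                })
    return alerts


def demo() -> list[dict]:
    return detect_chains(parse_http_log(ZEEK_HTTP_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The window is the whole detection: the benign visitor in the sample also arrives from Google and also lands on the injected page, but their next request is five seconds later and to the same registered domain, so no chain forms. The TDS parameter match is supporting evidence rather than a requirement, since actor-operated TDS variants will not share Keitaro's parameter names.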

At the endpoint, the ClickFix branch is where EDR has clear ground. The lure instructs the user to press Win+R, paste a command, and execute. The command is mshta or powershell consuming a base64-encoded string with -EncodedCommand or IEX (New-Object Net.WebClient).DownloadString. Sysmon Event ID 1 captures the process creation with the parent as explorer.exe and the command line containing the encoded payload. ParentImage explorer.exe, Image powershell.exe, and a CommandLine containing -enc or FromBase64String together make a high-fidelity detection. Microsoft Defender for Endpoint surfaces this under InitialAccess and Execution categories with the alert title containing ClickFix or Suspicious PowerShell. CrowdStrike Falcon raises this as a Scripting/SuspiciousPowerShellEncoded detection. The signal exists. The control gap is whether the rule is tuned to alert on parent explorer.exe specifically - many environments suppress encoded PowerShell from administrative parents and inadvertently widen the exception.

The SocGholish branch is harder. The fake update delivers a JavaScript loader executed by wscript.exe or mshta.exe. Sysmon Event ID 1 with ParentImage of a browser process and ChildImage of wscript.exe is the primary signal. Event ID 3 network connections from wscript.exe to non-Microsoft domains are the supporting signal. The C2 traffic is HTTPS to compromised WordPress sites, often the same class of compromised legitimate host as the initial redirect. Beacon intervals are jittered. JA3 fingerprints match the standard Windows TLS stack. There is no exotic indicator. The detection has to be behavioural - a scripting host making outbound HTTPS connections is anomalous regardless of destination reputation.
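Both endpoint branches, the ClickFix encoded-PowerShell case and the SocGholish script-host case, reduce to a few Sysmon field comparisons, and the tuning trap in the ClickFix paragraph is worth seeing in code. The rule set below is an added example, not code from the original post and not any vendor's detection content. Events are dicts in the shape of a Sysmon JSON export; the paths, the management-agent allowlist entry, and the destination hostname are constructed, and the encoded command is generated in place so it decodes to a harmless string.

```python
"""Sysmon Event ID 1 / Event ID 3 rules for the ClickFix and SocGholish branches.

Added example, not code from the original post. Three rules: encoded or
download-cradle PowerShell spawned by explorer.exe (ClickFix), a browser
spawning a script host (SocGholish loader), and any outbound connection from
a script host. All sample events are constructed.
"""
import base64
import re
from pathlib import PureWindowsPath

# PowerShell accepts -e, -ec, -enc and -EncodedCommand followed by base64 (UTF-16LE).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INLINE_CRADLE = re.compile(r"FromBase64String|DownloadString|Invoke-Expression|\bIEX\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Assumed tuning: encoded PowerShell from this (constructed) management agent is
# expected. The allowlist is keyed on the parent path and is never consulted
# when the parent is explorer.exe, so it cannot swallow the ClickFix case.
ALLOWLISTED_PARENTS = {r"c:\program files\mgmtagent\agent.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_clickfix(ev: dict):
    if ev["EventID"] != 1 or basename(ev["Image"]) not in SHELLS:
        return None
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is None and not INLINE_CRADLE.search(ev["CommandLine"]):
        return None
    parent = basename(ev["ParentImage"])
    if parent != "explorer.exe" and ev["ParentImage"].lower() in ALLOWLISTED_PARENTS:
        return None  # tuned exception for a known agent, never for explorer.exe
    return {"rule": "clickfix_encoded_powershell", "parent": parent, "decoded_command": decoded}


def rule_socgholish_exec(ev: dict):
    if (ev["EventID"] == 1 and basename(ev["ParentImage"]) in BROWSERS
            and basename(ev["Image"]) in SCRIPT_HOSTS):
        return {"rule": "browser_spawned_script_host",
                "parent": basename(ev["ParentImage"]), "image": basename(ev["Image"])}
    return None


def rule_script_host_network(ev: dict):
    """Outbound connection from a script host, regardless of destination reputation."""
    if ev["EventID"] == 3 and basename(ev["Image"]) in SCRIPT_HOSTS:
        return {"rule": "script_host_outbound", "image": basename(ev["Image"]),
                "destination": ev.get("DestinationHostname") or ev.get("DestinationIp")}
    return None


RULES = (rule_clickfix, rule_socgholish_exec, rule_script_host_network)


def evaluate(events: list[dict]) -> list[dict]:
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed encoded command; decodes to a harmless string.
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_ENC = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # ClickFix: pasted into Win+R, so explorer.exe is the parent.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -enc {SAMPLE_ENC}"},
    # Same command line from the allowlisted agent: suppressed by tuning.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\MgmtAgent\agent.exe",
     "CommandLine": f"powershell.exe -enc {SAMPLE_ENC}"},
    # SocGholish: the browser hands a downloaded .js to wscript.exe ...
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\Downloads\Update.js'},
    # ... which then connects out over HTTPS (constructed destination).
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "blog.compromised-example.invalid", "DestinationPort": 443},
    # Benign: explorer.exe starting PowerShell with a plain command line.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]


def demo() -> list[dict]:
    return evaluate(SAMPLE_EVENTS)
```

The second sample event is the tuning caveat from the paragraph above made concrete: the allowlist is scoped to a named parent path and is only consulted when the parent is not explorer.exe, so a broad "suppress encoded PowerShell" exception never gets the chance to absorb the user-pasted case. Decoding the payload in the alert also gives the analyst the cradle in plaintext instead of a base64 blob.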

The credential harvest branch produces nothing on the endpoint beyond a browser visiting a phishing page. Detection moves to identity. Entra ID sign-in logs show authentication from the attacker’s IP, typically a residential proxy in the same country as the victim to defeat impossible-travel rules. The signal is session token replay - the attacker uses the harvested credential plus MFA bypass via adversary-in-the-middle frameworks like Evilginx3 or Tycoon 2FA, then replays the stolen session token. Detection requires correlating sign-in IP, ASN, and device fingerprint deltas between the legitimate session and the replayed one. Microsoft’s Token Protection in Conditional Access binds the refresh token to the device. Where it is enforced, the replay fails. Where it is not, the attacker holds the session until forced rotation.
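The identity-side correlation above is a delta computation over sign-ins that share a session. The detector below is an added example, not code from the original post or Microsoft's own analytics. Records are dicts in the shape of an assumed sign-in log export; the field names (`userPrincipalName`, `sessionId`, `ipAddress`, `autonomousSystemNumber`, `deviceId`, `country`, `mfaSatisfied`) are assumptions, and every record is constructed. It anchors each session on the first sign-in that satisfied MFA and flags any later sign-in that reuses the session from a different ASN or device without a fresh MFA; the country comparison is carried along to show why an impossible-travel rule stays quiet.

```python
"""Session-token replay detection over Entra ID sign-in records.

Added example, not code from the original post. Field names are assumptions
about an export format; all records are constructed. Timestamps are ISO 8601
in UTC, so string ordering equals chronological ordering.
"""
from collections import defaultdict

SIGNINS = [
    # alice completes MFA on her managed laptop.
    {"userPrincipalName": "alice@example.invalid", "sessionId": "S1",
     "ts": "2024-11-04T10:00:00Z", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64500, "country": "US",
     "deviceId": "dev-alice-laptop", "mfaSatisfied": True},
    # Seven minutes later the same session token is presented from a
    # residential-proxy ASN in the same country, with no device binding.
    {"userPrincipalName": "alice@example.invalid", "sessionId": "S1",
     "ts": "2024-11-04T10:07:00Z", "ipAddress": "198.51.100.77",
     "autonomousSystemNumber": 64501, "country": "US",
     "deviceId": "", "mfaSatisfied": False},
    # bob: two sign-ins in one session, same ASN and device, no alert.
    {"userPrincipalName": "bob@example.invalid", "sessionId": "S2",
     "ts": "2024-11-04T10:00:00Z", "ipAddress": "203.0.113.20",
     "autonomousSystemNumber": 64500, "country": "US",
     "deviceId": "dev-bob-laptop", "mfaSatisfied": True},
    {"userPrincipalName": "bob@example.invalid", "sessionId": "S2",
     "ts": "2024-11-04T10:30:00Z", "ipAddress": "203.0.113.20",
     "autonomousSystemNumber": 64500, "country": "US",
     "deviceId": "dev-bob-laptop", "mfaSatisfied": False},
    # alice from her phone on a mobile carrier, but as a new session with
    # fresh MFA: a different ASN and device, and still no alert.
    {"userPrincipalName": "alice@example.invalid", "sessionId": "S3",
     "ts": "2024-11-04T11:00:00Z", "ipAddress": "192.0.2.9",
     "autonomousSystemNumber": 64502, "country": "US",
     "deviceId": "dev-alice-phone", "mfaSatisfied": True},
]

DELTA_FIELDS = ("ipAddress", "autonomousSystemNumber", "deviceId")
REPLAY_FIELDS = ("autonomousSystemNumber", "deviceId")  # an IP change alone is too noisy


def detect_token_replay(signins: list[dict]) -> list[dict]:
    """Flag non-MFA sign-ins that reuse an MFA-anchored session from a new ASN or device."""
    sessions = defaultdict(list)
    for s in signins:
        sessions[(s["userPrincipalName"], s["sessionId"])].append(s)
    alerts = []
    for (user, sid), events in sessions.items():
        events.sort(key=lambda e: e["ts"])
        anchor = next((e for e in events if e["mfaSatisfied"]), None)
        if anchor is None:
            continue  # nothing to replay: the session never passed MFA
        for later in events:
            if later is anchor or later["ts"] <= anchor["ts"] or later["mfaSatisfied"]:
                continue  # a fresh MFA from a new device is re-auth, not replay
            deltas = {f: (anchor[f], later[f]) for f in DELTA_FIELDS if anchor[f] != later[f]}
            if any(f in deltas for f in REPLAY_FIELDS):
                alerts.append({
                    "user": user,
                    "sessionId": sid,
                    "replayed_at": later["ts"],
                    "deltas": deltas,
                    # Same-country proxy: a distance/velocity rule has nothing to see.
                    "impossible_travel_fires": anchor["country"] != later["country"],
                })
    return alerts


def demo() -> list[dict]:
    return detect_token_replay(SIGNINS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `mfaSatisfied` gate is what separates replay from legitimate re-authentication: a user who opens a new session on a phone and passes MFA changes ASN and device just as the attacker does, but the attacker's replayed token never triggers a prompt. Where Token Protection is enforced the replayed refresh token fails before this rule ever sees it; this detector is for the tenants where it is not.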

The technical reality after cleanup. Harvard and the other 140 hosts will remove the injected files. Search engines will deindex the malicious paths over weeks. The TDS infrastructure rotates faster than takedowns. The actor operating this campaign has a model that does not depend on any single host - the value is the aggregate reputation pool, and the pool is replenished from the next batch of unpatched CMS instances. The residual exposure is in every public-facing CMS that has not patched the same plugin classes, in every web filter that scores at the FQDN level, and in every EDR rule that suppresses encoded PowerShell when the parent looks administrative. The patch for any one CVE in the entry path closes one door. The campaign continues through the other 200,000.
