Fake Google reCAPTCHA — How to find & clean the malware?

Recently, we worked on a WordPress website that intermittently displayed a fake reCAPTCHA widget. No visible malware was found in the source code, and the database was also free of any suspicious code. However, after analysing the raw access logs with Claude, we discovered that several JS files had been modified between 25 May 2026, 04:06 and 05:08.
No suspicious POST requests were observed in that window, which indicates that the files were changed through hosting access rather than through the web application, i.e. the cPanel password was likely compromised.


How to find the infected files?

To find the infected files, search all PHP and JS files on the server for the following string (the opening of the injected, obfuscated wrapper):

;(function(_0
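A small scanner for that step, added here as an example (not code from the original post): it walks a site tree, flags PHP/JS files containing the signature above or the domain/IPs quoted later in this post, and records each hit's modification time so it can be compared with the window seen in the access logs. The demo builds a constructed sample tree in a temporary directory; the file contents are made up for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Signature quoted in the post: the opening of the obfuscated injected wrapper.
MARKER = ";(function(_0"
# Indicators quoted in the post (domain and IPs seen in this campaign).
IOCS = ("slndcdnclaud.beer", "178.16.52.101", "158.94.208.104")
SCAN_EXTS = (".php", ".js")


def scan_content(text):
    """Return the list of indicators found in one file's contents."""
    hits = []
    if MARKER in text:
        hits.append(MARKER)
    hits.extend(ioc for ioc in IOCS if ioc in text)
    return hits


def scan_tree(root):
    """Walk root, scanning PHP and JS files; return {relative_path: (hits, mtime_utc)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_content(fh.read())
            if hits:
                # Modification time lets you compare the hit with the log window.
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (hits, mtime.isoformat())
    return findings


def demo():
    """Build a constructed (fake) site tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="site-")
    samples = {  # constructed sample contents, not real malware
        "wp-includes/js/jquery.min.js": "/*! jQuery */(function(e){e.fn.x=1})(jQuery);\n"
                                        ";(function(_0x1a2b){var _0x3c4d=_0x1a2b;})();\n",
        "wp-content/loader.php": "<?php echo 'https://slndcdnclaud.beer/x'; ?>\n",
        "wp-content/clean.php": "<?php echo 'hello'; ?>\n",
        "readme.txt": ";(function(_0 not scanned: wrong extension\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {rel: hits for rel, (hits, _mtime) in scan_tree(root).items()}
```

Point `scan_tree` at the document root of a real site to get the list of files to restore from a clean source.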

How to clean the website?

  • Perform a full backup of the website (files and database).
  • Restore core files, plugins, and themes from a legitimate source.
  • Change all user passwords (admin accounts).
  • Review hosting access and change FTP / cPanel / Plesk passwords.
  • Check current cron jobs for any suspicious or unknown tasks.
  • Apply all available updates (WordPress core, plugins, themes).
  • Monitor the website for any further suspicious activity.

  • Sample of infected file (jquery.min.js): https://gist.github.com/magefix/7ed6ccdf9196873b50f521a05a28414d
  • PowerShell (sample): https://gist.github.com/magefix/994fdabe1b1e4fcf8337761b58d5554a
  • Shellcode loader / in-memory PE injector: https://gist.github.com/magefix/e482e249292afcbda0799aa80781e492

Malicious URLs (domains): slndcdnclaud.beer, 158.94.208.104.
Malicious IPs: 178.16.52.101, 158.94.208.104 (AS202412 Omegatech LTD).

Other malicious .beer domains were also observed in the same campaign.

Conclusion: The fake Google reCAPTCHA is part of a sophisticated malicious chain based on a PowerShell downloader. In this case, the payload goes beyond simple script injection and uses in-memory execution (VirtualAlloc + CreateThread) to run malicious code directly on the victim’s system without writing files to disk.
As soon as unusual verification widgets appear on a website (especially fake Cloudflare or Google reCAPTCHA prompts), the site should be taken offline immediately.