BSides Canberra 2025

DarkEngine: Conducting Research into a Highly Orchestrated Phishing Campaign
2025-09-25, Off-Main Track

In June 2025, CyberCX released a report on a highly orchestrated phishing campaign targeting popular WordPress hosting platform WP Engine, dubbed “DarkEngine”, which led to the compromise of at least 2,350 unique WordPress websites worldwide to deliver information stealer and remote access trojan malware through fake CAPTCHA prompts.

ClickFix (and fake CAPTCHA) have become increasingly common as initial access vectors for individuals and organizations, with their detonation often leading to the compromise of sensitive credentials and information used to provide a foothold into organizations’ environments. But how do they get there in the first place?

In this presentation, the lead author of this report shares their research and analysis journey through this campaign’s operations and infrastructure, and provides detection and defence measures that organizations can put in place to reduce the risk of users falling victim to these increasingly common tactics.

Join your conductor, Liam Wilkinson, on this journey of exposed threat actor infrastructure, scripting, and open-source intelligence to trace the tracks of the operations behind “DarkEngine”.

Liam began his cybersecurity journey in 2020 and currently works as a Senior Capability Developer in the Digital Forensics & Incident Response (DFIR) team at CyberCX. In his current role, he is responsible for designing, implementing and maintaining various in-house and third-party tooling used by the DFIR practice, as well as contributing to investigations specializing in cloud and application security.

He currently holds the GIAC Certified Forensic Analyst (GCFA) and GIAC Cloud Security Automation (GCSA) certifications and has a wealth of knowledge and experience in digital forensics, incident response, application security, and software engineering.