The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware.
ClickFix is a social engineering attack technique that tricks users into executing malicious commands, usually through fake CAPTCHA or browser verification prompts displayed on compromised or malicious websites.
The attack typically tricks users into executing PowerShell commands to bypass security controls and deliver malware, typically info-stealers.
Australian organizations and infrastructure entities are being targeted in attacks that involve compromised WordPress websites that redirect to malicious payloads.
Users visiting these websites are shown a fake Cloudflare verification or CAPTCHA prompt that instructs them to copy and manually execute a malicious PowerShell command on their system, which leads to a Vidar Stealer infection.
“The Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware,” reads the agency’s advisory.
Vidar Stealer is an information-stealing malware family and malware-as-a-service (MaaS) operation that emerged in late 2018.
It gradually became a popular choice among cybercriminals for its cost-effectiveness, ease of deployment, and broad data theft capabilities. It targets browser passwords, cookies, cryptocurrency wallets, autofill information, and system details.
It has been observed in ClickFix attacks, promoted through Windows fixes, TikTok videos, and GitHub. Last year, the developer released a new version with upgraded capabilities.
ACSC notes that Vidar deletes its executable after launching on the infected device and then operates from system memory, reducing forensic artifacts.
It retrieves a command-and-control (C2) address via “dead-drop” URLs using public services like Telegram bots and Steam profiles, a tactic that has been widely used in the past but which remains effective.
ACSC recommends that organizations restrict PowerShell execution and implement application allow-listing to reduce the risk from these attacks.
WordPress site administrators are also advised to apply available security updates for themes and add-ons, and to remove any unused themes/plugins from their platforms.
ACSC’s security bulletin provides indicators of compromise (IoCs) for these attacks, allowing organizations to set up defenses or detect intrusions.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
