Australia warns of ClickFix attacks pushing Vidar Stealer malware

Summary

The Australian Cyber Security Center (ACSC) has issued a warning about an ongoing ClickFix social engineering campaign targeting Australian organizations through compromised WordPress websites. The attack tricks users into executing malicious PowerShell commands via fake CAPTCHA prompts, leading to infection with Vidar Stealer, an info-stealing malware that harvests browser credentials, cryptocurrency wallets, and system data. ACSC recommends restricting PowerShell execution, implementing application allow-listing, and securing WordPress installations against the threat.

Full text

Australia warns of ClickFix attacks pushing Vidar Stealer malware By Bill Toulas May 7, 2026 02:00 PM 0 The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. ClickFix is a social engineering attack technique that tricks users into executing malicious commands, usually through fake CAPTCHA or browser verification prompts displayed on compromised or malicious websites. The attack typically tricks users into executing PowerShell commands to bypass security controls and deliver malware, typically info-stealers. Australian organizations and infrastructure entities are being targeted in attacks that involve compromised WordPress websites that redirect to malicious payloads. Users visiting these websites are shown a fake Cloudflare verification or CAPTCHA prompt that instructs them to copy and manually execute a malicious PowerShell command on their system, which leads to a Vidar Stealer infection. “The Australian Signals Directorate’s Australian Cyber Security Center (ASD's ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware,” reads the agency's advisory. Vidar Stealer is an information-stealing malware family and malware-as-a-service (MaaS) operation that emerged in late 2018. It gradually became a popular choice among cybercriminals for its cost-effectiveness, ease of deployment, and broad data theft capabilities. It targets browser passwords, cookies, cryptocurrency wallets, autofill information, and system details. It has been observed in ClickFix attacks, promoted through Windows fixes, TikTok videos, and GitHub. Last year, the developer released a new version with upgraded capabilities. ACSC notes that Vidar deletes its executable after launching on the infected device and then operates from system memory, reducing forensic artifacts. It retrieves a command-and-control (C2) address via “dead-drop” URLs using public services like Telegram bots and Steam profiles, a tactic that has been widely used in the past but which remains effective. ACSC recommends that organizations restrict PowerShell execution and implement application allow-listing to reduce the risk from these attacks. WordPress site administrators are also advised to apply available security updates for themes and add-ons, and to remove any unused themes/plugins from their platforms. ACSC's security bulletin provides indicators of compromise (IoCs) for these attacks, allowing organizations to set up defenses or detect intrusions. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: New macOS stealer campaign uses Script Editor in ClickFix attackNew Infinity Stealer malware grabs macOS data via ClickFix luresShai Hulud attack ships signed malicious TanStack, Mistral npm packagesFake OpenAI repository on Hugging Face pushes infostealer malwareDAEMON Tools devs confirm breach, release malware-free version

Entities