The ACSC has issued an alert regarding a campaign distributing Vidar Stealer malware via compromised WordPress sites using the ClickFix social engineering technique, which employs fake CAPTCHA prompts to trick users into executing malicious commands that bypass traditional defenses. The article does not provide a CVSS score, specific affected software version ranges, or a fixed version number. Recommended workarounds and mitigations include restricting execution of unauthorized applications, ensuring all software is fully patched, blocking clipboard write access from browser JavaScript, and enforcing phishing-resistant MFA.
The Australian Cyber Security Centre (ACSC) has issued a warning about a malicious cyber campaign which exploits the ClickFix social engineering technique to deliver potent password-stealing malware. In the alert, issued on May 7, Australian Signals Directorate’s (ADC) ACSC warned that the Vidar Stealer campaign is targeting infrastructure and organizations across multiple sectors. Vidar Stealer is a form of infostealer which primarily targets Microsoft Windows users and is designed to steal sensitive information from victims. Information it targets includes usernames, passwords, credit card data, cryptocurrency wallets, browser history, multi-factor authentication (MFA) tokens and more. The malware has been active since 2018. The ACSC has warned that a widespread campaign to distribute the malware combines compromised WordPress sites with ClickFix techniques . Users are directed to compromised WordPress sites, which are then used to redirect to sites which are designed to deliver the malware. The sites leverage ClickFix, a social engineering tactic which tricks users into unwittingly running malicious commands or downloading harmful payloads onto their own machines. In this campaign, the ClickFix technique uses fake CAPTCHA verification prompts to convince users to execute malicious commands or scripts. Because the user is entering command, it commonly bypasses traditional cybersecurity protections. Once deployed, Vidar Stealer employs defense‑evasion techniques, including self‑deletion of the initial executable, which enables the malware to persist and operate primarily in memory, making it harder to detect and remove. How to Mitigate Vidar Stealer Attacks The ACSC recommends that organizations follow guidance issued in the alert to counter the threat of Vidar Stealer and other malware campaigns distributed by ClickFix attacks. The advice includes: Restrict execution of unauthorised or unapproved applications, including downloaded executables and scripts Ensure WordPress, plugins, themes, browsers, and scripting engines are fully patched and up to date Block or limit clipboard write access from browser-based JavaScript and untrusted web content Ensure operating systems are kept fully patched with the latest security updates. Apply patches promptly to endpoints and servers, particularly those exposed to the internet Enforce phishing-resistant MFA