The Australian Cyber Security Centre (ACSC) has issued a warning about a malicious cyber campaign which exploits the ClickFix social engineering technique to deliver potent password-stealing malware.
In the alert, issued on May 7, Australian Signals Directorate’s (ADC) ACSC warned that the Vidar Stealer campaign is targeting infrastructure and organizations across multiple sectors.
Vidar Stealer is a form of infostealer which primarily targets Microsoft Windows users and is designed to steal sensitive information from victims. Information it targets includes usernames, passwords, credit card data, cryptocurrency wallets, browser history, multi-factor authentication (MFA) tokens and more. The malware has been active since 2018.
The ACSC has warned that a widespread campaign to distribute the malware combines compromised WordPress sites with ClickFix techniques.
Users are directed to compromised WordPress sites, which are then used to redirect to sites which are designed to deliver the malware.
The sites leverage ClickFix, a social engineering tactic which tricks users into unwittingly running malicious commands or downloading harmful payloads onto their own machines.
In this campaign, the ClickFix technique uses fake CAPTCHA verification prompts to convince users to execute malicious commands or scripts. Because the user is entering command, it commonly bypasses traditional cybersecurity protections.
Once deployed, Vidar Stealer employs defense‑evasion techniques, including self‑deletion of the initial executable, which enables the malware to persist and operate primarily in memory, making it harder to detect and remove.
How to Mitigate Vidar Stealer Attacks
The ACSC recommends that organizations follow guidance issued in the alert to counter the threat of Vidar Stealer and other malware campaigns distributed by ClickFix attacks. The advice includes:
- Restrict execution of unauthorised or unapproved applications, including downloaded executables and scripts
- Ensure WordPress, plugins, themes, browsers, and scripting engines are fully patched and up to date
- Block or limit clipboard write access from browser-based JavaScript and untrusted web content
- Ensure operating systems are kept fully patched with the latest security updates.
- Apply patches promptly to endpoints and servers, particularly those exposed to the internet
- Enforce phishing-resistant MFA
