Australia warns of ClickFix attacks pushing Vidar Stealer malware
Source: Bleeping Computer

Overview
The Australian Cyber Security Centre (ACSC) warns that a malware campaign is using the ClickFix social‑engineering technique to distribute the Vidar Stealer information‑stealing malware against Australian organisations and critical infrastructure.
What is ClickFix?
ClickFix tricks users into executing malicious commands themselves, typically by displaying a fake CAPTCHA or browser verification prompt on a compromised or malicious website. The prompt instructs the user to copy a PowerShell command and run it manually; because the victim launches the command, the delivery bypasses security controls that would catch an automated drop and installs malware, most often an info-stealer.
Attack Vector
- Compromised WordPress sites redirect visitors to malicious payloads.
- Users see a counterfeit Cloudflare verification or CAPTCHA that tells them to run a PowerShell command.
- Executing the command installs Vidar Stealer, which then runs from memory and deletes its executable to minimise forensic traces.
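The attack chain above leaves host artefacts that a responder can hunt for. The following is an added example written for this page, not code from the article, from BleepingComputer or from the ACSC advisory. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, local admin rights to read the PowerShell Operational log, and a keyword pattern ($SuspiciousPattern) that is an illustrative assumption rather than the ACSC IoC list; it checks the Run dialog history (RunMRU), script block logging events (ID 4104) and live shells started from explorer.exe.

```powershell
# Added example (not from the article or the ACSC advisory): hunt one Windows host
# for traces of a ClickFix-style "paste this command and run it" execution.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows; reading the
# PowerShell Operational log normally needs local admin rights; the keyword
# pattern below is illustrative, NOT the ACSC IoC list, so matches are leads
# to triage rather than confirmed infections.

$SuspiciousPattern = '(?i)(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|' +
                     '\biex\b|invoke-expression|downloadstring|frombase64string|' +
                     '\birm\b|\biwr\b|invoke-webrequest|invoke-restmethod|mshta|' +
                     'bitsadmin|certutil|https?://)'

# The Run dialog (Win+R) keeps a history of typed commands under RunMRU; a ClickFix
# victim leaves the pasted command there, with "\1" appended by Windows.
function Get-RunMruEntries {
    $key = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList') { continue }          # MRUList only stores ordering
        $command = ([string]$key.GetValue($name)) -replace '\\1$', ''
        [pscustomobject]@{
            Source     = 'RunMRU'
            Context    = "slot $name"
            Command    = $command
            Suspicious = [bool]($command -match $SuspiciousPattern)
        }
    }
}

# Event 4104 (script block logging) records the text of every script block
# PowerShell compiles; Properties[2] of the event carries that text.
function Get-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        if ($text -match $SuspiciousPattern) {
            [pscustomobject]@{
                Source     = 'EventID4104'
                Context    = $e.TimeCreated.ToString('s')
                Command    = $text.Substring(0, [Math]::Min(200, $text.Length))
                Suspicious = $true
            }
        }
    }
}

# A shell whose parent is explorer.exe was started from the desktop (Run dialog,
# Start menu, double-click). That is normal for an interactive user, so only
# report it when the command line also matches the pattern.
function Get-ExplorerSpawnedShells {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -notmatch '^(powershell|pwsh|mshta|cmd)\.exe$') { continue }
        $parent = $byId[[uint32]$p.ParentProcessId]
        if (-not $parent -or $parent.Name -ne 'explorer.exe') { continue }
        if ($p.CommandLine -match $SuspiciousPattern) {
            [pscustomobject]@{
                Source     = 'LiveProcess'
                Context    = "pid $($p.ProcessId), parent explorer.exe"
                Command    = $p.CommandLine
                Suspicious = $true
            }
        }
    }
}

$findings = @(Get-RunMruEntries) + @(Get-SuspiciousScriptBlocks) + @(Get-ExplorerSpawnedShells)
$findings | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Run it on a suspect host and pivot from any RunMRU hit to the 4104 events around the same time; because the page notes Vidar deletes its executable after running from memory, these command-history and logging artefacts are often what survives on disk.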
The ACSC advisory notes that the campaign leverages WordPress‑hosted infrastructure to target Australian infrastructure entities.
Read the ACSC advisory
About Vidar Stealer
Vidar Stealer is a malware‑as‑a‑service (MaaS) family that emerged in late 2018. It is popular for its low cost, ease of deployment, and broad data‑theft capabilities, including:
- Browser passwords and cookies
- Cryptocurrency wallet credentials
- Autofill information
- System details
The malware retrieves its command‑and‑control (C2) address via “dead‑drop” URLs that use public services such as Telegram bots and Steam profiles. This technique has been widely used in the past and remains effective.
Recent observations show Vidar Stealer being promoted through:
- Fake “Windows fixes” articles
- TikTok videos
- GitHub repositories
The developer released a new version with multi‑threaded data theft and improved evasion.
Version 2.0 release details
Recommendations
- Restrict PowerShell execution and enforce application allow‑listing.
- Patch WordPress installations: apply security updates for themes and plugins, and remove any unused components.
- Monitor for Indicators of Compromise (IoCs) provided in the ACSC security bulletin to detect or block infections.
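To implement the first recommendation on a single host, the following added example (written for this page, not code from the article or the ACSC advisory) turns on PowerShell script block logging, module logging and transcription, and removes the Run dialog that ClickFix prompts direct victims to paste into. It assumes an elevated PowerShell session, the documented registry-backed policy locations used here, and a placeholder transcript directory; it gives visibility and removes one entry point, while true restriction of PowerShell execution still requires AppLocker or WDAC allow-listing, which is organisation-specific and not shown.

```powershell
# Added example (not from the article or the ACSC advisory): host-level hardening
# against ClickFix on Windows. Run in an elevated session.
# Assumptions: the registry paths below are the documented policy locations for
# PowerShell logging and the Explorer "Remove Run menu" policy; $TranscriptDir is
# a placeholder. Allow-listing via AppLocker/WDAC is still needed to actually
# restrict PowerShell; these settings only log it and remove the Run dialog.

$PsPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\ProgramData\PSTranscripts'   # placeholder; use a write-only, collected share in production

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: event 4104 records the content of executed script blocks,
    # including a one-liner pasted into the Run dialog.
    Set-RegDword "$PsPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging for all modules: event 4103 records pipeline execution details.
    Set-RegDword "$PsPolicy\ModuleLogging" 'EnableModuleLogging' 1
    $names = "$PsPolicy\ModuleLogging\ModuleNames"
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    # Transcription: a text transcript of every session, written to $TranscriptDir.
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    Set-RegDword "$PsPolicy\Transcription" 'EnableTranscripting' 1
    Set-RegDword "$PsPolicy\Transcription" 'EnableInvocationHeader' 1
    New-ItemProperty -Path "$PsPolicy\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Disable-RunDialog {
    # Explorer policy "Remove Run menu from Start Menu" (NoRun) also disables Win+R.
    # The GPO writes it under HKCU; Explorer honours the HKLM copy machine-wide.
    # Takes effect at next logon / policy refresh. Disruptive for admins, so scope
    # it to ordinary user accounts in practice.
    Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun' 1
}

function Test-ClickFixHardening {
    $checks = @(
        @{ Name = 'ScriptBlockLogging'; Path = "$PsPolicy\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      Path = "$PsPolicy\ModuleLogging";      Value = 'EnableModuleLogging' },
        @{ Name = 'Transcription';      Path = "$PsPolicy\Transcription";      Value = 'EnableTranscripting' },
        @{ Name = 'RunDialogDisabled';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoRun' }
    )
    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{ Control = $c.Name; Enabled = ($current -eq 1) }
    }
}

Enable-PowerShellLogging
Disable-RunDialog
Test-ClickFixHardening | Format-Table -AutoSize
```

Test-ClickFixHardening can be run on its own as a compliance check across a fleet; pair the logging it verifies with central collection of the 4103/4104 events and transcripts, since those are what the ACSC IoCs are matched against.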
References
- ACSC advisory on ClickFix attacks (see above).
- “Fake IT‑support sites push malicious PowerShell scripts as Windows fixes” – BleepingComputer.
- “TikTok videos now push infostealer malware in ClickFix attacks” – BleepingComputer.
- “Claude code leak used to push infostealer malware on GitHub” – BleepingComputer.
- “Vidar Stealer abuses Mastodon to silently get C2 configuration” – BleepingComputer.
- “Bing AI promoted fake OpenClaw GitHub repo pushing info‑stealing malware” – BleepingComputer.