ClickFix WordPress Attacks Push Vidar Stealer Malware

Stephanie Adlam
ClickFix fake CAPTCHA trap delivers Vidar Stealer through PowerShell

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has warned that ClickFix activity is using compromised WordPress sites to distribute Vidar Stealer malware. The May 7 advisory says the campaign targets Australian infrastructure and organisations across multiple sectors, but the mechanics are relevant to any Windows user who trusts a fake verification prompt on a legitimate-looking site.

Update: KongTuke has now been observed moving the same paste-and-run social-engineering idea into collaboration chat. See our coverage of Microsoft Teams help-desk lures dropping ModeloRAT.

The attack is effective because the website is not always fake. ACSC describes legitimate WordPress pages being injected with a reference to a payload domain that loads external JavaScript, replaces the page with a fraudulent verification screen, and copies an obfuscated PowerShell command to the visitor’s clipboard. The victim is then instructed to run the command manually, often with administrative privileges, which pulls down Vidar with little visible activity.

What makes this different from a normal CAPTCHA

A real CAPTCHA does not need a visitor to open Windows Run, paste a command, or approve PowerShell. That manual step is the entire ClickFix trick: the browser supplies the clipboard content, and the user becomes the execution path. For endpoint teams, the useful signal is not only the final Vidar binary; it is the sequence of browser clipboard write, PowerShell launch, outbound download from the same injected payload domain, and follow-on HTTP/S POST traffic.

Vidar is an infostealer, so the impact is broader than one infected host. ACSC notes that Vidar can steal credentials, browser data, cryptocurrency wallet material, and system information, and that follow-on activity can use the stolen data. In practical terms, a confirmed ClickFix execution should trigger browser credential review, session/token revocation for work accounts used on the machine, wallet checks, and monitoring for new sign-ins from unfamiliar infrastructure.

For Windows triage, look for recently executed PowerShell commands launched after a browser visit, especially obfuscated commands copied from a web page, script-block logging that includes remote download logic, and outbound connections to newly seen domains followed by POST requests. For website owners, the starting point is different: review recently modified WordPress theme, plugin, and template files, check for injected script tags or iframe loaders, remove unused plugins and themes, and compare the live page source against a known-good backup.
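As an added example (not code from the ACSC advisory or from Gridinsoft), the Python below applies the sequence described above to a handful of constructed Sysmon-style events: a PowerShell launch from a user-facing parent with a download-cradle-looking command line, followed by a connection to a host outside an allow-list and a POST to that host. Clipboard writes are rarely logged, so the example substitutes the launching parent process (explorer.exe for the Run dialog) as the "user pasted this" signal; the event shape, hosts, allow-list and five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (simplified Sysmon-style records from one host).
# PID 4120 is the ClickFix-style chain; PID 5001 is a benign developer shell.
SAMPLE_EVENTS = [
    {"ts": "2026-05-07T09:00:01", "kind": "process", "pid": 4120, "image": "powershell.exe",
     "parent": "explorer.exe", "cmd": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2026-05-07T09:00:04", "kind": "network", "pid": 4120, "host": "verify-update.example"},
    {"ts": "2026-05-07T09:00:09", "kind": "http", "pid": 4120, "host": "verify-update.example",
     "method": "POST"},
    {"ts": "2026-05-07T09:05:00", "kind": "process", "pid": 5001, "image": "powershell.exe",
     "parent": "code.exe", "cmd": "powershell -File build.ps1"},
    {"ts": "2026-05-07T09:05:02", "kind": "network", "pid": 5001, "host": "api.github.com"},
]

# Tokens typical of a pasted, obfuscated download cradle in a command line (assumed list).
CRADLE = re.compile(r"(-enc\b|-w hidden|\biex\b|invoke-expression|downloadstring|"
                    r"invoke-webrequest|\biwr\b|frombase64string)", re.I)
# Parents that mean a person launched the shell (Win+R runs under explorer.exe), not a build tool.
USER_LAUNCH_PARENTS = {"explorer.exe", "cmd.exe"}
KNOWN_GOOD_HOSTS = {"api.github.com", "update.microsoft.com"}  # assumed allow-list
WINDOW = timedelta(minutes=5)

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def find_clickfix_chains(events, known_good=KNOWN_GOOD_HOSTS):
    """One finding per PowerShell launch that matches the ClickFix sequence:
    user-launched shell + cradle-like command line, then a connection to a host
    not on the allow-list, then a POST to that host (the follow-on exfil step)."""
    findings = []
    for ev in events:
        if ev["kind"] != "process" or ev["image"].lower() != "powershell.exe":
            continue
        if ev["parent"].lower() not in USER_LAUNCH_PARENTS or not CRADLE.search(ev["cmd"]):
            continue
        start, pid = _t(ev), ev["pid"]
        later = [e for e in events if e.get("pid") == pid and start < _t(e) <= start + WINDOW]
        hosts = {e["host"] for e in later if e["kind"] == "network" and e["host"] not in known_good}
        posts = {e["host"] for e in later if e["kind"] == "http" and e["method"] == "POST"}
        if hosts:  # download from a newly seen domain is the minimum to flag
            findings.append({"pid": pid, "ts": ev["ts"], "hosts": sorted(hosts),
                             "exfil_post": bool(hosts & posts)})
    return findings

if __name__ == "__main__":
    for f in find_clickfix_chains(SAMPLE_EVENTS):
        print(f)
```

A finding with `exfil_post` set to True is the point at which the credential review and token revocation steps above should start, not just host cleanup.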

This is a direct continuation of the pattern Gridinsoft covered in ClickFix evolution and fake CAPTCHA malware delivery. The concrete rule for users is simple but specific: a verification page may ask you to click, solve, or wait, but it should never ask you to paste code into Windows. If that happened, treat it as malware execution, not as a suspicious page that was merely visited.

Update: a newer Ghost CMS campaign shows the same ClickFix idea moving through poisoned CMS content. See Gridinsoft’s report on Ghost CMS sites abused for ClickFix malware delivery.

References

  1. ASD’s ACSC, “ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure,” advisory, first published May 7, 2026, updated May 7, 2026.

Related WordPress risk: Gridinsoft later covered Burst Statistics CVE-2026-8181, an exploited plugin authentication bypass that can lead to administrator takeover.

Related cleanup guide

Related: If the ClickFix or fake CAPTCHA chain started from a game, mod, or private download, use the infostealer after game or mod recovery checklist.

Site owners should also check WP Maps Pro CVE-2026-8732 if they use map or location-directory features, because a rogue administrator account can be the first step before script injection or ClickFix-style visitor abuse.

For a newer WordPress malware example where attackers hide command-and-control data outside the site itself, see our coverage of the Steam C2 WordPress backdoor.

If a compromised WordPress site also runs vulnerable plugins, check recent administrator activity too. A separate Kirki CVE-2026-8206 flaw shows how a reset-link issue can become a site-takeover path before malware is installed.
