THE Australian Cyber Security Centre (ACSC) has issued a warning about a malicious campaign that exploits the ClickFix social engineering technique to deliver Vidar Stealer, a password‑stealing malware, in a campaign that has targeted infrastructure and organisations across multiple sectors.
Vidar Stealer is a form of infostealer which primarily targets Microsoft Windows users and is designed to steal usernames, passwords, credit card data, cryptocurrency wallet details, browser history and MFA tokens, among other data, and the malware has been active since 2018. The ACSC warned that a widespread campaign distributes the malware by combining compromised WordPress sites with ClickFix techniques, directing users to compromised sites that redirect to pages delivering the malware.
The ClickFix method uses fake CAPTCHA prompts to persuade users to run malicious commands or scripts, and the malware employs defence‑evasion techniques such as self‑deletion of the initial executable to persist and operate mainly in memory. According to Australian Signals Directorate’s (ADC) ACSC, organisations should follow the alert’s guidance, including patching WordPress components and enforcing phishing‑resistant MFA. The alert was issued on 7 May 2026, with the information published on 8 May 2026.