Australia Warns That Fake Cloudflare CAPTCHAs on Real Australian Websites Are Pushing Vidar Stealer


The Australian Signals Directorate's Australian Cyber Security Centre published an advisory on May 7, 2026 warning that criminal threat actors are using compromised legitimate Australian WordPress websites as launch pads for ClickFix social-engineering attacks delivering the Vidar Stealer information-stealing malware. Visitors to compromised Australian business websites are shown a fake Cloudflare verification prompt that copies a malicious PowerShell command to their clipboard, then instructs them to paste and run it with administrator privileges. ClickFix usage surged 517 percent across 2025 per ESET, has spawned multiple variants (CrashFix, ConsentFix, PhantomCaptcha), and is now in active use by nation-state groups including Kimsuky/TA427, MuddyWater, and APT28.

On May 7, 2026, ASD's ACSC published an advisory on cyber.gov.au titled "ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure." The agency confirmed it has "observed ClickFix associated activity leveraging WordPress hosted infrastructure to distribute the Vidar Stealer malware" against "Australian infrastructure and organisations across multiple sectors." The campaign is delivered through a multi-stage chain: an attacker injects a payload-delivery domain into a compromised legitimate WordPress site, that domain loads JavaScript that overwrites the page content with a fraudulent Cloudflare verification prompt, the JavaScript silently copies an obfuscated PowerShell command to the user's clipboard, and the user is then instructed to manually execute the copied command with administrator privileges. The PowerShell payload retrieves Vidar Stealer from the same payload domain. The advisory provides MITRE ATT&CK technique mappings and a downloadable IOC CSV for defenders.

The single most consequential element of the advisory is what it says about the maturity of the technique. ClickFix has been observed since early 2024, but its growth curve through 2025 was sharp: ESET tracked a 517 percent surge in attacks across the year. Multiple named variations have proliferated — CrashFix, ConsentFix, PhantomCaptcha — and nation-state operators including North Korea's Kimsuky/TA427, Iran's MuddyWater, and Russia's APT28 have adopted the technique alongside ransomware crews like Qilin, Termite, Interlock, and LeakNet. Halcyon's ransomware operations team prevented over 10 pre-ransomware ClickFix instances in March-April 2026 alone. ClickFix is no longer a novel emerging threat; it is standard tradecraft for both commodity infostealer crews and serious actors. The ACSC's regional advisory is a signal that the technique has saturated the threat landscape to the point where individual national CERTs need to publish their own guidance. The Australian-business-website twist matters because it removes the "don't visit suspicious sites" defense — your users are encountering this attack on websites they have legitimate reasons to visit.

ACSC ClickFix / Vidar Advisory Profile

Issuing agency: Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)
Published: May 7, 2026 at cyber.gov.au
Technique: ClickFix social engineering — fake Cloudflare "Verify you are human" prompt loaded via injected JavaScript on compromised WordPress sites; obfuscated PowerShell command silently copied to clipboard for user-executed paste-and-run
Lure platform: Compromised legitimate Australian business WordPress websites; JavaScript loads from external API server and overwrites page content
Final payload: Vidar Stealer — info-stealing malware-as-a-service active since late 2018
Vidar capabilities: Browser passwords, cookies, autofill, cryptocurrency wallets, system details; primarily Windows
Vidar evasion: Self-deletes executable after launch; operates primarily in memory; HTTP/S POST C2 communications; dead-drop URLs hosted on Telegram bots and Steam profiles to hinder takedown
Target geography: Australian infrastructure and organisations across multiple sectors; specific victim entities not publicly named
2025 ClickFix surge: ESET tracked 517% increase in ClickFix attacks across 2025; named variants include CrashFix, ConsentFix, PhantomCaptcha
Nation-state adopters: Kimsuky/TA427 (North Korea), MuddyWater (Iran), APT28 (Russia GRU); plus ransomware crews Qilin, Interlock, Termite, LeakNet
Related Rapid7 campaign: Separate ClickFix WordPress campaign documented by Rapid7 since December 2025: 250+ compromised sites across 12 countries (including Australia); delivered Vidar Stealer plus newly-named Impure Stealer (.NET), VodkaStealer (C++), and DoubleDonut Loader
Mitigation guidance: ACSC recommendations aligned with the ASD Information Security Manual; MITRE ATT&CK technique mappings and IOC CSV provided in advisory appendix

How the ClickFix Chain Actually Works

The technique is mechanically simple, which is part of why it has scaled. The attacker compromises a legitimate WordPress site — typically through one of the well-known plugin or theme vulnerabilities, or through credential reuse against admin accounts — and injects a single small JavaScript snippet. The snippet has detection logic to avoid administrators (it checks for a WordPress admin cookie before doing anything malicious) and only fires for ordinary visitors. When it does fire, it loads a second-stage script from an attacker-controlled API server, which overwrites the page content with a Cloudflare-styled "Verify you are human" challenge. The user clicks the verification checkbox; a pop-up instructs them to open Windows Run (Win+R), paste a command, and execute it with administrator privileges. The clipboard contains an obfuscated PowerShell command, which when run reaches back to the same attacker domain to download and execute the Vidar Stealer binary.

What makes ClickFix uniquely effective is the social-engineering frame. Traditional malware-distribution chains require the user to download and run an executable, which triggers Windows SmartScreen, Mark-of-the-Web warnings, and endpoint protection scanning. ClickFix routes around all of those by having the user themselves type — or rather, paste — a command into a system shell. PowerShell is a trusted Windows component; nothing about the act of running it raises any platform-level alarm. The attacker delegates the security-warning-bypass step to the user, who has just been told this is part of a routine verification process. Once the PowerShell command runs, Vidar's evasion mechanics take over: the binary self-deletes after launch, runs in memory to minimize forensic artifacts, and beacons over HTTP/S POST to dead-drop infrastructure on Telegram bots and Steam profiles — both of which are services many enterprise networks allow because they are consumer applications staff use legitimately.

ClickFix as Standard Tradecraft, Not Novel Threat

The 2025-to-2026 trajectory makes the case that ClickFix has saturated the threat ecosystem. ESET's 517 percent year-over-year surge across 2025 is the headline number; the qualitative evidence is the diversity of operators now using it. Halcyon's ransomware analysts attribute prevented incidents to Qilin, Termite, Interlock, and LeakNet operators, all using ClickFix as initial access for ransomware deployment. Microsoft's Threat Intelligence team has documented Kimsuky/TA427 (North Korea), MuddyWater (Iran), APT28 (Russia GRU), and UNK_RemoteRogue using the technique. Rapid7's December-2025-onward WordPress campaign hit 250+ sites across 12 countries — including Australia — and delivered three different infostealers, including two newly-named ones (Impure Stealer in .NET, VodkaStealer in C++), plus a DoubleDonut Loader for shellcode injection. Sekoia documented a separate framework called IClickFix injected into 3,800+ WordPress sites since 2024. ClearFake (the earlier name for the same family Sucuri tracks) has appeared on more than 25,000 compromised sites cumulatively since August 2023. CyberSignal's social engineering coverage tracks the broader pattern of clipboard-execution and fake-verification lures.

The technique is also evolving. As of April 2026, Halcyon documented a variant that automates the manual paste step via rundll32.exe, eliminating even the user-action requirement. Microsoft's threat intelligence has reported a separate variant substituting the Windows Run dialog (Win+R) with the Windows Terminal app (Win+X) for command execution — useful in environments where Run has been disabled. Trend Micro documented TikTok-video lures delivering Vidar and StealC. The technique is being iterated faster than most defensive teams can update their training. The implication for defenders is that user education alone cannot keep up; the controls have to sit at the platform layer.

Why "Real Australian Websites" Changes the Defense Equation

The ACSC's specific framing — that compromised legitimate Australian business websites are being used as the lure platform — is the operationally significant geographic detail. The traditional user-education advice for malware distribution has been some version of "don't visit suspicious websites," "check the URL," and "verify the site is legitimate." Those defenses fail completely when the site is legitimate. Australian users encountering this attack are visiting websites they have business reasons to visit: their accountant's site, their local council's site, their gym's site, their kids' school's site. The Cloudflare verification prompt looks indistinguishable from a real one because Cloudflare is the most common DDoS-protection and bot-mitigation service on the global web — most users have legitimately seen Cloudflare verification challenges hundreds of times.

The defensive response has to be at the technical control layer, not the user-education layer. The single most effective GPO change — blocking or restricting the Windows Run dialog (Win+R) for end-user accounts where business-justifiable — neutralizes the majority of ClickFix variants. The vast majority of legitimate users never need Run; attackers depend on it. PowerShell Constrained Language Mode for non-admin accounts blocks clipboard-to-PowerShell execution for the use cases where it is operationally feasible. Behavioral detection on PowerShell processes spawned with obfuscated long command-line strings (200+ characters with base64, character substitution, or IEX/Invoke-Expression patterns) catches what gets through. The combination of these controls makes ClickFix substantially harder to land successfully — and attackers facing higher-friction targets tend to migrate to softer ones.

Defender Actions for Australian and Global Organizations

  • For Australian organizations: treat the ACSC advisory as a national-level alert. Brief IT and security teams on the specific behavioral indicators — Run-dialog command execution from clipboard, PowerShell processes with obfuscated 200+ character command lines, connections to Telegram bot APIs (api.telegram.org) and Steam profile URLs from non-user processes. Pull the MITRE ATT&CK technique mappings and IOC CSV from the ACSC advisory directly into your detection tooling.
  • For all organizations: block the Windows Run dialog (Win+R) for end-user accounts via Group Policy where business-justifiable. The vast majority of legitimate users never need it; this single GPO change neutralizes most ClickFix variants in one stroke. Where Run cannot be blocked, restrict its use to admin accounts only and add behavioral detection on Run-spawned PowerShell.
  • Apply PowerShell Constrained Language Mode for non-admin accounts where business operations permit. Detect on PowerShell processes spawned with obfuscated command-line strings — base64 patterns, character substitution, IEX/Invoke-Expression. PowerShell script-block logging (4104) and module logging (4103) provide the visibility most defenders are missing.
  • Educate users on the specific lure pattern. Any "verification" prompt that asks them to copy and paste anything, or to open a Run dialog and execute a command, is malicious without exception. There is no legitimate Cloudflare workflow, no legitimate Microsoft-Defender workflow, no legitimate "verify your browser" workflow that requires this. Document the specific lure language; train against it; test against it. Make this a top-tier user-awareness item, not a footnote.
  • Audit Telegram and Steam egress from corporate endpoints. Vidar Stealer specifically uses Telegram bots and Steam profiles for C2 — these are services many enterprises do not block at the perimeter because they are consumer applications. If your organization allows Telegram and Steam access, you have blind spots in egress monitoring; coordinate with network teams to flag anomalous outbound connections to these services from corporate-managed endpoints, particularly from non-user processes.
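The detection guidance above (PowerShell launched from the Run dialog, obfuscated 200+ character command lines, base64 or -EncodedCommand, character substitution, IEX/Invoke-Expression) can be turned into a triage rule. The Python below is an added example, not code from the ACSC advisory or any vendor: it scores constructed, simplified Sysmon Event ID 1 style process-creation events, and the indicator names, the two-indicator threshold and the sample command lines are all assumptions; it relies on the fact that Win+R launches land with explorer.exe as the parent process.

```python
import base64
import re
# Constructed process-creation events (simplified Sysmon Event ID 1 fields); none is taken
# from the ACSC advisory or its IOC CSV, and the -EncodedCommand sample is built at runtime.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",  # routine admin script
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\Cleanup-Temp.ps1"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # Win+R Run dialog, as in ClickFix
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "'
                    "$a=[char]87+[char]114+[char]105+[char]116+[char]101+[char]45+[char]79+[char]117+[char]116;"
                    "$b=('pu'+'t');$c=('con'+'struc'+'ted-sa'+'mple');IEX ($a+$b+' '+$c)"
                    '" # I am not a robot - reCAPTCHA Verification ID: 000000 (constructed)'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # Run dialog plus -EncodedCommand
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -EncodedCommand " + base64.b64encode(
         "Invoke-Expression 'Write-Output constructed-sample'".encode("utf-16-le")).decode()},
]

ENC_RE = re.compile(r"-e(?:c|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]+)", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # inline base64 without -enc
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
CHARSUB_RE = re.compile(r"\[char\]\s*\d+|-replace\b|-join\b|\[string\]::join|\(\s*'[^']{1,8}'\s*\+", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)

def decode_encoded_command(cmdline):
    m = ENC_RE.search(cmdline)  # -e/-ec/-enc/-EncodedCommand carry base64 of UTF-16LE text
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 or not UTF-16LE: treat as no encoded command

def assess_event(ev):
    # Each (name, hit) pair is one indicator from the write-up; two or more crosses the bar.
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    scan = cmd if decoded is None else cmd + " " + decoded  # look inside the decoded text too
    checks = [
        ("spawned_by_explorer_run_dialog", ev.get("ParentImage", "").lower().endswith("explorer.exe")),
        ("long_command_line", len(cmd) >= 200),
        ("encoded_command", decoded is not None),
        ("base64_blob", decoded is None and BASE64_RUN.search(cmd) is not None),
        ("invoke_expression", IEX_RE.search(scan) is not None),
        ("character_substitution", CHARSUB_RE.search(scan) is not None),
        ("hidden_window", HIDDEN_RE.search(cmd) is not None),
    ]
    reasons = [name for name, hit in checks if hit]
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}

def triage(events):
    return [(ev["CommandLine"], a) for ev in events if (a := assess_event(ev))["suspicious"]]
```

A single indicator (for instance a long but plain vendor script) is deliberately not enough on its own; the decoded text of an -EncodedCommand launch is scanned as well, because the IEX/character-substitution indicators are otherwise invisible in the raw command line.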

The CyberSignal Analysis

Signal 01 — National CERT advisories on ClickFix mark the saturation point

When a national cyber-defense agency publishes a regional advisory on a technique, that technique has crossed the threshold from "emerging" to "established and broadly impactful enough to require national-level guidance." ACSC's advisory follows similar regional alerts from Microsoft, ESET, Halcyon, Rapid7, Sekoia, GoDaddy/Sucuri, and Trend Micro across 2025 and early 2026. The cumulative reporting picture is that ClickFix is now part of the standard initial-access toolkit for everyone from commodity infostealer crews to major nation-state actors. The defensive response needs to match: treat ClickFix as a baseline threat that every endpoint protection program should already be configured against, not as an emerging-threat-of-the-month. If your organization's security awareness program does not include the specific "verify-by-pasting-a-command" lure as of mid-2026, that is a gap to close this quarter, not a future improvement.

Signal 02 — Compromised legitimate websites are the new endemic delivery mechanism

The traditional defensive posture against drive-by malware delivery rested partly on the heuristic that suspicious websites can be flagged, blocklisted, or avoided. The ClickFix WordPress campaign pattern — 250+ compromised legitimate sites across 12 countries in Rapid7's tracking, 3,800+ in Sekoia's tracking, 25,000+ cumulative in Sucuri's tracking — collapses that heuristic. The lure platform is the long tail of small-business, regional-news, and local-services WordPress sites that have legitimate audiences and lack the security maturity to detect injected JavaScript on their own pages. There is no realistic blocklist that captures this attack surface; the universe of legitimate WordPress sites is too large and too dynamic. The defensive shift is from URL-based reputation to behavior-based detection: the question moves from "is this site trusted?" to "is what this site is asking the user's browser to do consistent with legitimate site behavior?" That is a harder defensive problem, and one that legacy web-filtering products handle poorly. Browser-level extensions (uBlock Origin with malicious-script filters, Malwarebytes Browser Guard with clipboard-write detection) have become more relevant defenses than traditional web-proxy blocklists.

Signal 03 — User education is necessary but no longer sufficient

ClickFix's success against well-trained users is the uncomfortable truth in the ESET 517-percent surge number. The technique works because it abuses two reasonable user beliefs: that Cloudflare verification challenges are routine, and that following on-screen instructions to paste a command is a normal IT-support workflow some users have actually been asked to do. No realistic security-awareness program can fully inoculate users against attacks that exploit reasonable beliefs. The implication is that the load-bearing controls have to sit at the platform layer — Group Policy restrictions on Run, PowerShell Constrained Language Mode, behavioral detection on obfuscated PowerShell, browser-level clipboard-write monitoring. User training remains valuable as a backstop, but treating it as a primary control against ClickFix is empirically a losing strategy. CISOs whose ClickFix defense is "we trained users on it" should expect to be visited by Vidar Stealer (or whatever follows it) sooner rather than later.


Sources

Primary (ASD's ACSC): ClickFix Distributing Vidar Stealer via WordPress Targeting Australian Infrastructure
Reporting (BleepingComputer): Australia Warns of ClickFix Attacks Pushing Vidar Stealer Malware
Reporting (Cyber Daily AU): Australian Cyber Security Centre Warns of ClickFix Campaign
Analysis (CSO Online): ClickFix Techniques Evolve in New Infostealer Campaigns (517% Surge, Nation-State Adoption)
Analysis (Rapid7): When Trusted Websites Turn Malicious — WordPress Compromises Advance Global Stealer Operation
Analysis (Malwarebytes): Hacked Sites Deliver Vidar Infostealer to Windows Users
