Australian Cyber Security Centre Warns of ClickFix Attacks Distributing Vidar Stealer
The **Australian Cyber Security Centre (ACSC)** is warning organizations about an ongoing malware campaign leveraging the ClickFix social engineering technique to distribute the **Vidar Stealer** info-stealing malware. The attacks target Australian entities through compromised WordPress websites, redirecting users to malicious payloads.

### ClickFix Exploits Target Australian Infrastructure
ClickFix is a social engineering attack that tricks users into executing malicious commands, often through fake CAPTCHA or browser verification prompts on compromised or malicious websites. These attacks typically have the user run a **PowerShell** command themselves, which bypasses security controls and delivers malware, commonly an info-stealer.
Australian organizations and infrastructure entities are the primary targets, with compromised **WordPress** websites redirecting users to malicious payloads.
Users visiting these sites are presented with a fake **Cloudflare** verification or CAPTCHA prompt, instructing them to copy and manually execute a malicious PowerShell command, leading to a Vidar Stealer infection.
"The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware," according to the agency's advisory.
### Vidar Stealer: A Cost-Effective Info-Stealing Solution
**Vidar Stealer** is an information-stealing malware family and malware-as-a-service (MaaS) operation that emerged in late 2018. It has become a popular choice among cybercriminals due to its cost-effectiveness, ease of deployment, and broad data theft capabilities. The malware targets browser passwords, cookies, cryptocurrency wallets, autofill information, and system details.
Vidar has been observed in ClickFix attacks, promoted through fake Windows fixes, **TikTok** videos, and **GitHub**. Last year, the developer released a new version with upgraded capabilities.
### Vidar's Stealth and C2 Communication
ACSC notes that Vidar deletes its executable after launching on the infected device and then operates from system memory, reducing forensic artifacts. It retrieves its command-and-control (C2) address via "dead-drop" URLs using public services like **Telegram** bots and **Steam** profiles.
### Mitigation Recommendations
ACSC recommends that organizations restrict PowerShell execution and implement application allow-listing to reduce the risk from these attacks.
WordPress site administrators are also advised to apply available security updates for themes and add-ons, and to remove any unused themes/plugins from their platforms.
ACSC's security bulletin provides indicators of compromise (IoCs) for these attacks, enabling organizations to establish defenses or detect intrusions.
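The two behaviours the advisory describes, a user-launched PowerShell command (the ClickFix step) and a non-browser process fetching a Telegram bot or Steam profile page (the dead-drop C2 lookup), can both be spotted in endpoint telemetry. The following is an added detection example written for this article, not code from ACSC or the advisory; the key=value event format, the process names and the browser allowlist are constructed assumptions, not a real EDR schema.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry in a simplified key=value format (not a real EDR schema).
# "proc" = process creation, "net" = outbound web request attributed to a process.
SAMPLE_EVENTS = r"""
type=proc pid=5200 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell -Command https://verify.example.invalid/check"
type=proc pid=5311 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent="C:\Program Files\Vendor\agent.exe" cmd="powershell -File C:\scripts\inventory.ps1"
type=net pid=5200 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe url=https://t.me/examplebot
type=net pid=2210 image="C:\Program Files\Mozilla Firefox\firefox.exe" url=https://steamcommunity.com/profiles/0000000000
type=net pid=6001 image=C:\Users\u\AppData\Local\Temp\x.exe url=https://steamcommunity.com/profiles/0000000000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Public services the advisory names as dead-drop hosts for the Vidar C2 address.
DEAD_DROP_HOSTS = {"t.me", "telegram.org", "steamcommunity.com"}
# Processes expected to talk to those services (assumed allowlist for this example).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

def parse_event(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return an alert name for one event, or None if it looks benign."""
    if ev.get("type") == "proc":
        # ClickFix relies on the victim pasting the command themselves, so the case of
        # interest is PowerShell started under the user's desktop shell (assumed:
        # explorer.exe as parent) with a remote URL in its command line.
        if (basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
                and basename(ev.get("parent", "")) == "explorer.exe"
                and re.search(r"https?://", ev.get("cmd", ""), re.I)):
            return "clickfix_interactive_powershell"
    elif ev.get("type") == "net":
        host = (urlparse(ev.get("url", "")).hostname or "").lower()
        # A non-browser process reading a Telegram bot or Steam profile page matches
        # the dead-drop C2 lookup described in the advisory; browsers are expected noise.
        if host in DEAD_DROP_HOSTS and basename(ev["image"]) not in BROWSERS:
            return "dead_drop_lookup_from_non_browser"
    return None

def scan(text):
    """Return (pid, alert) pairs for every alerting event in the telemetry text."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        ev = parse_event(line)
        alert = classify(ev)
        if alert:
            hits.append((ev["pid"], alert))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the user-launched PowerShell and the two non-browser dead-drop lookups while leaving the scheduled inventory script and the Firefox visit alone.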
