Hacked sites deliver Vidar infostealer to Windows users
A cybercrime campaign compromises WordPress websites to deliver the Vidar infostealer malware to Windows users. Attackers inject malicious code into WordPress sites, filtering visitors to show fake CAPTCHA pages only to Windows desktop users. When victims interact with these pages, they are tricked into executing an HTA script that downloads and runs a malicious MSI installer. This installer deploys a GoLang loader which decrypts and loads the Vidar infostealer directly into memory, avoiding disk detection. The campaign targets users primarily in Italy, France, the United States, the United Kingdom, and Brazil. Vidar is an information-stealing malware capable of harvesting sensitive data such as credentials and system information. The infection chain leverages social engineering and multi-stage payloads to evade detection and maximize infection success. No known CVEs or exploits in the wild are reported yet, but the attack vector exploits compromised WordPress sites and user interaction. Organizations should monitor for suspicious HTA and MSI executions and secure WordPress installations to prevent site compromise.
AI Analysis
Technical Summary
This threat involves a multi-stage malware distribution campaign leveraging compromised WordPress websites to deliver the Vidar infostealer to Windows users. Attackers inject malicious scripts into WordPress sites that detect the visitor's platform and display a fake CAPTCHA page exclusively to Windows desktop users. This social engineering tactic tricks victims into running an HTA (HTML Application) script, which is a Windows scripting file capable of executing commands. The HTA script downloads and executes a malicious MSI installer, a Windows Installer package. This MSI then deploys a GoLang-based loader that decrypts and loads the Vidar infostealer directly into memory, bypassing traditional file-based detection mechanisms. Vidar is a well-known infostealer malware family that collects credentials, browser data, cryptocurrency wallets, and system information. The use of a GoLang loader and in-memory execution complicates detection and removal. The campaign targets multiple countries including Italy, France, the United States, the United Kingdom, and Brazil. Indicators of compromise include suspicious domains such as cdnwoopress.com, walwood.be, and woopresscdn.com, as well as URLs linked to attacker infrastructure. The campaign exploits compromised WordPress sites, highlighting the risk of vulnerable or unpatched CMS installations. No CVE identifiers or known exploits in the wild are currently associated with this campaign. The attack requires user interaction to run the HTA script, but the infection chain is sophisticated and designed to evade detection through layered payloads and memory-only execution.
Potential Impact
The Vidar infostealer campaign poses significant risks to organizations and individual users by enabling attackers to harvest sensitive information such as login credentials, financial data, and system details. This stolen data can facilitate further attacks including account takeover, financial fraud, and lateral movement within networks. The use of compromised WordPress sites as distribution points increases the attack surface, potentially affecting organizations relying on WordPress for their web presence. The in-memory execution of the malware loader reduces the likelihood of detection by traditional antivirus and endpoint security solutions, increasing infection persistence and data exfiltration duration. The campaign's targeting of multiple countries with large internet user bases and significant economic activities amplifies its potential impact. Organizations with Windows desktop users are at risk, especially if users are not trained to recognize social engineering tactics like fake CAPTCHA prompts. The compromise of WordPress sites also undermines trust in affected websites and can lead to reputational damage. Although no known exploits in the wild or CVEs are reported, the campaign's sophistication and multi-stage infection chain indicate a medium-level threat with potential for escalation if attackers adapt or expand their tactics.
Mitigation Recommendations
1. Harden and regularly update WordPress installations, plugins, and themes to prevent site compromise.
2. Implement web application firewalls (WAFs) to detect and block malicious code injections on WordPress sites.
3. Monitor web server logs for unusual POST requests or injected scripts indicative of compromise.
4. Educate users to recognize and avoid interacting with suspicious CAPTCHA prompts or unexpected scripts, especially HTA files.
5. Restrict execution of HTA scripts and MSI installers via application whitelisting or endpoint protection policies.
6. Deploy endpoint detection and response (EDR) solutions capable of detecting in-memory execution and anomalous process behaviors such as GoLang loaders.
7. Use network monitoring to identify connections to known malicious domains like cdnwoopress.com, walwood.be, and woopresscdn.com.
8. Conduct regular threat hunting for indicators of compromise related to Vidar infostealer and associated infrastructure.
9. Implement multi-factor authentication (MFA) to reduce the impact of credential theft.
10. Back up critical data and have incident response plans ready to isolate infected systems promptly.
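One way to hunt for the HTA-to-MSI step of this chain in endpoint process-creation telemetry (recommendations 5 and 6), as an added example that is not from the original page or from AlienVault: it assumes the HTA runs under mshta.exe and the MSI under msiexec.exe, and runs over a constructed JSON-lines log whose field names (pid, ppid, image, cmd) are our own rather than any vendor's schema.

```python
import json
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
HTA_HOST = "mshta.exe"    # assumption: the HTA runs under the Windows HTA host
MSI_HOST = "msiexec.exe"  # assumption: the MSI runs under the Windows Installer client

# Constructed sample process-creation events as JSON lines (not from the page); field names are ours.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmd": "chrome.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Users\\u\\Downloads\\verify.hta"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\msiexec.exe", "cmd": "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\setup.msi /qn"}
{"pid": 400, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\msiexec.exe", "cmd": "msiexec.exe /i C:\\Installers\\vendor.msi"}
"""

def parse_events(text):
    """Parse JSON-lines events into {pid: event}, adding a lower-cased image basename."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["name"] = ntpath.basename(ev["image"]).lower()
            events[ev["pid"]] = ev
    return events

def lineage(events, pid):
    """Return the process names of pid's ancestors, nearest parent first (cycle-safe)."""
    names, seen = [], set()
    ppid = events[pid]["ppid"]
    while ppid in events and ppid not in seen:
        seen.add(ppid)
        names.append(events[ppid]["name"])
        ppid = events[ppid]["ppid"]
    return names

def find_hta_msi_chain(text):
    """Return pids of msiexec.exe descended from mshta.exe under a browser; ordinary installs are not flagged."""
    events = parse_events(text)
    hits = []
    for pid, ev in events.items():
        if ev["name"] != MSI_HOST:
            continue
        chain = lineage(events, pid)
        if HTA_HOST in chain and BROWSERS & set(chain):
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    print("msiexec.exe launched via browser -> HTA:", find_hta_msi_chain(SAMPLE_LOG))
```

The explorer.exe -> msiexec.exe install (pid 500) is deliberately left unflagged so the rule keys on the web-page -> HTA -> MSI path specific to this campaign rather than on msiexec.exe alone.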
Affected Countries
Italy, France, United States, United Kingdom, Brazil
Indicators of Compromise
- domain: cdnwoopress.com
- domain: walwood.be
- domain: woopresscdn.com
- url: http://steamcommunity.com/profiles/76561198735736086
- url: http://steamcommunity.com/profiles/76561198742377525
- url: http://telegram.me/dikkh0k
- url: http://telegram.me/pr55ii
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securityboulevard.com/2026/03/hacked-sites-deliver-vidar-infostealer-to-windows-users/
- Adversary: null
- Pulse Id: 69b91a3de2106fb26b3bff52
- Threat Score: null
Threat ID: 69b91afd771bdb17498f40cb
Added to database: 3/17/2026, 9:12:29 AM
Last enriched: 3/17/2026, 9:27:39 AM
Last updated: 3/17/2026, 2:06:31 PM