TL;DR
This week, three major threat campaigns demand every business owner's attention: INC Ransom has built an aggressive affiliate model hammering critical networks across Australia, New Zealand, and the Pacific; a ClickFix social-engineering campaign is injecting Vidar Stealer into Australian infrastructure through compromised WordPress sites; and China-nexus state-sponsored actors have shifted tactics to build covert networks of compromised devices inside organisational perimeters. If you run WordPress, operate in Asia-Pacific, or connect anything to the internet, you have action items this weekend.
1. INC Ransom Affiliate Model — Ransomware-as-a-Service Goes Regional
The Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC), alongside New Zealand and Pacific island partner agencies, released a joint advisory this week on INC Ransom and its expanding affiliate network. INC Ransom operates on a ransomware-as-a-service (RaaS) model, recruiting affiliates who deploy the encryptor against targets they select — meaning the threat isn't one group with one playbook, it's dozens of operators using shared tooling against your region.
What happened. INC Ransom affiliates have been actively targeting critical infrastructure and corporate networks across Australia, New Zealand, and Pacific island states. The group leverages living-off-the-land techniques, valid account abuse, and double-extortion — exfiltrating data before encryption and threatening public release. The advisory notes affiliates are exploiting unpatched internet-facing services, particularly VPN concentrators and remote desktop gateways, to gain initial access.
How bad is it. INC Ransom has publicly listed over 180 alleged victims on its leak site since emerging in mid-2023, with a sharp uptick in APAC targets since early 2026. Individual ransom demands have ranged from USD $200,000 to over USD $5 million depending on organisational revenue and data sensitivity. The affiliate model means multiple simultaneous campaigns are likely running against targets in your region right now.
How it could have been prevented. The common thread across INC Ransom incidents is exploitable perimeter services. Patching VPN appliances within 48 hours of vendor security advisories, enforcing phishing-resistant MFA on all external-facing accounts, and segmenting critical networks so a perimeter breach doesn't reach file servers and backup repositories would have stopped the majority of known intrusions.
What your business should do this week:
- Audit every internet-facing service (VPN, RDP gateways, webmail) for unapplied CVEs. Prioritise anything from Fortinet, Palo Alto, Citrix, or Cisco listed in CISA's Known Exploited Vulnerabilities catalogue.
- Verify that backups are immutable and stored offline or in an air-gapped cloud bucket that no domain account can delete.
- Run a table-top exercise: if you got the INC Ransom note on Monday morning, who picks up the phone and what is the first 60-minute response?
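The perimeter audit in the action list above, worked through in code as an added example (not from the ASD advisory or this post's author): an inventory of internet-facing services is matched against a CISA KEV-style catalogue and ranked so that ransomware-used, priority-vendor and overdue items surface first. The KEV field names follow CISA's public JSON feed; the catalogue entries, hosts, CVE IDs and report date are constructed placeholders.

```python
"""Added example (not from the ASD advisory or this post's author): rank unpatched
perimeter services against a CISA KEV-style catalogue. The field names follow
CISA's public KEV JSON feed; the entries, hosts and CVE IDs are CONSTRUCTED
placeholders, not real vulnerabilities."""
from datetime import date, timedelta

# Constructed stand-in for the KEV feed (real feed: cisa.gov known_exploited_vulnerabilities.json)
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Citrix", "product": "NetScaler ADC",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-02-25", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed inventory of internet-facing services; "patched" lists KEV IDs already remediated.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "Fortinet", "product": "FortiOS", "patched": []},
    {"host": "rdgw-01", "vendor": "Citrix", "product": "NetScaler ADC", "patched": ["CVE-0000-0002"]},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server", "patched": []},
]

# The perimeter vendors the section 1 action list tells you to prioritise.
PRIORITY_VENDORS = {"Fortinet", "Palo Alto Networks", "Citrix", "Cisco"}
AS_OF = date(2026, 3, 1)  # constructed report date

def find_exposures(kev, inventory, today):
    """Return (host, cveID, score) for every unpatched match, highest priority first.
    Score orders by: used in ransomware campaigns, priority perimeter vendor,
    past the KEV due date, older than the 48-hour patch window."""
    exposures = []
    for entry in kev["vulnerabilities"]:
        for dev in inventory:
            if (dev["vendor"], dev["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            if entry["cveID"] in dev["patched"]:
                continue
            overdue = date.fromisoformat(entry["dueDate"]) < today
            # Proxy for the 48-hour window: the KEV listing is more than two days old
            stale = today - date.fromisoformat(entry["dateAdded"]) > timedelta(days=2)
            score = (entry["knownRansomwareCampaignUse"] == "Known",
                     entry["vendorProject"] in PRIORITY_VENDORS, overdue, stale)
            exposures.append((dev["host"], entry["cveID"], score))
    return sorted(exposures, key=lambda e: e[2], reverse=True)
```

Swap in the live KEV feed and your own asset list and the output is the patch order for the weekend.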
2. ClickFix + Vidar Stealer — Your WordPress Site Is the Attack Vector
The ASD ACSC issued an advisory this week on a social-engineering campaign dubbed "ClickFix" that uses compromised WordPress websites to distribute Vidar Stealer, specifically targeting Australian infrastructure operators.
What happened. Threat actors compromised legitimate WordPress sites — likely through vulnerable plugins or stolen admin credentials — and injected malicious JavaScript. When a visitor loads the page, they see a convincing prompt disguised as a browser update, captcha verification, or "fix" for a display error (hence "ClickFix"). Clicking the prompt downloads Vidar Stealer, an information-stealing malware that harvests saved browser credentials, cryptocurrency wallets, session cookies, and keystroke data from the victim's machine.
How bad is it. Vidar Stealer credentials sell on underground markets for USD $1–10 per credential bundle depending on the organisation's perceived value. A single infected employee machine can expose hundreds of corporate credentials in minutes. The Australian government flagged this specifically because the targeting is not random — the actors are selecting WordPress sites frequented by staff at Australian infrastructure organisations, suggesting reconnaissance and intent to use stolen credentials for deeper network compromise.
How it could have been prevented. WordPress sites with automatic plugin updates enabled, a Web Application Firewall (WAF), and admin accounts protected by MFA are dramatically harder to compromise. On the endpoint side, browser isolation or content disarm solutions prevent the fake prompt from ever executing. Organisations that strip executable downloads at the email/web gateway layer also block the initial infection.
What your business should do this week:
- Inventory every WordPress, Drupal, or CMS site your organisation owns or relies on. Confirm automatic updates are on for core and all plugins, and remove any plugin you are not actively using.
- Deploy or verify endpoint detection and response (EDR) across all employee devices. Vidar Stealer is well-signatured; a competent EDR catches it before exfiltration.
- Remind staff — via a short, specific message, not a generic annual training video — that no legitimate website will ever ask them to download a "fix" or browser update directly. Browser updates come through the browser's own update mechanism, period.
3. China-Nexus Covert Networks — The Quiet Compromise Inside Your Perimeter
A second joint advisory from ASD ACSC this week addresses a shift in tactics by China-nexus cyber actors who are building covert networks of compromised devices inside target organisations — not to steal data immediately, but to establish persistent, low-noise footholds for future operations.
What happened. These actors are compromising network edge devices — routers, VoIP systems, IoT sensors, and small-office NAS appliances — that organisations often forget to patch or monitor. Once inside, they use the devices as relay nodes, creating a mesh of compromised infrastructure that can be used for command-and-control, data exfiltration, or as launch points for attacks on other targets. The advisory specifically highlights a tactical shift: the actors are moving away from custom malware toward living-off-the-land techniques that blend in with normal device management traffic.
How bad is it. The danger here is asymmetry. Each individual compromised device looks like normal network traffic. The aggregate network, however, gives the adversary persistent, resilient access that survives individual device reboots, password resets, and even some firmware updates. Australian government assessments estimate that thousands of devices across the region have already been co-opted into these networks. For a business, the risk is dual: your compromised devices may be used to attack your own systems later, and they may make you an unwitting participant in attacks on others — creating legal and reputational exposure.
How it could have been prevented. Network segmentation that isolates IoT and edge devices from corporate VLANs, continuous monitoring of outbound traffic patterns from device subnets, and a firmware lifecycle policy that retires or patches every internet-connected device on a defined schedule would each have denied these actors the quiet, unmonitored footholds they depend on.
What your business should do this week:
- Pull a list of every device on your network that isn't a managed workstation or server. Routers from ISP-provided gateways, IP cameras, smart TVs, VoIP phones, NAS boxes — if it has a web interface, it needs a firmware patch schedule.
- Enable NetFlow or similar traffic monitoring on your perimeter firewall and set an alert for any device subnet making unexpected outbound connections, especially to international IPs.
- If you have devices you cannot patch or monitor, isolate them on a separate VLAN with no access to your corporate LAN or the internet beyond what they strictly require.
FAQ
Q: My business is small and based in North America. Do these Asia-Pacific advisories really apply to me? A: Yes. INC Ransom affiliates operate globally and have listed victims in the United States, Canada, and Europe alongside APAC targets. ClickFix campaigns expand to whichever WordPress sites receive traffic from target sectors. The underlying vulnerabilities — unpatched VPNs, unprotected WordPress, forgotten edge devices — exist in every organisation regardless of geography.
Q: What is Vidar Stealer and why should I care if I don't handle classified data? A: Vidar Stealer harvests saved browser passwords, session cookies, and autofill data. If an employee logs into your accounting platform, CRM, or cloud email from an infected machine, those credentials are captured and sold. Attackers then use them for business email compromise, invoice fraud, or as a foothold into your network. You do not need classified data to be a profitable target.
Q: Should we pay the ransom if hit by INC Ransom? A: Law enforcement agencies including the ASD, FBI, and Europol advise against paying ransoms. Payment does not guarantee data recovery, funds further criminal operations, and may violate sanctions regulations depending on the threat actor. Focus investment on prevention and tested backup restoration instead.
Q: How do I find out if we already have compromised edge devices? A: Check your firewall logs for unusual outbound connections from device IP addresses, especially on ports 443, 8080, or non-standard high ports. Run a vulnerability scan against all device subnets. If you see devices you cannot account for or firmware versions years out of date, assume compromise and plan a controlled rebuild.
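The outbound-traffic check recommended in the section 3 action list and in the FAQ answer above, as an added example (not from the ASD advisory or this post's author): NetFlow-style records are filtered to connections from device subnets to external addresses that are neither allowlisted nor on expected ports, and repeated connections to the same destination rank first. The subnets, allowlist and flow records are constructed sample data; geolocation of "international" destinations is left to your firewall.

```python
"""Added example (not from the ASD advisory or this post's author): flag edge and
IoT devices making outbound connections nobody expected, as section 3 and the
FAQ recommend. Subnets, allowlist and the flow records are CONSTRUCTED data."""
import ipaddress
from collections import defaultdict

# Constructed: the VLAN where cameras, VoIP phones and NAS boxes live.
DEVICE_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
# RFC 1918 space: device-to-internal traffic is judged by other rules.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: destinations these devices legitimately use (VoIP trunk, NAS update CDN).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.10/32")]
EXPECTED_PORTS = {53, 123}  # DNS and NTP are normal for almost any device

# Constructed NetFlow-style records: "timestamp src_ip dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2026-03-02T01:00:03 10.50.0.21 203.0.113.40 5060 812
2026-03-02T01:00:07 10.50.0.33 198.51.100.10 443 15200
2026-03-02T01:00:09 10.50.0.33 192.0.2.77 443 640
2026-03-02T01:10:09 10.50.0.33 192.0.2.77 443 655
2026-03-02T01:20:09 10.50.0.33 192.0.2.77 443 648
2026-03-02T01:03:12 10.50.0.44 192.0.2.9 8080 30210
2026-03-02T01:04:01 10.50.0.44 192.0.2.9 51820 120
2026-03-02T01:05:00 10.60.0.5 192.0.2.9 443 900
"""

def in_any(ip, networks):
    return any(ip in net for net in networks)

def suspicious_device_flows(flow_text):
    """Return {device_ip: [(dst_ip, dst_port, count), ...]} for flows from the
    device subnets to non-allowlisted external addresses on unexpected ports,
    most-repeated destination first (repetition at fixed intervals is the
    beaconing pattern worth a closer look)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        _ts, src, dst, port, _nbytes = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not in_any(src_ip, DEVICE_SUBNETS):
            continue  # workstations and servers are covered by EDR, not this rule
        if in_any(dst_ip, INTERNAL) or in_any(dst_ip, ALLOWLIST):
            continue
        if int(port) in EXPECTED_PORTS:
            continue
        hits[src][(dst, int(port))] += 1
    return {dev: sorted(((d, p, n) for (d, p), n in dsts.items()), key=lambda t: -t[2])
            for dev, dsts in hits.items()}
```

On the constructed data the VoIP phone and the NAS talking to their vendors pass, while one device repeatedly contacting the same external host on 443 and another using 8080 plus a high port are surfaced for review.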
Conclusion
Three campaigns this week share a common thread: they exploit the gap between what organisations know they should do and what they've actually done. INC Ransom succeeds because VPNs stay unpatched. ClickFix succeeds because WordPress plugins rot. China-nexus actors succeed because edge devices are invisible. None of these require zero-day exploits or nation-state budgets — they require discipline that most organisations haven't prioritised.
Your weekend action items, prioritised: patch every internet-facing service, inventory and update every WordPress site you control, and isolate or retire every unmanaged network device. If you do those three things before Monday, you've closed the majority of the attack surface these three campaigns depend on.
Need help figuring out where your gaps are? Visit consult.lil.business for a free cybersecurity assessment — we'll map your exposure against this week's threat landscape and give you a prioritised remediation plan.
References
- ASD ACSC Advisory — ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure — https://www.cyber.gov.au/about-us/advisories/clickfix-distributing-vidar-stealer-wordpress-targeting-australian-infrastructure
- ASD ACSC Advisory — INC Ransom Affiliate Model Enabling Targeting of Critical Networks — https://www.cyber.gov.au/about-us/advisories/inc-ransom-affiliate-model-enabling-targeting-critical-networks
- ASD ACSC Advisory — Defending against China-nexus covert networks of compromised devices — https://www.cyber.gov.au/about-us/advisories/defending-against-china-nexus-covert-networks-compromised-devices
- CISA Known Exploited Vulnerabilities Catalogue — https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NIST Cybersecurity Framework 2.0 — https://www.nist.gov/cyberframework