TL;DR
This week saw a coordinated wave of attacks hitting Australian infrastructure through compromised WordPress sites, a ransomware crew building an arsenal of EDR-killing tools, Nintendo's data stolen through a third-party survey platform, and a joint global advisory on China-nexus covert device networks. The common thread: attackers are targeting the weakest links in your perimeter — third-party vendors, unpatched web infrastructure, and endpoint detection tools themselves. Here's what happened, what it cost, and what you should do before Monday.
Incident 1: ClickFix Campaign Distributing Vidar Stealer via Compromised WordPress Sites Targeting Australian Infrastructure
What Happened
The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) issued an advisory this week warning that threat actors are actively targeting Australian networks using a social engineering technique called "ClickFix." Attackers are compromising legitimate WordPress websites and injecting fake verification prompts — typically mimicking Cloudflare CAPTCHA pages or browser-update notices. When a visitor clicks the prompt, they're tricked into copying and pasting a malicious PowerShell command into their terminal, which silently downloads and executes Vidar Stealer.
Vidar Stealer is a well-known infostealer that exfiltrates saved browser credentials, session cookies, cryptocurrency wallet data, and FTP client passwords. Once those credentials are harvested, attackers use them for lateral movement, email compromise, and follow-on ransomware deployment.
How Bad Is It
The ACSC advisory specifically calls out Australian infrastructure as the target — not a blanket global warning, but a directed alert about ongoing attacks against Australian organisations. Any business running WordPress sites or whose staff visit Australian WordPress-hosted pages is in the blast radius. Vidar Stealer infections have been linked to downstream ransomware incidents costing Australian SMBs anywhere from AUD 50,000 to over AUD 500,000 in recovery costs, downtime, and lost revenue, based on patterns seen in 2024–2025 incidents reported to the ACSC.
How It Could Have Been Prevented
The attack chain has multiple failure points, and each one is a prevention opportunity:
- WordPress site compromise: Unpatched WordPress plugins and themes are the initial access vector. Sites running outdated versions of popular plugins (especially form, SEO, and page-builder plugins) are being mass-scanned and compromised automatically.
- Social engineering on the visitor: The ClickFix technique relies on users executing clipboard-pasted commands. No legitimate website will ever ask you to paste text into a terminal or Run dialog.
- Endpoint detection gap: Vidar Stealer is detectable by modern EDR, but only if the endpoint is actually running EDR and the relevant IoC signatures are current.
What Your Business Should Do This Weekend
- Patch every WordPress instance you operate — core, themes, and all plugins. If a plugin is abandoned or hasn't been updated in 12 months, remove it.
- Brief your team on ClickFix: no website will ever legitimately ask you to copy-paste a command. If a site shows a "verification" prompt asking you to press Win+R or open a terminal, close the tab and report it.
- Confirm your EDR is running on every endpoint, including remote and BYOD devices. Check the console for any agents that haven't reported in the last 24 hours.
- Review saved browser credentials across the organisation — if you're relying on browser-saved passwords with no MFA on the underlying accounts, you're one Vidar infection away from credential theft.
Incident 2: Gentlemen Ransomware Deploying Multiple EDR Killers
What Happened
BleepingComputer reported this week that the Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of EDR (Endpoint Detection and Response) killer tools. These tools are designed to disable, blind, or crash endpoint security software before the ransomware payload executes, allowing affiliates to encrypt file systems without triggering alerts or automated containment.
This isn't a single tool — it's a portfolio. Gentlemen is offering multiple EDR-killing utilities to its affiliates, which means if one tool fails to neutralise a specific vendor's agent, another is available as a fallback. This dramatically increases the success rate against organisations that depend solely on EDR for endpoint defence.
How Bad Is It
EDR-killing tools have been a growing trend across ransomware groups since 2023, but Gentlemen's approach of building and maintaining an entire suite signals an escalation. When ransomware crews can reliably blind your endpoint detection, the time between initial access and encryption shrinks from days to hours — sometimes minutes. The average ransom demand for SMBs hit by RaaS operations using EDR killers sits between USD 250,000 and USD 1.5 million, based on publicly reported incident data from 2024–2025. Many Australian SMBs don't carry cyber insurance adequate to cover this range, and recovery time averages 21 days for organisations without offline backups.
How It Could Have Been Prevented
EDR killers typically exploit privileged access. If the attacker doesn't have admin-level access to the endpoint, most EDR-killing techniques fail. The defence is layered:
- Principle of least privilege: Standard users cannot kill EDR services. If your staff are running as local administrators, you've handed attackers the key to disabling your detection layer.
- Tamper protection: Modern EDR platforms support tamper-protected modes that resist service termination, driver-level attacks, and registry modification. This must be explicitly enabled — it is not always on by default.
- Immutable logging: If EDR is blinded, logs must still exist somewhere. Forward endpoint telemetry to a SIEM or log repository that the endpoint itself cannot modify or delete.
What Your Business Should Do This Weekend
- Audit local admin accounts across all endpoints. Every user with local admin is a potential EDR-kill vector.
- Log into your EDR console and verify tamper protection is enabled on every agent. If your vendor calls it something else (e.g., "self-protection," "anti-tamper"), find the equivalent setting.
- Confirm your EDR telemetry is being forwarded to a central log store or SIEM — not just sitting on the endpoint where an attacker with admin access can wipe it.
- Test your offline backup. If ransomware blinds your EDR and encrypts your network, the only thing that determines whether you pay the ransom is whether you can restore from a backup the attacker cannot reach.
Incident 3: Nintendo Data Stolen via Third-Party Survey Platform TinyPulse
What Happened
Nintendo of America confirmed to BleepingComputer that threat actors stole survey data from TinyPulse, a third-party employee engagement survey platform used internally by Nintendo. Nintendo's own systems were not compromised — the breach occurred entirely within TinyPulse's infrastructure. The stolen data includes survey responses and associated employee information.
This is a textbook supply chain compromise: Nintendo did everything right on its own perimeter, but a vendor with access to employee data was breached, and that data flowed out through the vendor's weakness, not Nintendo's.
How Bad Is It
For Nintendo, the impact is reputational and potentially regulatory — employee survey data can contain sensitive feedback, identifiable information, and internal organisational insights. For TinyPulse (a WebMD subsidiary), this is a direct breach of client trust with cascading consequences across every customer who used the platform. Supply chain breaches like this cost an average of USD 4.35 million per incident globally according to IBM's Cost of a Data Breach Report, with third-party-involved breaches consistently ranking among the most expensive because of the extended detection, notification, and remediation timeline.
How It Could Have Been Prevented
- Vendor security assessment: Before granting a SaaS vendor access to employee data, assess their security posture — SOC 2 Type II, ISO 27001, breach history, and their own third-party risk management.
- Data minimisation: Don't give a survey platform more data than it needs. If the tool only needs employee email addresses to send surveys, don't provide full names, departments, and organisational structure.
- Contractual breach notification: Your vendor agreements must require notification within 24–72 hours of any security incident. If you find out about a vendor breach from the news instead of from the vendor, your incident response is already behind.
What Your Business Should Do This Weekend
- List every third-party SaaS tool that holds employee or customer data. For each, note what data they hold and when you last reviewed their security posture.
- Check your top five vendors for breach notification clauses in your contracts. If there's no defined notification window, add one at next renewal.
- Pull sensitive data out of SaaS tools that don't need it. Employee engagement platforms do not need home addresses, salary bands, or performance review data.
The Bigger Picture: China-Nexus Covert Device Networks
The ASD ACSC and partner agencies also released a joint advisory this week on China-nexus cyber actors shifting tactics to compromise and weaponise networks of consumer devices — routers, IoT hardware, and small-office network appliances — to build covert infrastructure for espionage and further attacks. These compromised device networks are being used as proxies to obfuscate attribution, launch follow-on attacks, and maintain persistent access to target environments.
For Australian businesses, the takeaway is simple: every unmanaged device on your network perimeter is a potential foothold. That old router in the branch office, the unpatched NAS in the back room, the IoT thermostat connected to the corporate VLAN — each is a candidate for conscription into someone else's botnet. Segment your network, retire devices you can't patch, and treat anything internet-facing as an attack surface that needs active monitoring.
FAQ
Q: What is ClickFix and how do I know if my WordPress site has been compromised?
ClickFix is a social engineering technique where attackers inject fake verification prompts (mimicking CAPTCHAs or browser update notices) into compromised WordPress sites. To check if your site is affected, scan for unexpected JavaScript injections in your theme files, particularly in header.php and footer.php. Look for obfuscated code blocks or scripts loading from unfamiliar domains. Run a WordPress integrity check using tools like WP-CLI or a security plugin like Wordfence.
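A scanner for the theme-file check described above (and for the "patch and review your WordPress instances" action in Incident 1), added here as an example; it is not code from the post, the ACSC advisory, or any WordPress project. The allow-listed script hosts, the obfuscation markers and the sample file contents are assumptions for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed; set per site).
ALLOWED_HOSTS = {"www.example.com", "fonts.googleapis.com"}

SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_RE = re.compile(r"<script(?![^>]*\ssrc)[^>]*>(.*?)</script>", re.I | re.S)
# Typical markers of an obfuscated injected block: decode/eval calls or a long base64 run.
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\batob\s*\(|\bunescape\s*\(|String\.fromCharCode|[A-Za-z0-9+/=]{120,}")

def script_host(src):
    """Hostname of an external script src, or None for a path served by the site itself."""
    if src.startswith("//"):
        src = "https:" + src
    if not src.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(src).hostname or "").lower()

def scan_text(text):
    """Return (reason, evidence) findings for the contents of one theme file."""
    findings = []
    for src in SRC_RE.findall(text):
        host = script_host(src)
        if host and host not in ALLOWED_HOSTS:
            findings.append(("external-script", src))
    for body in INLINE_RE.findall(text):
        m = OBFUSCATION_RE.search(body)
        if m:
            findings.append(("obfuscated-inline", m.group(0)[:40]))
    return findings

def scan_theme(theme_dir, names=("header.php", "footer.php")):
    """Scan the named files in a theme directory; returns {filename: findings}."""
    results = {}
    for name in names:
        path = Path(theme_dir) / name
        if path.is_file():
            results[name] = scan_text(path.read_text(errors="replace"))
    return results

# Constructed sample contents: a clean footer and a header carrying an injection.
CLEAN_FOOTER = ('<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
                '<script src="https://www.example.com/theme.js"></script>')
INJECTED_HEADER = ('<script src="https://cdn.not-our-site.invalid/v.js"></script>\n'
                   '<script>var p=atob("Q2xpY2sgdG8gdmVyaWZ5");document.write(p);</script>')

if __name__ == "__main__":
    for label, text in (("footer.php", CLEAN_FOOTER), ("header.php", INJECTED_HEADER)):
        print(label, scan_text(text) or "clean")
```

Run `scan_theme("/path/to/wp-content/themes/<active-theme>")` against a real install; a finding is a prompt to compare the file against a clean copy of the theme, not proof of compromise on its own.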
Q: How do I know if my EDR has tamper protection enabled?
Log into your EDR management console and check the policy settings for each endpoint group. Look for terms like "tamper protection," "self-protection," "anti-tamper," or "service protection." If it's not enabled globally, enable it now and push the policy to all agents. If your vendor doesn't offer this feature, it's time to evaluate whether your EDR is sufficient against current ransomware tactics.
Q: What should I do if a third-party vendor notifies me of a breach?
Activate your incident response plan immediately. Identify what data the vendor held about your organisation or customers, assess whether that data triggers mandatory breach notification under the Notifiable Data Breaches (NDB) scheme in Australia, and notify affected individuals within 30 days if the breach is likely to result in serious harm. Document everything — your regulator will want a timeline.
Q: How can I tell if my network devices have been compromised by a China-nexus actor?
Watch for unexpected outbound traffic from routers or IoT devices, new SSH keys or credentials on devices you didn't configure, and devices communicating with known command-and-control infrastructure. The joint ACSC advisory includes specific IoCs — review them against your network traffic logs. If you don't have visibility into your network device traffic, that itself is the vulnerability.
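A baseline check for the "unexpected outbound traffic from routers or IoT devices" point above, added here as an example; it is not from the joint advisory or the post. The device inventory, each device's expected destinations, the admin-port list and the flow records are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport nbytes")

# Assumed inventory: device IP -> (label, destinations it is expected to talk to,
# e.g. the vendor update host or its cloud service).
DEVICES = {
    "10.0.0.1":  ("branch-router", {"203.0.113.10"}),
    "10.0.0.20": ("nas",           {"203.0.113.20"}),
    "10.0.0.30": ("thermostat",    {"203.0.113.30"}),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
ADMIN_PORTS = {22, 23, 3389, 445}               # a network device should not initiate these

def parse_flow(line):
    """Parse one constructed CSV flow record: ts,src,dst,dport,bytes."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), int(nbytes))

def check_flow(flow):
    """Return a reason string if the flow is suspicious for its source device, else None."""
    dev = DEVICES.get(flow.src)
    if dev is None:
        return None                              # not a managed network device
    label, allowed = dev
    if ipaddress.ip_address(flow.dst) in INTERNAL:
        if flow.dport in ADMIN_PORTS:
            return f"{label}: lateral admin-port connection to {flow.dst}:{flow.dport}"
        return None
    if flow.dst not in allowed:
        return f"{label}: outbound to unexpected destination {flow.dst}:{flow.dport}"
    return None

def review(lines):
    """Return (timestamp, reason) for every flagged flow, in log order."""
    return [(f.ts, r) for f in map(parse_flow, lines) if (r := check_flow(f))]

# Constructed sample flow log.
SAMPLE_FLOWS = [
    "2025-06-01T01:00:00Z,10.0.0.1,203.0.113.10,443,2048",    # router -> vendor host
    "2025-06-01T01:05:00Z,10.0.0.30,203.0.113.30,443,512",    # thermostat -> its service
    "2025-06-01T02:10:00Z,10.0.0.30,198.51.100.7,443,90000",  # thermostat -> unknown host
    "2025-06-01T02:12:00Z,10.0.0.1,10.0.0.55,22,4096",        # router opening SSH inward
    "2025-06-01T03:00:00Z,10.0.0.99,198.51.100.7,443,100",    # unmanaged host, out of scope
]

if __name__ == "__main__":
    for ts, reason in review(SAMPLE_FLOWS):
        print(ts, reason)
```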
Conclusion
This week's incidents share a common lesson: attackers are not breaking through your front door — they're coming through the side entrance you forgot to lock. The unpatched WordPress plugin, the endpoint running with local admin, the survey vendor you onboarded two years ago and never reassessed, the router nobody maintains. Each is a door, and each was opened this week. Your weekend action items: patch WordPress, audit local admin accounts, verify EDR tamper protection, list your third-party data holders, and segment anything on your network you can't actively monitor. Five tasks. Start now.
Visit consult.lil.business for a free cybersecurity assessment.
References
- ASD ACSC Advisory: ClickFix Distributing Vidar Stealer via WordPress Targeting Australian Infrastructure
- BleepingComputer: Gentlemen Ransomware Uses Multiple EDR Killers to Disable Defenses
- ASD ACSC Advisory: Defending Against China-Nexus Covert Networks of Compromised Devices
- BleepingComputer: Nintendo Confirms Data Stolen in WebMD Subsidiary Cyberattack