ACSC Warns of ClickFix Campaign Spreading Vidar Stealer – What You Need to Know

Overview of the Threat

The Australian Cyber Security Centre (ACSC) has issued an urgent alert about a sustained malware campaign leveraging the ClickFix social engineering technique to deliver the Vidar Stealer info-stealer malware. This campaign targets organizations across multiple sectors, aiming to harvest credentials, cryptocurrency wallets, and sensitive files.

ACSC Warns of ClickFix Campaign Spreading Vidar Stealer – What You Need to Know
Source: www.bleepingcomputer.com

How ClickFix Works

ClickFix is a deceptive social engineering method that tricks users into performing actions that compromise their systems. Attackers typically send emails or display fake error messages instructing the victim to click a button or follow a link to fix an alleged issue. Once clicked, the victim unknowingly downloads and executes the Vidar Stealer payload.

Common scenarios include:

  • Fake browser update prompts
  • False error messages stating a document cannot be opened without a plugin
  • Phishing emails urging users to download a security patch

The technique exploits user trust and urgency, making it highly effective against unsuspecting employees.

What Is Vidar Stealer?

Vidar Stealer is a known information-stealing malware, often sold as a malware-as-a-service on underground forums. Once installed, it can:

  • Exfiltrate saved passwords and cookies from web browsers
  • Steal cryptocurrency wallet data (e.g., from extensions like MetaMask, Exodus)
  • Harvest system information and files from desktops and document folders
  • Capture screenshots and communicate with command-and-control servers

The malware is designed to be silent, often staying resident in memory without writing files to disk, making detection harder.

Recent Campaign Details

According to the ACSC, this campaign has been observed since early 2025, with targeted organizations in Australia, the United States, and Europe. Attackers appear to focus on sectors such as finance, healthcare, and critical infrastructure. The campaign uses ClickFix lures embedded in spear-phishing emails that appear to come from legitimate vendors or internal IT support.

Targets and Potential Impact

The primary victims are employees with access to sensitive systems and financial data. The impact of a successful Vidar Stealer infection includes:

  • Credential theft: Stolen credentials enable lateral movement within networks
  • Financial loss: Theft of cryptocurrency or banking details
  • Data breaches: Exposure of proprietary information and customer data
  • Reputational damage: Loss of trust from clients and partners

The ACSC emphasizes that the risk is not limited to large enterprises – small and medium businesses are equally vulnerable due to fewer security controls.


Mitigation and Best Practices

To defend against ClickFix attacks and Vidar Stealer, the ACSC recommends the following measures:

  1. User training: Educate employees to recognize social engineering tactics, especially unsolicited prompts to download files or run scripts.
  2. Email security: Implement advanced email filtering to block phishing attempts and malicious attachments.
  3. Endpoint protection: Use antivirus and endpoint detection tools that can identify and block Vidar Stealer behavior.
  4. Application control: Restrict execution of content downloaded from the internet, especially Office documents and scripting interpreters.
  5. Least privilege: Limit user permissions to reduce the damage from credential theft.
  6. Incident response: Have a plan in place for quickly isolating infected systems and reporting to authorities.

Additional Technical Controls

Security teams should monitor for indicators of compromise such as unusual outbound connections to known malicious IPs, sudden increases in file encryption activity, or attempts to access browser credential stores. The ACSC provides detailed IoC lists in its official advisory.
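As an added illustration of the monitoring described above (this is not code from the ACSC advisory or the article), the following Python applies three behavioural checks to constructed endpoint telemetry: a browser spawning a script interpreter, execution from a download or temp directory, and a non-browser process touching a browser credential store. Event field names, paths and file names are assumptions; real EDR schemas differ.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real indicators). Each dict is one event:
# "process" = process creation, "file" = a process opening a file.
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File fix.ps1"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\browser_update.exe", "cmdline": "browser_update.exe"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE report.docx"},
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Locations where content downloaded from the internet typically lands (assumed list).
DOWNLOAD_DIR = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE)
# Browser credential/cookie store file names (Chromium and Firefox).
CRED_STORES = {"login data", "cookies", "logins.json", "key4.db"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict) -> list:
    alerts = []
    if basename(ev["parent"]) in BROWSERS and basename(ev["image"]) in INTERPRETERS:
        alerts.append("browser_spawned_interpreter")   # user coaxed into "fixing" something
    if DOWNLOAD_DIR.search(ev["image"]):
        alerts.append("execution_from_download_dir")   # what application control should block
    return alerts


def check_file(ev: dict) -> list:
    # The browser itself legitimately reads its own store; anything else is suspect.
    if basename(ev["path"]) in CRED_STORES and basename(ev["image"]) not in BROWSERS:
        return ["non_browser_credential_store_access"]
    return []


def detect(events: list) -> list:
    """Return (event_index, rule_name, process_name) for every matching event."""
    findings = []
    for i, ev in enumerate(events):
        rules = check_process(ev) if ev["type"] == "process" else check_file(ev)
        findings.extend((i, rule, basename(ev["image"])) for rule in rules)
    return findings


if __name__ == "__main__":
    for idx, rule, proc in detect(EVENTS):
        print(f"event {idx}: {rule} ({proc})")
```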

Conclusion

The ClickFix campaign distributing Vidar Stealer represents a persistent threat that leverages human psychology rather than technical exploits. Organizations must adopt a layered defense approach combining user awareness, robust email security, and proactive endpoint monitoring. The ACSC continues to update its guidance as the campaign evolves, urging all entities to stay vigilant and report any suspicious activity.
