Australia’s cybersecurity authorities have issued an official warning regarding an active and escalating wave of “ClickFix” attacks targeting Australian users and organisations, with the campaigns delivering the notorious Vidar Stealer malware. ClickFix is a social engineering technique that tricks victims into manually executing malicious commands on their own systems by presenting them with fake error messages or CAPTCHA prompts that instruct them to copy and paste malicious code into their Windows Run dialog or PowerShell terminal. The deceptive simplicity of the technique makes it particularly effective, as it bypasses many traditional security controls by manipulating the user into becoming an unwitting participant in their own compromise.
Once the victim follows the fraudulent instructions, Vidar Stealer, a powerful and well-documented information-stealing malware, is deployed onto the system, where it can harvest a wide range of sensitive data. Vidar is known to target saved browser credentials, passwords, cryptocurrency wallets, credit card information, session cookies, and other personally identifiable information stored on the infected machine. The stolen data is then exfiltrated back to attacker-controlled infrastructure, where it can be exploited directly or sold on dark web marketplaces, potentially enabling follow-on attacks such as account takeovers, financial fraud, and corporate network intrusions.
The Australian Cyber Security Centre (ACSC) is urging both individuals and organisations to exercise extreme caution when encountering unexpected prompts asking them to run or paste commands into their systems, emphasising that legitimate websites and services will never instruct users to execute code manually in this manner. Security teams are advised to implement application controls, restrict PowerShell execution policies, and ensure endpoint detection and response tools are up to date and capable of identifying Vidar Stealer activity. Organisations are also encouraged to conduct targeted security awareness training to help employees recognise and report ClickFix-style social engineering attempts before they result in a successful compromise.
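For security teams following up a reported ClickFix prompt, Windows keeps what a user typed into the Run dialog in that user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key, so exported history can be triaged for pasted commands. The sketch below is an added example, not code or indicators from the ACSC advisory; the heuristics, the `triage` function and the sample entries are assumptions constructed for illustration.

```python
import re

# Heuristics below are this example's assumptions, not indicators from the advisory.
INTERPRETER = re.compile(r"\b(?:powershell|pwsh|cmd|mshta)(?:\.exe)?\b", re.I)
SIGNALS = {
    "hidden_window": re.compile(r"-w(?:in\w*)?\s+h(?:idden)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    # Trailing comment that makes the pasted text look like a verification step.
    "lure_comment": re.compile(r"#.*\b(?:robot|captcha|verif\w*)\b", re.I),
}


def triage(entries):
    """Return (command, [signal names]) for Run-dialog entries worth reviewing."""
    hits = []
    for raw in entries:
        # RunMRU values carry a trailing "\1" marker; drop it before matching.
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if not INTERPRETER.search(cmd):
            continue  # a document, URL or share opened from Run is normal use
        matched = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
        if matched:  # bare "cmd" or "powershell" alone is not flagged
            hits.append((cmd, matched))
    return hits


# Constructed sample history; PLACEHOLDER stands in for the pasted payload.
SAMPLE_RUNMRU = [
    "cmd\\1",
    "notepad C:\\Users\\alice\\notes.txt\\1",
    "https://intranet.example.invalid/wiki\\1",
    'powershell -w hidden -c "PLACEHOLDER https://example.invalid/p"'
    " # I am not a robot\\1",
]

if __name__ == "__main__":
    for cmd, signals in triage(SAMPLE_RUNMRU):
        print(f"REVIEW {signals}: {cmd}")
```

Run-dialog history only covers commands pasted into the Run dialog; commands pasted straight into a PowerShell terminal have to be caught through PowerShell logging or EDR process telemetry instead.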