IT Brief Australia - Technology news for CIOs & IT decision-makers
Australian businesses warned over ClickFix attacks

Wed, 20th May 2026
Mark Tarre, News Chief

PhishByte has warned Australian businesses about the ClickFix attack technique after the Australian Cyber Security Centre issued a dedicated alert on campaigns targeting organisations in Australia.

The technique is designed to evade the technical controls commonly used by small and medium-sized businesses. Rather than relying on malicious attachments, links or software exploits, it depends on social engineering: the victim is talked into running the attacker's command on their own machine.

First observed in 2024, ClickFix has spread as a method for delivering malware and credential-stealing tools. In the current campaigns, compromised WordPress sites belonging to legitimate Australian businesses display fake verification prompts to visitors.

Those prompts mimic Cloudflare checks or CAPTCHA screens. Malicious JavaScript then copies a PowerShell command to the visitor's clipboard and instructs the user to paste it into the Windows Run dialogue and execute it.

Because the victim runs the command, the attack can slip past several defensive layers businesses often rely on, including email security gateways, attachment scanning and drive-by download protections. Endpoint monitoring tools are not bypassed outright, but they only help if they record and alert on the resulting process chain, for example Explorer spawning PowerShell with a hidden window or an encoded command.

One of the main payloads identified in the campaign is Vidar Stealer, an information-stealing malware service active since 2018. Once installed, it targets browser passwords, saved credentials, multifactor authentication tokens, autofill data, cryptocurrency wallet details and system information.

The malware also seeks active browser session cookies, which can allow attackers to access accounts without needing the victim's password. That weakens the protection normally offered by multifactor authentication if a session has already been established on the compromised device.

Vidar Stealer is also designed to make forensic investigation more difficult. After execution, it deletes its installer and continues to run in memory, while retrieving command-and-control infrastructure through dead-drop links on legitimate online services including Telegram bots and Steam profiles.

Human weakness

PhishByte argued that responding to ClickFix cannot rely on technical tools alone, particularly for smaller businesses with limited security resources. It pointed to Australian Cyber Security Centre guidance that identifies user education as a primary mitigation measure.

"Every layer of a standard SMB security stack is bypassed by this attack," PhishByte said. "Firewalls, email filters, endpoint tools: none of them can stop an employee who has been socially engineered into running a command on their own machine. The only effective control is an employee who knows that no legitimate website will ever ask them to copy code into their computer's Run or Terminal box to verify they are human. That is a training problem, not a technology problem."

The simplest message for staff is that no legitimate website will ask users to paste and run a command to prove they are human. Businesses should make that instruction part of immediate staff awareness efforts.

Immediate steps

Alongside employee training, PhishByte urged businesses to tighten controls around PowerShell. Most staff do not need to run PowerShell commands, and execution should be limited to authorised users and approved scripts. Note that the PowerShell execution policy is not a security boundary for this purpose, since pasted ClickFix commands routinely pass a bypass flag; restricting who can launch PowerShell calls for application control such as AppLocker or Windows Defender Application Control, with Constrained Language Mode for users who do need the shell.

It also urged organisations to review their WordPress estates, since compromised WordPress websites are being used as the initial infection point. That includes updating installations, themes and plugins, and removing unused or unsupported components.

Businesses were also advised to compare their systems against indicators of compromise published by the Australian Cyber Security Centre. According to PhishByte, the advisory confirms the campaign has been active since early 2026 and has targeted Australian organisations across multiple sectors.
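The three steps above (limit PowerShell, clean up WordPress, check for indicators) are described in prose only. The following PowerShell triage script is an added example and is not PhishByte's or the ACSC's tooling. It checks whether PowerShell script block logging is enabled, reads the Run-dialog history (RunMRU) that Explorer keeps for each user, and searches recent script block events for command patterns typical of pasted ClickFix one-liners. The pattern list in `$IndicatorPatterns` is an assumption for illustration, not the ACSC's indicator set; the published domains and hashes should be appended to it before use.

```powershell
#Requires -Version 5.1
# Added triage script (not PhishByte's or the ACSC's tooling). Assumptions: the
# pattern list below is illustrative; append the ACSC-published IoCs (domains,
# hashes) to $IndicatorPatterns. Run elevated to read every user's RunMRU.

# Substrings common in pasted ClickFix one-liners. Assumed for illustration only.
$IndicatorPatterns = @(
    'powershell', 'pwsh', 'mshta', 'curl ', 'bitsadmin', 'certutil',
    '-w hidden', '-windowstyle hidden', '-enc', '-encodedcommand', '-ep bypass',
    'iex', 'invoke-expression', 'invoke-webrequest', 'downloadstring', 'frombase64string'
)

function Test-ClickFixCommand {
    # Case-insensitive substring match; returns which patterns fired so the
    # analyst can see why an entry was flagged.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    $lower = $CommandLine.ToLowerInvariant()
    $hits  = @($IndicatorPatterns | Where-Object { $lower.Contains($_) })
    [pscustomobject]@{ Suspicious = ($hits.Count -gt 0); Matched = $hits; Command = $CommandLine }
}

function Get-RunMruEntries {
    # Explorer records every command typed into Win+R under RunMRU, one value
    # per entry (a, b, c ...) with a trailing "\1"; MRUList only holds the order.
    foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $path = "Registry::$($sid.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq 'MRUList') { continue }
            [pscustomobject]@{
                User    = $sid.PSChildName
                Command = ([string]$key.GetValue($name)) -replace '\\1$', ''
            }
        }
    }
}

function Test-ScriptBlockLogging {
    # Script block logging (event 4104) is what lets an EDR or SIEM see the
    # pasted command even when it arrives encoded; it is off unless policy sets it.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $policy)) { return $false }
    return ((Get-ItemProperty -Path $policy).EnableScriptBlockLogging -eq 1)
}

function Get-SuspiciousScriptBlocks {
    # Search recent 4104 events with the same indicator set. Properties[2] is
    # the ScriptBlockText field of a 4104 record.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $verdict = Test-ClickFixCommand -CommandLine ([string]$evt.Properties[2].Value)
        if ($verdict.Suspicious) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Matched = ($verdict.Matched -join ', ')
                Snippet = $verdict.Command.Substring(0, [Math]::Min(120, $verdict.Command.Length))
            }
        }
    }
}

# --- Triage run ---------------------------------------------------------------
Write-Host "Script block logging enabled: $(Test-ScriptBlockLogging)"

$flagged = Get-RunMruEntries | ForEach-Object {
    $v = Test-ClickFixCommand -CommandLine $_.Command
    if ($v.Suspicious) {
        [pscustomobject]@{ User = $_.User; Matched = ($v.Matched -join ', '); Command = $_.Command }
    }
}
if ($flagged) {
    Write-Host 'Suspicious Run-dialog history (possible ClickFix paste):'
    $flagged | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No suspicious RunMRU entries found.'
}

$blocks = @(Get-SuspiciousScriptBlocks -Days 30)
Write-Host "Suspicious PowerShell script blocks in the last 30 days: $($blocks.Count)"
$blocks | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. RunMRU is only written when the command goes through the Run dialog, so a lure that tells the user to paste into a terminal window leaves no entry there and the 4104 search is the one that matters. And if `Test-ScriptBlockLogging` reports false, the absence of 4104 hits proves nothing; enabling script block logging (and process-creation auditing with command-line capture) is itself one of the cheapest controls an SMB can add against this technique.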

The warning reflects a broader shift in cyber attacks away from email-based phishing alone. Social engineering methods that prompt users to act directly on their devices can reduce the effectiveness of defences built around blocking malicious files or quarantining suspicious messages.

For Australian businesses, that leaves staff behaviour as a critical control point in attacks that begin on otherwise legitimate websites and rely on trust in familiar online verification prompts.