Fake Windows update pushes malware in new ClickFix attack

Cybercriminals support getting amended astatine blending into the bundle you usage each day. 

Over the past fewer years, we've seen phishing pages that transcript banking portals, fake browser alerts that assertion your instrumentality is infected and "human verification" screens that propulsion you to tally commands you should ne'er touch. The latest twist comes from the ongoing ClickFix campaign.

Instead of asking you to beryllium you are human, attackers present disguise themselves arsenic a Windows update. It looks convincing capable that you mightiness travel the instructions without thinking, which is precisely what they want.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter.

NEW SCAM SENDS FAKE MICROSOFT 365 LOGIN PAGES

The malware hides wrong seemingly mean representation files, utilizing steganography to gaffe past accepted information tools.  (Microsoft)

How the fake update works

Researchers noticed that ClickFix has upgraded its aged trick. The run utilized to trust connected quality verification pages, but present you get a full-screen Windows update surface that looks astir identical to the existent thing. Joe Security showed however the leafage displays fake advancement bars, acquainted update messages and a punctual that tells you to implicit a captious information update.

If you are connected Windows, the tract tells you to unfastened the Run box, transcript thing from your clipboard and paste it in. That "something" is simply a bid that silently downloads a malware dropper. The last payload is usually an infostealer, which steals passwords, cookies and different information from your machine.

NEW EMAIL SCAM USES HIDDEN CHARACTERS TO SLIP PAST FILTERS

Fake update screens are getting harder to spot arsenic attackers mimic Windows with near-perfect precision. (Joe Security)

The infinitesimal you paste the command, the corruption concatenation begins. First, z record called mshta.exe reaches retired to a distant server and grabs a script. To debar detection, these URLs often usage hex encoding for parts of the code and rotate their paths. The publication past runs obfuscated PowerShell codification filled with junk instructions to propulsion researchers off. Once PowerShell does its work, it decrypts a hidden .NET assembly that functions arsenic the loader.

Why is this onslaught truthful hard to detect?

The loader hides its adjacent signifier wrong what looks similar a regular PNG file. ClickFix uses customized steganography, which is simply a method that hides concealed information wrong normal-looking content. In this case, the malware sits wrong the image's pixel data. The attackers tweak colour values successful definite pixels, particularly successful the reddish channel, to embed pieces of shellcode. When you presumption the image, everything appears normal.

The publication knows precisely wherever the hidden information sits. It extracts the pixel values, decrypts them, and rebuilds the malware straight successful memory. That means thing evident is written to disk. Security tools that trust connected record scanning miss it, since the shellcode ne'er appears arsenic a standalone file.

Once rebuilt, the shellcode is injected into a trusted Windows process similar explorer.exe. The onslaught uses acquainted in-memory techniques specified arsenic VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. Recent ClickFix enactment has delivered infostealers similar LummaC2 and updated versions of Rhadamanthys. These tools are built to harvest credentials and nonstop them backmost to the attacker with precise small noise.

Once the hidden codification loads into a trusted Windows process, infostealers softly statesman harvesting your data. (Kurt "CyberGuy" Knutsson)

7 steps you tin instrumentality to support yourself from the ClickFix campaign

The champion mode to enactment protected is to dilatory down for a infinitesimal and travel a fewer steps that chopped disconnected these attacks earlier they start.

1) Never tally commands you didn't inquire for

If immoderate tract tells you to paste a bid into Run, PowerShell oregon Terminal, dainty it arsenic an contiguous informing sign. Real operating strategy updates ne'er necessitate you to tally commands from a webpage. When you tally that command, you manus afloat power to the attacker. If thing feels off, adjacent the leafage and don't interact further.

2) Keep Windows updates wrong Windows

Updates should lone travel from the Windows Settings app oregon done authoritative strategy notifications. A browser tab oregon pop-up pretending to beryllium a Windows update is ever fake. If you spot thing extracurricular the mean update travel asking for your action, disregard it and cheque the existent Windows Update leafage yourself.

3) Use a reputable antivirus

Choose a information suite that tin observe some file-based and in-memory threats. Stealthy attacks similar ClickFix debar leaving evident files for scanners to prime up. Tools with behavioral detection, sandboxing and publication monitoring springiness you a overmuch amended accidental of spotting antithetic enactment early.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

4) Use a password manager

Password managers make strong, unsocial passwords for each relationship you use. They besides autofill lone connected morganatic websites, which helps you drawback fake login pages. If a manager refuses to capable retired your credentials, instrumentality a 2nd look astatine the URL earlier entering thing manually.

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2025 at Cyberguy.com.

5) Use a idiosyncratic information removal service

Many attacks commencement by targeting emails and idiosyncratic details already exposed online. Data removal services assistance shrink your integer footprint by requesting takedowns from information broker sites that cod and merchantability your information. They can't erase everything, but reducing your vulnerability means less attackers person casual entree to your details.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

6) Check URLs earlier trusting anything

A convincing layout doesn't mean it is legitimate. Always look astatine the domain sanction first. If it doesn't lucifer the authoritative tract oregon uses unusual spelling oregon other characters, adjacent it. Attackers trust connected the information that radical recognise a page's plan but disregard the code bar.

7) Close suspicious full-screen pages

Fake update pages often tally successful full-screen mode to fell the browser interface and marque the leafage look similar portion of your computer. If a tract abruptly goes afloat surface without your permission, exit with Esc oregon Alt+Tab. Once you're out, scan your strategy and don't instrumentality to that page.

Kurt's cardinal takeaway

ClickFix works due to the fact that it leans connected idiosyncratic interaction. Nothing happens unless you travel the instructions connected the screen. That makes the fake Windows update leafage particularly dangerous, due to the fact that it taps into thing astir radical trust. If you are utilized to Windows updates freezing your screen, you whitethorn not question a punctual that appears during the process. Cybercriminals cognize this. They transcript trusted interfaces to little your defender and past trust connected you to tally the last command. The method tricks that travel are complex, but the starting constituent is simple. They request you to assistance them.

Do you ever transcript commands from a website without reasoning doubly astir what they do? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 

Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.