Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware.
ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash page that exactly mimics the real Windows update interface. Both require the user to paste a command from the clipboard, making the attack depend heavily on user interaction.
As shown by Joe Security, ClickFix now displays its deceptive instructions on a page designed to look exactly like a Windows update.
In full-screen mode, visitors running Windows see instructions telling them to copy and paste a malicious command into the Run box.
“Working on updates. Please do not turn off your computer.
Part 3 of 3: Check security
95% completeAttention!
To complete the update, install
the critical Security Update[… followed by the steps to open the Run box, paste “something” from your clipboard, and press OK to run it]
The “something” the attackers want you to run is an mshta command that downloads and runs a malware dropper. Usually, the final payload is the Rhadamanthys infostealer.
Technical details
If the user follows the displayed instructions this launches a chain of infection steps:
- Stage 1:
mshta.exedownloads a script (usually JScript). URLs consistently use hex-encoding for the second octet and often rotate URI paths to evade signature-based blocklists - Stage 2: The script runs PowerShell code, which is obfuscated with junk code to confuse analysis.
- Stage 3: PowerShell decrypts and loads a .NET assembly acting as a loader.
- Stage 4: The loader extracts the next stage (malicious shellcode) hidden within a resource image using custom steganography. In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion. In this case, the malware is embedded in specific pixel color data within PNG files, making detection difficult.
- Stage 5: The shellcode is injected into a trusted Windows process (like
explorer.exe), using classic in-memory techniques likeVirtualAllocEx,WriteProcessMemory, andCreateRemoteThread. - Final payload: Recent attacks delivered info-stealing malware like LummaC2 (with configuration extractors provided by Huntress) and the Rhadamanthys information stealer.
Details about the steganography used by ClickFix:
Malicious payloads are encoded directly into PNG pixel color channels (especially the red channel). A custom steganographic algorithm is used to extract the shellcode from the raw PNG file.
- The attackers secretly insert parts of the malware into the image’s pixels, especially by carefully changing the color values in the red channel (which controls how red each pixel is).
- To anyone viewing the picture, it still looks totally normal. No clues that it’s something more than just an image.
- But when the malware script runs, it knows exactly where to “look” inside the image to find those hidden bits.
- The script extracts and decrypts this pixel data, stitches the pieces together, and reconstructs the malware directly in your computer’s memory.
- Since the malware is never stored as an obvious file on disk and is hidden inside an innocent-looking picture, it’s much harder for anti-malware or security programs to catch.
How to stay safe
With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.
- Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
- Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
- Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
- Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
- Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!
Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!